Merge branch 'main' into lv/add_trend_micro_vision_oat

AWS/aws-cloudtrail/ingest/parser.yml

@@ -14,6 +14,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: json_event.message.sourceIPAddress
         output_field: source
         pattern: "(%{IP:ip}|%{HOSTNAME:domain})"

AWS/aws-guardduty/ingest/parser.yml

@@ -13,6 +13,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: json_event.message.type
         output_field: finding
         pattern: "%{DATA:threat_purpose}:%{DATA:affected_resource_type}/%{WORD:threat_family_name}(.%{DATA:detection_mecanism})?(!%{DATA:artifact})?"

Azure/azure-network-watcher/ingest/parser.yml

@@ -9,6 +9,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{json_event.message.get('flow.0')}}"
         output_field: result
         pattern: "%{NUMBER:timestamp},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:source_port},%{NUMBER:destination_port},%{PROTOCOL:protocol},%{TRAFFICFLOW:traffic_flow},%{TRAFFICDECISION:traffic_decision}(|,(%{FLOWSTATE:flow_state}|),(%{INT:source_packets}|),(%{INT:source_bytes}|),(%{INT:destination_packets}|),(%{INT:destination_bytes}|))"

Azure/azure-windows/ingest/parser.yml

@@ -24,6 +24,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{parse_windows_event.message.EventData.SubjectUserName or parse_windows_event.message.EventData.User}}"
         output_field: result
         pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})"
@@ -36,6 +37,7 @@ pipeline:
     external:
       name: kv.parse-kv
       properties:
+        raise_errors: false
         input_field: "{{parse_windows_event.message.EventData.Hashes | lower}}"
         output_field: result
         value_sep: "="

Beats/winlogbeat/ingest/parser.yml

@@ -10,6 +10,7 @@ pipeline:
     external:
       name: kv.parse-kv
       properties:
+        raise_errors: false
         input_field: "{{json.event.winlog.event_data.Hashes}}"
         output_field: hash
         value_sep: "="

CatoNetworks/cato-sase/ingest/parser.yml

@@ -19,6 +19,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{json_event.output.mitre_attack_tactics}}"
         output_field: message
         pattern: '%{DATA:tactic_name_1} \(%{DATA:tactic_id_1}\)\, %{DATA:tactic_name_2} \(%{DATA:tactic_id_2}\)'
@@ -28,6 +29,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{json_event.output.mitre_attack_techniques}}"
         output_field: message
         pattern: '%{DATA:technique_name_1} \(%{DATA:technique_id_1}\)\, %{DATA:technique_name_2} \(%{DATA:technique_id_2}\)'

Cisco/cisco-esa/ingest/parser.yml

@@ -32,6 +32,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{parsed_event.message.ExternalMsgID}}"
         output_field: message
         pattern: "<%{MESSAGE_ID}>|%{MESSAGE_ID}"
@@ -42,6 +43,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{parsed_event.message.duser}}"
         output_field: message
         pattern: "%{GREEDYDATA:duser_name}@%{GREEDYDATA:duser_domain}"
@@ -50,6 +52,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{parsed_event.message.suser}}"
         output_field: message
         pattern: "%{GREEDYDATA:suser_name}@%{GREEDYDATA:suser_domain}"
@@ -67,6 +70,7 @@ pipeline:
     external:
       name: dict.parse
       properties:
+        output_field: message
         input_field: >
           {{ parsed_event.message.ESAURLDetails }}
 

Cisco/cisco-ios/ingest/parser.yml

@@ -14,6 +14,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: parsed_event.message.description
         pattern: "%{LINEPROTO}|%{LINK}"
         custom_patterns:
@@ -24,6 +25,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: parsed_event.message.description
         pattern: "%{SEC_LOGIN_SUCCESS}|%{SYS_LOGIN_FAILURE}|%{SYS_LOGOUT}|%{SYS_TTY_EXPIRE_TIMER}"
         custom_patterns:
@@ -34,6 +36,7 @@ pipeline:
     filter: '{{parsed_event.message.facility in ["SEC_LOGIN", "SYS"]}}'
   - name: parsed_description
     external:
+      raise_errors: false
       name: grok.match
       properties:
         input_field: parsed_event.message.description

Cisco/cisco-nx-os/ingest/parser.yml

@@ -14,6 +14,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: parsed_event.message.description
         pattern: "%{ETHPORT_IF_DOWN}|%{ETHPORT_IF_UP}|%{ETHPORT_IF}|%{ETHPORT_CONTROL}|%{ETHPORT_LAN}|%{ETHPORT_TRANSCEIVER}|%{ETHPORT_CHANNEL}"
         custom_patterns:
@@ -30,6 +31,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: parsed_event.message.description
         pattern: "%{PAM_MESSAGE}|%{FILE_OPEN_FAILURE}"
         custom_patterns:
@@ -42,6 +44,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: parsed_event.message.description
         pattern: "%{VSHD_CONFIG}|%{VSHD_CMD_EXEC}"
         custom_patterns:
@@ -53,6 +56,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: parsed_event.message.description
         pattern: "%{ARP_DUP}"
         custom_patterns:

CybeReason/malop-json/ingest/parser.yml

@@ -35,6 +35,7 @@ pipeline:
     external:
       name: grok.match
       properties:
+        raise_errors: false
         input_field: "{{parsed_event.message.name}}"
         output_field: technique
         pattern: "%{TID:id} - %{DATA:name} : %{DATA}"

HarfangLab/harfanglab/CHANGELOG.md

@@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### 2024-10-01
+### 2024-12-11 - 1.3.0
+
+### Changed
+
+- Split username into `user.name` and `user.domain`
+
+### 2024-10-01 - 1.2.0
 
 ### Added
 

HarfangLab/harfanglab/ingest/parser.yml

@@ -171,7 +171,16 @@ stages:
 
           process.pid: "{{json_event.message.pid}}"
           process.executable: "{{json_event.message.image_name}}"
-          user.name: "{{json_event.message.username}}"
+          user.name: >
+            {%- if '\\' not in json_event.message.username -%}
+              {{ json_event.message.username }}
+            {%- else -%}
+              {{ json_event.message.username.split('\\')[1] }}
+            {%- endif -%}
+          user.domain: >
+            {%- if '\\' in json_event.message.username -%}
+              {{ json_event.message.username.split('\\')[0] }}
+            {%- endif -%}
 
           event.category: ["network"]
           event.type: ["connection"]
@@ -192,7 +201,6 @@ stages:
           process.pe.company: "{{json_event.message.pe_info.company_name}}"
           process.pe.product: "{{json_event.message.pe_info.product_name}}"
           process.executable: "{{json_event.message.image_name}}"
-          user.name: "{{json_event.message.username}}"
           process.parent.executable: "{{json_event.message.parent_image}}"
           process.parent.command_line: "{{json_event.message.parent_commandline}}"
           process.parent.name: '{{json_event.message.parent_image.split("\\") | last}}'
@@ -202,6 +210,17 @@ stages:
           harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
           harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"
 
+          user.name: >
+            {%- if '\\' not in json_event.message.username -%}
+              {{ json_event.message.username }}
+            {%- else -%}
+              {{ json_event.message.username.split('\\')[1] }}
+            {%- endif -%}
+          user.domain: >
+            {%- if '\\' in json_event.message.username -%}
+              {{ json_event.message.username.split('\\')[0] }}
+            {%- endif -%}
+
           event.category: ["process"]
           event.type: ["start"]
       - set:
@@ -261,7 +280,17 @@ stages:
           process.pe.product: "{{json_event.message.process.pe_info.product_name}}"
 
           process.executable: "{{json_event.message.process.image_name}}"
-          user.name: "{{json_event.message.process.username}}"
+
+          user.name: >
+            {%- if '\\' not in json_event.message.process.username -%}
+              {{ json_event.message.process.username }}
+            {%- else -%}
+              {{ json_event.message.process.username.split('\\')[1] }}
+            {%- endif -%}
+          user.domain: >
+            {%- if '\\' in json_event.message.process.username -%}
+              {{ json_event.message.process.username.split('\\')[0] }}
+            {%- endif -%}
 
           process.parent.executable: "{{json_event.message.process.parent_image}}"
           process.parent.command_line: "{{json_event.message.process.parent_commandline}}"
@@ -726,9 +755,29 @@ stages:
           event.code: "{{json_event.message.windows.event_id}}"
           event.action: "{{json_event.message.object_type}}"
           user.id: "{{json_event.message.windows.source_sid}}"
-          user.name: "{{json_event.message.source_username}}"
           user.target.id: "{{json_event.message.windows.target_sid}}"
-          user.target.name: "{{json_event.message.target_username}}"
+
+          user.name: >
+            {%- if '\\' not in json_event.message.source_username -%}
+              {{ json_event.message.source_username }}
+            {%- else -%}
+              {{ json_event.message.source_username.split('\\')[1] }}
+            {%- endif -%}
+          user.domain: >
+            {%- if '\\' in json_event.message.source_username -%}
+              {{ json_event.message.source_username.split('\\')[0] }}
+            {%- endif -%}
+
+          user.target.name: >
+            {%- if '\\' not in json_event.message.target_username -%}
+              {{ json_event.message.target_username }}
+            {%- else -%}
+              {{ json_event.message.target_username.split('\\')[1] }}
+            {%- endif -%}
+          user.target.domain: >
+            {%- if '\\' in json_event.message.target_username -%}
+              {{ json_event.message.target_username.split('\\')[0] }}
+            {%- endif -%}
 
   dns_info:
     actions:
@@ -737,10 +786,20 @@ stages:
           event.type: ["info"]
           process.pid: "{{json_event.message.pid}}"
           process.executable: "{{json_event.message.process_image_path}}"
-          user.name: "{{json_event.message.username}}"
           dns.question.type: "{{json_event.message.query_type}}"
           dns.question.name: "{{json_event.message.requested_name}}"
 
+          user.name: >
+            {%- if '\\' not in json_event.message.username -%}
+              {{ json_event.message.username }}
+            {%- else -%}
+              {{ json_event.message.username.split('\\')[1] }}
+            {%- endif -%}
+          user.domain: >
+            {%- if '\\' in json_event.message.username -%}
+              {{ json_event.message.username.split('\\')[0] }}
+            {%- endif -%}
+
   auditlog_info:
     actions:
       - set:
@@ -750,11 +809,21 @@ stages:
           http.response.status_code: "{{json_event.message.response_status_code}}"
           url.path: "{{json_event.message.request_path}}"
           user_agent.original: "{{json_event.message.user_agent}}"
-          user.name: "{{json_event.message.username}}"
           source.ip: "{{json_event.message.ip_address}}"
           event.reason: "{{json_event.message.log_description}}"
           event.action: "{{json_event.message.log_slug}}"
 
+          user.name: >
+            {%- if '\\' not in json_event.message.username -%}
+              {{ json_event.message.username }}
+            {%- else -%}
+              {{ json_event.message.username.split('\\')[1] }}
+            {%- endif -%}
+          user.domain: >
+            {%- if '\\' in json_event.message.username -%}
+              {{ json_event.message.username.split('\\')[0] }}
+            {%- endif -%}
+
   agentlog_info:
     actions:
       - set:

HarfangLab/harfanglab/tests/alert.json

@@ -76,7 +76,7 @@
         "REDACTED"
       ],
       "user": [
-        "REDACTED\\valves"
+        "valves"
       ]
     },
     "rule": {
@@ -86,7 +86,8 @@
       "name": "YARA binary check"
     },
     "user": {
-      "name": "REDACTED\\valves"
+      "domain": "REDACTED",
+      "name": "valves"
     }
   }
 }

HarfangLab/harfanglab/tests/alert_1.json

@@ -77,7 +77,7 @@
         "PL-3049"
       ],
       "user": [
-        "EXAMPLE\\jdoe"
+        "jdoe"
       ]
     },
     "rule": {
@@ -87,7 +87,8 @@
       "name": "File Added/Modified in Startup Directory"
     },
     "user": {
-      "name": "EXAMPLE\\jdoe"
+      "domain": "EXAMPLE",
+      "name": "jdoe"
     }
   }
 }

HarfangLab/harfanglab/tests/alert_2.json

@@ -83,7 +83,7 @@
         "PL3024"
       ],
       "user": [
-        "EXAMPLE\\jdoe"
+        "jdoe"
       ]
     },
     "rule": {
@@ -93,7 +93,8 @@
       "name": "Registry Autorun Key Added"
     },
     "user": {
-      "name": "EXAMPLE\\jdoe",
+      "domain": "EXAMPLE",
+      "name": "jdoe",
       "roles": "EXAMPLE"
     }
   }

HarfangLab/harfanglab/tests/alert_3.json

@@ -84,7 +84,7 @@
         "SRV001"
       ],
       "user": [
-        "EXAMPLE\\j.doe"
+        "j.doe"
       ]
     },
     "rule": {
@@ -94,7 +94,8 @@
       "name": "PowerShellInvoke-CommandExecutedonRemoteHost"
     },
     "user": {
-      "name": "EXAMPLE\\j.doe",
+      "domain": "EXAMPLE",
+      "name": "j.doe",
       "roles": "Servers"
     }
   }