diff --git a/AWS/aws-cloudtrail/ingest/parser.yml b/AWS/aws-cloudtrail/ingest/parser.yml
index 265f9f7b7..31dcee72d 100644
--- a/AWS/aws-cloudtrail/ingest/parser.yml
+++ b/AWS/aws-cloudtrail/ingest/parser.yml
@@ -14,6 +14,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: json_event.message.sourceIPAddress
 output_field: source
 pattern: "(%{IP:ip}|%{HOSTNAME:domain})"
diff --git a/AWS/aws-guardduty/ingest/parser.yml b/AWS/aws-guardduty/ingest/parser.yml
index 06512d7b1..7cb4ac969 100644
--- a/AWS/aws-guardduty/ingest/parser.yml
+++ b/AWS/aws-guardduty/ingest/parser.yml
@@ -13,6 +13,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: json_event.message.type
 output_field: finding
 pattern: "%{DATA:threat_purpose}:%{DATA:affected_resource_type}/%{WORD:threat_family_name}(.%{DATA:detection_mecanism})?(!%{DATA:artifact})?"
diff --git a/Azure/azure-network-watcher/ingest/parser.yml b/Azure/azure-network-watcher/ingest/parser.yml
index edca894ef..f6af50849 100644
--- a/Azure/azure-network-watcher/ingest/parser.yml
+++ b/Azure/azure-network-watcher/ingest/parser.yml
@@ -9,6 +9,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.message.get('flow.0')}}"
 output_field: result
 pattern: "%{NUMBER:timestamp},%{IP:source_ip},%{IP:destination_ip},%{NUMBER:source_port},%{NUMBER:destination_port},%{PROTOCOL:protocol},%{TRAFFICFLOW:traffic_flow},%{TRAFFICDECISION:traffic_decision}(|,(%{FLOWSTATE:flow_state}|),(%{INT:source_packets}|),(%{INT:source_bytes}|),(%{INT:destination_packets}|),(%{INT:destination_bytes}|))"
diff --git a/Azure/azure-windows/ingest/parser.yml b/Azure/azure-windows/ingest/parser.yml
index 4a4e76ac7..bfd2e9740 100644
--- a/Azure/azure-windows/ingest/parser.yml
+++ b/Azure/azure-windows/ingest/parser.yml
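Review bot: Adding `raise_errors: false` to this grok.match stage (and to the same kind of stage in aws-guardduty, azure-network-watcher, azure-windows, winlogbeat, cato-sase, cisco-esa, cisco-ios, cisco-nx-os and malop-json) turns a pattern mismatch from a parser error into a silently absent output field, yet the commit adds no fixture whose `sourceIPAddress` does not match `(%{IP:ip}|%{HOSTNAME:domain})` to pin that fall-through. The HarfangLab `tests/*.json` changes in this same commit show fixtures are how this project verifies parsers, so one fixture per touched parser with a non-matching input would demonstrate the event is still ingested with the output field (presumably `source.ip`/`source.domain` here) unset rather than dropped. Without it, a future regression in any of these patterns disappears from CI instead of failing loudly; a comment above the new line such as `# mismatches are expected for non-IP values; keep the event, leave the field unset` would also record why errors are suppressed. The enclosing stage definitions begin outside the hunks.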
@@ -24,6 +24,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parse_windows_event.message.EventData.SubjectUserName or parse_windows_event.message.EventData.User}}"
 output_field: result
 pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})"
@@ -36,6 +37,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{parse_windows_event.message.EventData.Hashes | lower}}"
 output_field: result
 value_sep: "="
diff --git a/Beats/winlogbeat/ingest/parser.yml b/Beats/winlogbeat/ingest/parser.yml
index 0ffc5dbf6..7f190c1ff 100644
--- a/Beats/winlogbeat/ingest/parser.yml
+++ b/Beats/winlogbeat/ingest/parser.yml
@@ -10,6 +10,7 @@ pipeline:
 external:
 name: kv.parse-kv
 properties:
+ raise_errors: false
 input_field: "{{json.event.winlog.event_data.Hashes}}"
 output_field: hash
 value_sep: "="
diff --git a/CatoNetworks/cato-sase/ingest/parser.yml b/CatoNetworks/cato-sase/ingest/parser.yml
index c3559d563..73f02ca34 100644
--- a/CatoNetworks/cato-sase/ingest/parser.yml
+++ b/CatoNetworks/cato-sase/ingest/parser.yml
@@ -19,6 +19,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.output.mitre_attack_tactics}}"
 output_field: message
 pattern: '%{DATA:tactic_name_1} \(%{DATA:tactic_id_1}\)\, %{DATA:tactic_name_2} \(%{DATA:tactic_id_2}\)'
@@ -28,6 +29,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{json_event.output.mitre_attack_techniques}}"
 output_field: message
 pattern: '%{DATA:technique_name_1} \(%{DATA:technique_id_1}\)\, %{DATA:technique_name_2} \(%{DATA:technique_id_2}\)'
diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml
index 8f3acbeb3..38469cd70 100644
--- a/Cisco/cisco-esa/ingest/parser.yml
+++ b/Cisco/cisco-esa/ingest/parser.yml
@@ -32,6 +32,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.ExternalMsgID}}"
 output_field: message
 pattern: "<%{MESSAGE_ID}>|%{MESSAGE_ID}"
@@ -42,6 +43,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.duser}}"
 output_field: message
 pattern: "%{GREEDYDATA:duser_name}@%{GREEDYDATA:duser_domain}"
@@ -50,6 +52,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.suser}}"
 output_field: message
 pattern: "%{GREEDYDATA:suser_name}@%{GREEDYDATA:suser_domain}"
@@ -67,6 +70,7 @@ pipeline:
 external:
 name: dict.parse
 properties:
+ output_field: message
 input_field: >
 {{ parsed_event.message.ESAURLDetails }}
diff --git a/Cisco/cisco-ios/ingest/parser.yml b/Cisco/cisco-ios/ingest/parser.yml
index dace57b15..84cce9666 100644
--- a/Cisco/cisco-ios/ingest/parser.yml
+++ b/Cisco/cisco-ios/ingest/parser.yml
@@ -14,6 +14,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.description
 pattern: "%{LINEPROTO}|%{LINK}"
 custom_patterns:
@@ -24,6 +25,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.description
 pattern: "%{SEC_LOGIN_SUCCESS}|%{SYS_LOGIN_FAILURE}|%{SYS_LOGOUT}|%{SYS_TTY_EXPIRE_TIMER}"
 custom_patterns:
@@ -34,6 +36,7 @@ pipeline:
 filter: '{{parsed_event.message.facility in ["SEC_LOGIN", "SYS"]}}'
 - name: parsed_description
 external:
+ raise_errors: false
 name: grok.match
 properties:
 input_field: parsed_event.message.description
diff --git a/Cisco/cisco-nx-os/ingest/parser.yml b/Cisco/cisco-nx-os/ingest/parser.yml
index 5b8fe2aee..b9f586e96 100644
--- a/Cisco/cisco-nx-os/ingest/parser.yml
+++ b/Cisco/cisco-nx-os/ingest/parser.yml
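Review bot: The cisco-esa `dict.parse` hunk (-67) is the only stage in this commit that receives `output_field: message` instead of `raise_errors: false`, and nothing in the hunk says why. If `dict.parse` can fail on a malformed `ESAURLDetails` value the way grok.match fails on a mismatch, it should get `raise_errors: false` as well; if the stage does not accept that key, a one-line comment above the new line recording that the omission is deliberate would save the next reader the same question. Setting `output_field` also moves where the parsed dictionary lands, so the stages that read it — outside this hunk — need to be checked against `message`. The stage definition starts and ends outside the hunk.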
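Review bot: In the third cisco-ios hunk (-34) `raise_errors: false` is inserted directly under `external:`, between `external:` and `name: grok.match`, whereas every other hunk in this commit places it under `properties:`; unless the `external` block itself accepts that key, the `parsed_description` stage either rejects it or ignores it and keeps raising on a mismatch, which is the opposite of what the commit intends. Move the line so the stage reads `properties:` / `raise_errors: false` / `input_field: parsed_event.message.description`, matching the two hunks above it. The stage body continues past the end of the hunk.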
@@ -14,6 +14,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.description
 pattern: "%{ETHPORT_IF_DOWN}|%{ETHPORT_IF_UP}|%{ETHPORT_IF}|%{ETHPORT_CONTROL}|%{ETHPORT_LAN}|%{ETHPORT_TRANSCEIVER}|%{ETHPORT_CHANNEL}"
 custom_patterns:
@@ -30,6 +31,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.description
 pattern: "%{PAM_MESSAGE}|%{FILE_OPEN_FAILURE}"
 custom_patterns:
@@ -42,6 +44,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.description
 pattern: "%{VSHD_CONFIG}|%{VSHD_CMD_EXEC}"
 custom_patterns:
@@ -53,6 +56,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: parsed_event.message.description
 pattern: "%{ARP_DUP}"
 custom_patterns:
diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml
index 9f716126d..5eb538561 100644
--- a/CybeReason/malop-json/ingest/parser.yml
+++ b/CybeReason/malop-json/ingest/parser.yml
@@ -35,6 +35,7 @@ pipeline:
 external:
 name: grok.match
 properties:
+ raise_errors: false
 input_field: "{{parsed_event.message.name}}"
 output_field: technique
 pattern: "%{TID:id} - %{DATA:name} : %{DATA}"
diff --git a/HarfangLab/harfanglab/CHANGELOG.md b/HarfangLab/harfanglab/CHANGELOG.md
index b51c03c58..020bfb34e 100644
--- a/HarfangLab/harfanglab/CHANGELOG.md
+++ b/HarfangLab/harfanglab/CHANGELOG.md
@@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
-### 2024-10-01
+### 2024-12-11 - 1.3.0
+
+### Changed
+
+- Split username into `user.name` and `user.domain`
+
+### 2024-10-01 - 1.2.0
 ### Added
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 34535641b..253355fce 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -171,7 +171,16 @@ stages:
 process.pid: "{{json_event.message.pid}}"
 process.executable: "{{json_event.message.image_name}}"
- user.name: "{{json_event.message.username}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
 event.category: ["network"]
 event.type: ["connection"]
@@ -192,7 +201,6 @@ stages:
 process.pe.company: "{{json_event.message.pe_info.company_name}}"
 process.pe.product: "{{json_event.message.pe_info.product_name}}"
 process.executable: "{{json_event.message.image_name}}"
- user.name: "{{json_event.message.username}}"
 process.parent.executable: "{{json_event.message.parent_image}}"
 process.parent.command_line: "{{json_event.message.parent_commandline}}"
 process.parent.name: '{{json_event.message.parent_image.split("\\") | last}}'
@@ -202,6 +210,17 @@ stages:
 harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
 harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
+
 event.category: ["process"]
 event.type: ["start"]
 - set:
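Review bot: `user.name` is derived with `split('\\')[1]`, which drops everything after a second backslash and leaves an empty name when the value ends in one; `split('\\', 1)[1]` keeps the remainder and is the one-line change I would make in every copy (the `[0]` domain side gives the same result either way). The same ten-line block is pasted seven times with only the input path changed (-171 and -202 here, then -261, -726, -737 and -750 in the following hunks), so any fix or guard has to be repeated in all of them; a comment above the first copy such as `# DOMAIN\user -> user.domain / user.name; a value without a backslash becomes a bare user.name` would at least record the contract where maintainers will look. Two cases the updated fixtures do not cover: a username with no backslash, where `user.domain` renders as an empty folded scalar and it cannot be told from here whether the engine drops the key or stores `""`, and a JSON `null` username, where `'\\' not in json_event.message.username` is likely to raise (Python's `in` on `None` does) while the old `"{{json_event.message.username}}"` form rendered quietly — both deserve a fixture. Anything that matched `user.name` in the old `DOMAIN\user` form (correlation rules, saved searches) stops matching after this change, which the changelog entry "Split username" does not flag as breaking. The enclosing `set:` actions begin outside each hunk.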
@@ -261,7 +280,17 @@ stages:
 process.pe.product: "{{json_event.message.process.pe_info.product_name}}"
 process.executable: "{{json_event.message.process.image_name}}"
- user.name: "{{json_event.message.process.username}}"
+
+ user.name: >
+ {%- if '\\' not in json_event.message.process.username -%}
+ {{ json_event.message.process.username }}
+ {%- else -%}
+ {{ json_event.message.process.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.process.username -%}
+ {{ json_event.message.process.username.split('\\')[0] }}
+ {%- endif -%}
 process.parent.executable: "{{json_event.message.process.parent_image}}"
 process.parent.command_line: "{{json_event.message.process.parent_commandline}}"
@@ -726,9 +755,29 @@ stages:
 event.code: "{{json_event.message.windows.event_id}}"
 event.action: "{{json_event.message.object_type}}"
 user.id: "{{json_event.message.windows.source_sid}}"
- user.name: "{{json_event.message.source_username}}"
 user.target.id: "{{json_event.message.windows.target_sid}}"
- user.target.name: "{{json_event.message.target_username}}"
+
+ user.name: >
+ {%- if '\\' not in json_event.message.source_username -%}
+ {{ json_event.message.source_username }}
+ {%- else -%}
+ {{ json_event.message.source_username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.source_username -%}
+ {{ json_event.message.source_username.split('\\')[0] }}
+ {%- endif -%}
+
+ user.target.name: >
+ {%- if '\\' not in json_event.message.target_username -%}
+ {{ json_event.message.target_username }}
+ {%- else -%}
+ {{ json_event.message.target_username.split('\\')[1] }}
+ {%- endif -%}
+ user.target.domain: >
+ {%- if '\\' in json_event.message.target_username -%}
+ {{ json_event.message.target_username.split('\\')[0] }}
+ {%- endif -%}
 dns_info:
 actions:
@@ -737,10 +786,20 @@ stages:
 event.type: ["info"]
 process.pid: "{{json_event.message.pid}}"
 process.executable: "{{json_event.message.process_image_path}}"
- user.name: "{{json_event.message.username}}"
 dns.question.type: "{{json_event.message.query_type}}"
 dns.question.name: "{{json_event.message.requested_name}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
+
 auditlog_info:
 actions:
 - set:
@@ -750,11 +809,21 @@ stages:
 http.response.status_code: "{{json_event.message.response_status_code}}"
 url.path: "{{json_event.message.request_path}}"
 user_agent.original: "{{json_event.message.user_agent}}"
- user.name: "{{json_event.message.username}}"
 source.ip: "{{json_event.message.ip_address}}"
 event.reason: "{{json_event.message.log_description}}"
 event.action: "{{json_event.message.log_slug}}"
+ user.name: >
+ {%- if '\\' not in json_event.message.username -%}
+ {{ json_event.message.username }}
+ {%- else -%}
+ {{ json_event.message.username.split('\\')[1] }}
+ {%- endif -%}
+ user.domain: >
+ {%- if '\\' in json_event.message.username -%}
+ {{ json_event.message.username.split('\\')[0] }}
+ {%- endif -%}
+
 agentlog_info:
 actions:
 - set:
diff --git a/HarfangLab/harfanglab/tests/alert.json b/HarfangLab/harfanglab/tests/alert.json
index 0f8e1a0d4..6acde1285 100644
--- a/HarfangLab/harfanglab/tests/alert.json
+++ b/HarfangLab/harfanglab/tests/alert.json
@@ -76,7 +76,7 @@
 "REDACTED"
 ],
 "user": [
- "REDACTED\\valves"
+ "valves"
 ]
 },
 "rule": {
@@ -86,7 +86,8 @@
 "name": "YARA binary check"
 },
 "user": {
- "name": "REDACTED\\valves"
+ "domain": "REDACTED",
+ "name": "valves"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/alert_1.json b/HarfangLab/harfanglab/tests/alert_1.json
index b69152813..9ac1abc0a 100644
--- a/HarfangLab/harfanglab/tests/alert_1.json
+++ b/HarfangLab/harfanglab/tests/alert_1.json
@@ -77,7 +77,7 @@
 "PL-3049"
 ],
 "user": [
- "EXAMPLE\\jdoe"
+ "jdoe"
 ]
 },
 "rule": {
@@ -87,7 +87,8 @@
 "name": "File Added/Modified in Startup Directory"
 },
 "user": {
- "name": "EXAMPLE\\jdoe"
+ "domain": "EXAMPLE",
+ "name": "jdoe"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/alert_2.json b/HarfangLab/harfanglab/tests/alert_2.json
index 310b001a9..60c039be7 100644
--- a/HarfangLab/harfanglab/tests/alert_2.json
+++ b/HarfangLab/harfanglab/tests/alert_2.json
@@ -83,7 +83,7 @@
 "PL3024"
 ],
 "user": [
- "EXAMPLE\\jdoe"
+ "jdoe"
 ]
 },
 "rule": {
@@ -93,7 +93,8 @@
 "name": "Registry Autorun Key Added"
 },
 "user": {
- "name": "EXAMPLE\\jdoe",
+ "domain": "EXAMPLE",
+ "name": "jdoe",
 "roles": "EXAMPLE"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/alert_3.json b/HarfangLab/harfanglab/tests/alert_3.json
index db3a57056..f37d2fad4 100644
--- a/HarfangLab/harfanglab/tests/alert_3.json
+++ b/HarfangLab/harfanglab/tests/alert_3.json
@@ -84,7 +84,7 @@
 "SRV001"
 ],
 "user": [
- "EXAMPLE\\j.doe"
+ "j.doe"
 ]
 },
 "rule": {
@@ -94,7 +94,8 @@
 "name": "PowerShellInvoke-CommandExecutedonRemoteHost"
 },
 "user": {
- "name": "EXAMPLE\\j.doe",
+ "domain": "EXAMPLE",
+ "name": "j.doe",
 "roles": "Servers"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json
index 8a3745f19..1a45b2b22 100644
--- a/HarfangLab/harfanglab/tests/alert_4.json
+++ b/HarfangLab/harfanglab/tests/alert_4.json
@@ -85,7 +85,7 @@
 "HOST01"
 ],
 "user": [
- "DOMAINSI\\JDOE"
+ "JDOE"
 ]
 },
 "rule": {
@@ -105,7 +105,8 @@
 "top_level_domain": "com"
 },
 "user": {
- "name": "DOMAINSI\\JDOE",
+ "domain": "DOMAINSI",
+ "name": "JDOE",
 "roles": "DOMAIN_Postes_de_travail_Windows"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/alert_false_positive.json b/HarfangLab/harfanglab/tests/alert_false_positive.json
index f01c2921f..99b1994fb 100644
--- a/HarfangLab/harfanglab/tests/alert_false_positive.json
+++ b/HarfangLab/harfanglab/tests/alert_false_positive.json
@@ -76,7 +76,7 @@
 "pc123"
 ],
 "user": [
- "XXX\\XXX"
+ "XXX"
 ]
 },
 "rule": {
@@ -86,7 +86,8 @@
 "name": "Discovery: Process list"
 },
 "user": {
- "name": "XXX\\XXX"
+ "domain": "XXX",
+ "name": "XXX"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/authentication.json b/HarfangLab/harfanglab/tests/authentication.json
index 91af4cc19..a00b26310 100644
--- a/HarfangLab/harfanglab/tests/authentication.json
+++ b/HarfangLab/harfanglab/tests/authentication.json
@@ -58,7 +58,7 @@
 "127.0.0.1"
 ],
 "user": [
- "test-domain\\work-laptop$"
+ "work-laptop$"
 ]
 },
 "sekoiaio": {
@@ -78,12 +78,14 @@
 "ip": "127.0.0.1"
 },
 "user": {
+ "domain": "test-domain",
 "id": "S-1-5-18",
- "name": "test-domain\\work-laptop$",
+ "name": "work-laptop$",
 "roles": "custom-group",
 "target": {
+ "domain": "work-laptop",
 "id": "S-1-0-0",
- "name": "work-laptop\\administrateur"
+ "name": "administrateur"
 }
 }
 }
diff --git a/HarfangLab/harfanglab/tests/dns.json b/HarfangLab/harfanglab/tests/dns.json
index acf1cc407..903c7d68d 100644
--- a/HarfangLab/harfanglab/tests/dns.json
+++ b/HarfangLab/harfanglab/tests/dns.json
@@ -57,11 +57,12 @@
 "work-laptop"
 ],
 "user": [
- "test-domain\\john.doe"
+ "john.doe"
 ]
 },
 "user": {
- "name": "test-domain\\john.doe",
+ "domain": "test-domain",
+ "name": "john.doe",
 "roles": "custom-group"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/network.json b/HarfangLab/harfanglab/tests/network.json
index 0a8eef023..e047efaf0 100644
--- a/HarfangLab/harfanglab/tests/network.json
+++ b/HarfangLab/harfanglab/tests/network.json
@@ -50,7 +50,7 @@
 "192.168.120.41"
 ],
 "user": [
- "NT AUTHORITY\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "source": {
@@ -59,7 +59,8 @@
 "port": 21955
 },
 "user": {
- "name": "NT AUTHORITY\\SYSTEM"
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/network2.json b/HarfangLab/harfanglab/tests/network2.json
index 43ba71477..b350a10ac 100644
--- a/HarfangLab/harfanglab/tests/network2.json
+++ b/HarfangLab/harfanglab/tests/network2.json
@@ -51,7 +51,7 @@
 "185.202.2.238"
 ],
 "user": [
- "NT AUTHORITY\\NETWORK SERVICE"
+ "NETWORK SERVICE"
 ]
 },
 "source": {
@@ -60,7 +60,8 @@
 "port": 42221
 },
 "user": {
- "name": "NT AUTHORITY\\NETWORK SERVICE"
+ "domain": "NT AUTHORITY",
+ "name": "NETWORK SERVICE"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json
index abbbd338b..9f1f078f3 100644
--- a/HarfangLab/harfanglab/tests/process-event.json
+++ b/HarfangLab/harfanglab/tests/process-event.json
@@ -81,11 +81,12 @@
 "SFRTAOA"
 ],
 "user": [
- "NT AUTHORITY\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "user": {
- "name": "NT AUTHORITY\\SYSTEM",
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM",
 "roles": "Group1"
 }
 }
diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json
index c91f0a2c0..024f674a3 100644
--- a/HarfangLab/harfanglab/tests/process.json
+++ b/HarfangLab/harfanglab/tests/process.json
@@ -74,11 +74,12 @@
 "EXCHANGE"
 ],
 "user": [
- "NT AUTHORITY\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "user": {
- "name": "NT AUTHORITY\\SYSTEM"
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process2.json b/HarfangLab/harfanglab/tests/process2.json
index f01c2921f..99b1994fb 100644
--- a/HarfangLab/harfanglab/tests/process2.json
+++ b/HarfangLab/harfanglab/tests/process2.json
@@ -76,7 +76,7 @@
 "pc123"
 ],
 "user": [
- "XXX\\XXX"
+ "XXX"
 ]
 },
 "rule": {
@@ -86,7 +86,8 @@
 "name": "Discovery: Process list"
 },
 "user": {
- "name": "XXX\\XXX"
+ "domain": "XXX",
+ "name": "XXX"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json
index 035f70d0f..3e464ccab 100644
--- a/HarfangLab/harfanglab/tests/process3.json
+++ b/HarfangLab/harfanglab/tests/process3.json
@@ -74,11 +74,12 @@
 "REDACTED"
 ],
 "user": [
- "NT AUTHORITY\\NETWORK SERVICE"
+ "NETWORK SERVICE"
 ]
 },
 "user": {
- "name": "NT AUTHORITY\\NETWORK SERVICE"
+ "domain": "NT AUTHORITY",
+ "name": "NETWORK SERVICE"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json
index a19bf13fc..3f32333c2 100644
--- a/HarfangLab/harfanglab/tests/process4.json
+++ b/HarfangLab/harfanglab/tests/process4.json
@@ -87,11 +87,12 @@
 "jdoe"
 ],
 "user": [
- "TST USER\\SYSTEM"
+ "SYSTEM"
 ]
 },
 "user": {
- "name": "TST USER\\SYSTEM",
+ "domain": "TST USER",
+ "name": "SYSTEM",
 "roles": "test_group"
 }
 }