Bitdefender : enhanced parser for uc events

SEKOIA-IO · Dec 20, 2024 · 339e5b2 · 339e5b2
1 parent cf11456
commit 339e5b2
Show file tree

Hide file tree

Showing 4 changed files with 104 additions and 2 deletions.
diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml
@@ -1,3 +1,23 @@
+bitdefender.gravityzone.application_control.block_type:
+  description: Type of block detected by Bitdefender GravityZone Application Control.
+  name: bitdefender.gravityzone.application_control.block_type
+  type: keyword
+
+bitdefender.gravityzone.application_control.detection_count:
+  description: Number of detections by Bitdefender GravityZone Application Control.
+  name: bitdefender.gravityzone.application_control.detection_count
+  type: long
+
+bitdefender.gravityzone.application_control.type:
+  description: Type of application control detected by Bitdefender GravityZone.
+  name: bitdefender.gravityzone.application_control.type
+  type: keyword
+
+bitdefender.gravityzone.data.categories:
+  description: Data categories detected by Bitdefender GravityZone.
+  name: bitdefender.gravityzone.data.categories
+  type: keyword
+
 bitdefender.gravityzone.exploit.type:
   description: Exploit type detected by Bitdefender GravityZone.
   name: bitdefender.gravityzone.exploit.type

diff --git a/Bitdefender/gravityzone/ingest/parser.yml b/Bitdefender/gravityzone/ingest/parser.yml
@@ -8,7 +8,7 @@ pipeline:
     external:
       name: date.parse
       properties:
-        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}"
+        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}"
         output_field: datetime
 
   - name: set_event_fields
@@ -67,14 +67,14 @@ stages:
           "device-control": ["host"]
           "ransomware-mitigation": ["intrusion_detection"]
           "new-incident": ["process"]
+          "uc": ["web"]
         mapping:
           parse_event.message.BitdefenderGZModule: event.category
         filter: "{{parse_event.message.BitdefenderGZModule != None}}"
 
   set_ecs_fields:
     actions:
       - set:
-          "@timestamp": "{{parsed_date.datetime}}"
           host.ip: "{{parse_event.message.dvc}}"
           host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}"
           destination.user.name: "{{parse_event.message.duser}}"
@@ -94,8 +94,24 @@ stages:
           observer.vendor: "{{parse_event.message.DeviceVendor}}"
           observer.product: "{{parse_event.message.DeviceProduct}}"
           observer.version: "{{parse_event.message.DeviceVersion}}"
+          bitdefender.gravityzone.application_control.block_type: "{{parse_event.message.BitdefenderGZApplicationControlBlockType}}"
+          bitdefender.gravityzone.application_control.type: "{{parse_event.message.BitdefenderGZApplicationControlType}}"
+          bitdefender.gravityzone.application_control.detection_count: "{{parse_event.message.cnt}}"
+          bitdefender.gravityzone.data.categories: "{{parse_event.message.BitdefenderGZDataCategories}}"
           bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}"
 
+      - set:
+          "@timestamp": "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('eventdate') != None or parse_event.message.get('BitdefenderGZDetectionTime') != None}}"
+
+      - set:
+          event.start: "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('start') != None}}"
+
+      - set:
+          event.end: "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('end') != None}}"
+
       - set:
           file.path: "{{parse_event.message.filePath}}"
         filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}"

diff --git a/Bitdefender/gravityzone/tests/login_1.json b/Bitdefender/gravityzone/tests/login_1.json
@@ -9,6 +9,7 @@
         "authentication"
       ],
       "severity": 3,
+      "start": "2024-06-11T11:34:56Z",
       "type": [
         "start"
       ]

diff --git a/Bitdefender/gravityzone/tests/uc_event.json b/Bitdefender/gravityzone/tests/uc_event.json
@@ -0,0 +1,65 @@
+{
+  "input": {
+    "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 [email protected] suid=S-1-5-21-1111111111-222222222-3333333333-500",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Bitdefender GravityZone [BETA]",
+        "dialect_uuid": "d11df984-840d-4c29-a6dc-b9195c3a24e3"
+      }
+    }
+  },
+  "expected": {
+    "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 [email protected] suid=S-1-5-21-1111111111-222222222-3333333333-500",
+    "event": {
+      "action": "uc_site_blocked",
+      "category": [
+        "web"
+      ],
+      "end": "2024-12-16T12:34:33Z",
+      "module": "uc",
+      "severity": 9,
+      "type": [
+        "info"
+      ]
+    },
+    "bitdefender": {
+      "gravityzone": {
+        "application_control": {
+          "block_type": "http_categories",
+          "detection_count": 1,
+          "type": "http"
+        },
+        "data": {
+          "categories": "Ads"
+        }
+      }
+    },
+    "host": {
+      "ip": "1.2.3.4",
+      "name": "example.test.local"
+    },
+    "observer": {
+      "product": "GravityZone",
+      "vendor": "Bitdefender",
+      "version": "6.40.1-1"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "[email protected]"
+      ]
+    },
+    "source": {
+      "user": {
+        "id": "S-1-5-21-1111111111-222222222-3333333333-500",
+        "name": "[email protected]"
+      }
+    },
+    "url": {
+      "original": "external-content.domain.com/ip3/www.test_request.com",
+      "path": "external-content.domain.com/ip3/www.test_request.com"
+    }
+  }
+}