Merge branch 'main' into lv/mimecast_fix_email_attachments_field

SEKOIA-IO · Dec 18, 2024 · 3ddc055 · 3ddc055
2 parents d45f223 + 99cbd38
commit 3ddc055
Show file tree

Hide file tree

Showing 19 changed files with 623 additions and 33 deletions.
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
@@ -52,31 +52,31 @@ pipeline:
         timezone: "UTC"
 
   - name: parsed_date
-    filter: '{{parsed_event.message.get("eventtime") != None}}'
+    filter: '{{parsed_event.message.get("timestamp") != None}}'
     external:
       name: date.parse
       properties:
-        input_field: "{{parsed_event.message.eventtime }}"
+        input_field: "{{parsed_event.message.timestamp }}"
         output_field: date
-        timezone: "UTC"
+        timezone: "{{parsed_event.message.tz}}"
 
   - name: parsed_date
-    filter: '{{parsed_event.message.get("timestamp") != None}}'
+    filter: '{{parsed_event.message.get("start") != None}}'
     external:
       name: date.parse
       properties:
-        input_field: "{{parsed_event.message.timestamp }}"
+        input_field: "{{parsed_event.message.start }}"
         output_field: date
-        timezone: "UTC"
+        timezone: "{{parsed_event.message.tz}}"
 
   - name: parsed_date
-    filter: '{{parsed_event.message.get("start") != None}}'
+    filter: '{{parsed_event.message.get("eventtime") != None}}'
     external:
       name: date.parse
       properties:
-        input_field: "{{parsed_event.message.start }}"
+        input_field: "{{parsed_event.message.eventtime }}"
         output_field: date
-        timezone: "{{parsed_event.message.tz}}"
+        timezone: "UTC"
 
   - name: field_extraction
   - name: set_event_dataset

diff --git a/Fortinet/fortigate/tests/test_ips.STANDARD.json b/Fortinet/fortigate/tests/test_ips.STANDARD.json
@@ -12,7 +12,7 @@
       "reason": "tools: Qualys.Vulnerability.Scanner",
       "timezone": "-0700"
     },
-    "@timestamp": "2023-10-23T07:40:49Z",
+    "@timestamp": "2023-10-23T07:40:49.852013Z",
     "action": {
       "name": "detected",
       "outcome": "success",

diff --git a/Fortinet/fortigate/tests/traffic_nat_1.STANDARD.json b/Fortinet/fortigate/tests/traffic_nat_1.STANDARD.json
@@ -12,7 +12,7 @@
       "outcome": "success",
       "timezone": "+0000"
     },
-    "@timestamp": "2024-03-06T22:06:03Z",
+    "@timestamp": "2024-03-06T22:06:04.028578Z",
     "action": {
       "name": "accept",
       "outcome": "success",

diff --git a/Fortinet/fortigate/tests/traffic_nat_2.STANDARD.json b/Fortinet/fortigate/tests/traffic_nat_2.STANDARD.json
@@ -0,0 +1,97 @@
+{
+  "input": {
+    "message": "timestamp=1732640381 devname=\"12_LE_XXXXX-60F\" devid=\"xxxxxxxxxxxxxxxxxxx\" vd=\"root\" date=2024-11-26 time=16:59:41 eventtime=1732633180924621531 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=1.2.3.4 srcname=\"xxxxxxx.test.info\" srcport=56745 srcintf=\"internal\" srcintfrole=\"undefined\" dstip=1.2.4.5 dstport=80 dstintf=\"wan1\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Egypt\" sessionid=157131884 proto=6 action=\"close\" policyid=12 policytype=\"policy\" poluuid=\"c1353c04-b6ee-51ea-9664-c8541f024774\" policyname=\"LAN to Internet\" service=\"HTTP\" trandisp=\"snat\" transip=45.245.209.162 transport=56745 appid=15893 app=\"HTTP.BROWSER\" appcat=\"Web.Client\" apprisk=\"medium\" applist=\"block-high-risk\" duration=1 sentbyte=483 rcvdbyte=399 sentpkt=7 rcvdpkt=5 wanin=187 wanout=111 lanin=111 lanout=187 utmaction=\"allow\" countweb=1 osname=\"Windows\" srcswversion=\"10\" mastersrcmac=\"00:e0:4c:68:00:0a\" srcmac=\"00:e0:4c:68:00:0a\" srcserver=0"
+  },
+  "expected": {
+    "message": "timestamp=1732640381 devname=\"12_LE_XXXXX-60F\" devid=\"xxxxxxxxxxxxxxxxxxx\" vd=\"root\" date=2024-11-26 time=16:59:41 eventtime=1732633180924621531 tz=\"+0200\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=1.2.3.4 srcname=\"xxxxxxx.test.info\" srcport=56745 srcintf=\"internal\" srcintfrole=\"undefined\" dstip=1.2.4.5 dstport=80 dstintf=\"wan1\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Egypt\" sessionid=157131884 proto=6 action=\"close\" policyid=12 policytype=\"policy\" poluuid=\"c1353c04-b6ee-51ea-9664-c8541f024774\" policyname=\"LAN to Internet\" service=\"HTTP\" trandisp=\"snat\" transip=45.245.209.162 transport=56745 appid=15893 app=\"HTTP.BROWSER\" appcat=\"Web.Client\" apprisk=\"medium\" applist=\"block-high-risk\" duration=1 sentbyte=483 rcvdbyte=399 sentpkt=7 rcvdpkt=5 wanin=187 wanout=111 lanin=111 lanout=187 utmaction=\"allow\" countweb=1 osname=\"Windows\" srcswversion=\"10\" mastersrcmac=\"00:e0:4c:68:00:0a\" srcmac=\"00:e0:4c:68:00:0a\" srcserver=0",
+    "event": {
+      "action": "close",
+      "category": "traffic",
+      "code": "0000000013",
+      "dataset": "traffic:forward",
+      "outcome": "success",
+      "timezone": "+0200"
+    },
+    "@timestamp": "2024-11-26T14:59:40.924622Z",
+    "action": {
+      "name": "close",
+      "outcome": "success",
+      "target": "network-traffic",
+      "type": "forward"
+    },
+    "destination": {
+      "address": "1.2.4.5",
+      "bytes": 399,
+      "ip": "1.2.4.5",
+      "packets": 5,
+      "port": 80
+    },
+    "fortinet": {
+      "fortigate": {
+        "apprisk": "medium",
+        "event": {
+          "type": "traffic"
+        },
+        "policyid": "12",
+        "poluuid": "c1353c04-b6ee-51ea-9664-c8541f024774",
+        "virtual_domain": "root"
+      }
+    },
+    "host": {
+      "name": "xxxxxxx.test.info",
+      "os": {
+        "family": "Windows"
+      }
+    },
+    "log": {
+      "hostname": "12_LE_XXXXX-60F",
+      "level": "notice"
+    },
+    "network": {
+      "application": "HTTP.BROWSER",
+      "bytes": 882,
+      "protocol": "http",
+      "transport": "tcp"
+    },
+    "observer": {
+      "egress": {
+        "interface": {
+          "name": "wan1"
+        }
+      },
+      "hostname": "12_LE_XXXXX-60F",
+      "ingress": {
+        "interface": {
+          "name": "internal"
+        }
+      },
+      "serial_number": "xxxxxxxxxxxxxxxxxxx"
+    },
+    "related": {
+      "hosts": [
+        "12_LE_XXXXX-60F"
+      ],
+      "ip": [
+        "1.2.3.4",
+        "1.2.4.5",
+        "45.245.209.162"
+      ]
+    },
+    "rule": {
+      "apprisk": "medium",
+      "category": "Web.Client",
+      "ruleset": "block-high-risk"
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "bytes": 483,
+      "ip": "1.2.3.4",
+      "mac": "00:e0:4c:68:00:0a",
+      "nat": {
+        "ip": "45.245.209.162"
+      },
+      "packets": 7,
+      "port": 56745
+    }
+  }
+}
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
@@ -998,11 +998,6 @@ harfanglab.grandparent.process.ancestors:
   name: harfanglab.grandparent.process.ancestors
   type: keyword
 
-harfanglab.grandparent.process.command_line:
-  description: Command line that started the grandparent process
-  name: harfanglab.grandparent.process.command_line
-  type: keyword
-
 harfanglab.grandparent.process.executable:
   description: Absolute path to the grandparent process executable
   name: harfanglab.grandparent.process.executable

diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
@@ -207,7 +207,6 @@ stages:
           process.working_directory: "{{json_event.message.current_directory}}"
           process.pe.imphash: "{{json_event.message.pe_imphash}}"
           harfanglab.grandparent.process.executable: "{{json_event.message.grandparent_image}}"
-          harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
           harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"
 
           user.name: >

diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json
@@ -28,7 +28,6 @@
     "harfanglab": {
       "grandparent": {
         "process": {
-          "command_line": "C:\\ProgramData\\CentraStage\\AEMAgent\\AEMAge.exe",
           "executable": "C:\\Program Files (x86)\\Centra\\CagServ.exe"
         }
       },

diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json
@@ -25,13 +25,6 @@
         "sha256": "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529"
       }
     },
-    "harfanglab": {
-      "grandparent": {
-        "process": {
-          "command_line": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe"
-        }
-      }
-    },
     "host": {
       "domain": "NIVURA",
       "hostname": "EXCHANGE",

diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json
@@ -25,13 +25,6 @@
         "sha256": "b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15"
       }
     },
-    "harfanglab": {
-      "grandparent": {
-        "process": {
-          "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
-        }
-      }
-    },
     "host": {
       "domain": "WORKGROUP",
       "hostname": "REDACTED",

diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json
@@ -34,7 +34,6 @@
             "C:\\Windows\\test2.exe",
             "C:\\Windows\\test3.exe"
           ],
-          "command_line": "test.exe -p -e test_script.py | find test",
           "executable": "C:\\Windows\\grandparent_image.exe"
         }
       },

diff --git a/Trend Micro/trend-micro-vision-one-oat/CHANGELOG.md b/Trend Micro/trend-micro-vision-one-oat/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -0,0 +1,59 @@
+action.properties.ScriptBlockText:
+  description: ''
+  name: action.properties.ScriptBlockText
+  type: keyword
+
+process.parent.parent.command_line:
+  description: ''
+  name: process.parent.parent.command_line
+  type: keyword
+
+process.parent.parent.executable:
+  description: ''
+  name: process.parent.parent.executable
+  type: keyword
+
+process.parent.parent.hash.md5:
+  description: ''
+  name: process.parent.parent.hash.md5
+  type: keyword
+
+process.parent.parent.hash.sha1:
+  description: ''
+  name: process.parent.parent.hash.sha1
+  type: keyword
+
+process.parent.parent.hash.sha256:
+  description: ''
+  name: process.parent.parent.hash.sha256
+  type: keyword
+
+process.parent.parent.name:
+  description: ''
+  name: process.parent.parent.name
+  type: keyword
+
+process.parent.parent.pid:
+  description: ''
+  name: process.parent.parent.pid
+  type: keyword
+
+process.parent.parent.start:
+  description: ''
+  name: process.parent.parent.start
+  type: datetime
+
+process.parent.parent.user.domain:
+  description: ''
+  name: process.parent.parent.user.domain
+  type: keyword
+
+process.parent.parent.user.name:
+  description: ''
+  name: process.parent.parent.user.name
+  type: keyword
+
+process.parent.user.domain:
+  description: ''
+  name: process.parent.user.domain
+  type: keyword
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/logo.png b/Trend Micro/trend-micro-vision-one-oat/_meta/logo.png
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
@@ -0,0 +1,12 @@
+uuid: 2345b987-a94a-4363-b7bc-a6e4a9efd98a
+automation_connector_uuid: 3b5a417e-e86f-4fce-ac10-4c1d76d91b46
+automation_module_uuid: 1b02d442-b804-4987-afe7-6a4be6ef35e6
+name: Trend Micro Vision One OAT [BETA]
+slug: trend-micro-vision-one-oat
+
+description: >-
+  Trend Micro Vision One is an extended detection and response (XDR) platform that enhances threat detection, investigation, and response across multiple security layers. It provides a centralized view for improved security posture and faster threat remediation.
+  This intake format will ingest Observed Attack Techniques from Trend Micro Vision One.
+
+data_sources:
+  Network intrusion detection system:
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json b/Trend Micro/trend-micro-vision-one-oat/_meta/smart-descriptions.json
@@ -0,0 +1,27 @@
+[
+    {
+    "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id}({threat.technique.subtechnique.id}) technique(s) on {host.ip}",
+    "conditions": [
+      { "field": "threat.tactic.id" },
+      { "field": "threat.technique.id" },
+      { "field": "threat.technique.subtechnique.id" },
+      { "field": "host.ip" }
+    ]
+  },
+  {
+    "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.id} technique(s) on {host.ip}",
+    "conditions": [
+      { "field": "threat.tactic.id" },
+      { "field": "threat.technique.id" },
+      { "field": "host.ip" }
+    ]
+  },
+  {
+    "value": "Observed {threat.tactic.id} tactic(s) and {threat.technique.subtechnique.id} technique(s) on {host.ip}",
+    "conditions": [
+      { "field": "threat.tactic.id" },
+      { "field": "threat.technique.subtechnique.id" },
+      { "field": "host.ip" }
+    ]
+  }
+]