Merge pull request #1369 from SEKOIA-IO/lv/trend_micro_vision_one_par…

…se_more_events Trend Micro Vision One - improve parser
SEKOIA-IO · Nov 29, 2024 · 3e15f48 · 3e15f48
2 parents 23a8b32 + 286b315
commit 3e15f48
Show file tree

Hide file tree

Showing 9 changed files with 328 additions and 22 deletions.
diff --git a/Trend Micro/trend-micro-vision-one/_meta/fields.yml b/Trend Micro/trend-micro-vision-one/_meta/fields.yml
@@ -1,3 +1,8 @@
+action.properties.ScriptBlockText:
+  description: ''
+  name: action.properties.ScriptBlockText
+  type: keyword
+
 trendmicro.vision_one.alert_id:
   description: ''
   name: trendmicro.vision_one.alert_id
@@ -8,6 +13,11 @@ trendmicro.vision_one.case_id:
   name: trendmicro.vision_one.case_id
   type: keyword
 
+trendmicro.vision_one.detection_name:
+  description: ''
+  name: trendmicro.vision_one.detection_name
+  type: keyword
+
 trendmicro.vision_one.incident_id:
   description: ''
   name: trendmicro.vision_one.incident_id

diff --git a/Trend Micro/trend-micro-vision-one/ingest/parser.yml b/Trend Micro/trend-micro-vision-one/ingest/parser.yml
@@ -25,39 +25,45 @@ stages:
       - set:
           "@timestamp": "{{parsed_event.message.createdDateTime}}"
 
-          host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.name }}"
-          host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'host') | first).entityValue.ips }}"
+          host.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.name }}"
+          host.ip: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.ips }}"
+          host.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'host') | first).entityValue.guid }}"
 
-          user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'emailAddress') | first).entityValue }}"
-          container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityValue }}"
-          container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'container') | first).entityId }}"
+          user.email: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'emailAddress') | first).entityValue }}"
+          container.name: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityValue }}"
+          container.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'container') | first).entityId }}"
 
           rule.name: "{{parsed_event.message.model}}"
           rule.id: "{{parsed_event.message.model.modelId}}"
 
           event.url: "{{parsed_event.message.model.workbenchLink}}"
 
       - set:
-          user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', 'equalto', 'account') | first).entityValue }}"
+          user.id: "{{ (parsed_event.message.impactScope.entities | selectattr('entityType', '==', 'account') | first).entityValue }}"
 
       - set:
           user.name: "{{final.user.id.split('\\\\') | last}}"
           user.domain: "{{final.user.id.split('\\\\') | first}}"
         filter: "{{final.user.id != null}}"
 
       - set:
-          process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processCmd') | first).value }}"
-          process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentCmd') | first).value }}"
-          process.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFilePath') | first).value }}"
-          process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'parentFilePath') | first).value }}"
-          process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha1') | first).value }}"
-          process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'processFileHashSha256') | first).value }}"
-          process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectPid') | first).value }}"
+          process.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processCmd') | first).value }}"
+          process.parent.command_line: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentCmd') | first).value }}"
+          process.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFilePath') | first).value }}"
+          process.parent.executable: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFilePath') | first).value }}"
+          process.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha1') | first).value }}"
+          process.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'processFileHashSha256') | first).value }}"
+
+          process.parent.pid: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentPid') | first).value }}"
+          process.pid: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['processPid', 'objectPid']) | first).value }}"
+
+          process.parent.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha1') | first).value }}"
+          process.parent.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'parentFileHashSha256') | first).value }}"
 
       - set:
-          registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[0] }}"
-          registry.key: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
-          registry.value: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value') | first).value }}"
+          registry.hive: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[0] }}"
+          registry.key: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_key') | first).value.split('\\\\')[1:] | join('\\\\') }}"
+          registry.value: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value') | first).value }}"
           registry.path: >
             {%- set path = [] -%}
             {%- for indicator in parsed_event.message.indicators -%}
@@ -68,19 +74,22 @@ stages:
             {%- endfor -%}
             {%- if path | length > 0 -%}{{ path | join('\\') }}{%- endif -%}
 
-          registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', 'equalto', 'registry_value_data') | first).value }}"
+          registry.data.strings: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'registry_value_data') | first).value }}"
 
       - set:
           registry.data.type: "REG_SZ"
         filter: "{{final.registry.data.strings != null }}"
 
       - set:
-          file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha1') | first).value }}"
-          file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFileHashSha256') | first).value }}"
-          file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'objectFilePath') | first).value or (parsed_event.message.indicators | selectattr('field', 'equalto', 'filePath') | first).value}}"
-          file.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'fileName') | first).value }}"
+          file.hash.sha1: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'file_sha1') | selectattr('field', 'in', ['fileHash', 'objectFileHashSha1']) | first).value }}"
+          file.hash.sha256: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectFileHashSha256') | first).value }}"
+          file.path: "{{ (parsed_event.message.indicators | selectattr('field', 'in', ['objectFilePath', 'fullPath']) | first).value }}"
+          file.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'fileName') | first).value }}"
 
-          user.name: "{{ (parsed_event.message.indicators | selectattr('field', 'equalto', 'logonUser') | first).value }}"
+          user.name: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'logonUser') | first).value }}"
+
+      - set:
+          action.properties.ScriptBlockText: "{{ (parsed_event.message.indicators | selectattr('field', '==', 'objectRawDataStr') | first).value }}"
 
       - set:
           trendmicro.vision_one.severity: "{{parsed_event.message.severity}}"
@@ -89,3 +98,4 @@ stages:
           trendmicro.vision_one.alert_id: "{{parsed_event.message.id}}"
           trendmicro.vision_one.status: "{{parsed_event.message.status}}"
           trendmicro.vision_one.investigation_status: "{{parsed_event.message.investigationStatus}}"
+          trendmicro.vision_one.detection_name: "{{ (parsed_event.message.indicators | selectattr('type', '==', 'detection_name') | first).value }}"
diff --git a/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json b/Trend Micro/trend-micro-vision-one/tests/test_eicar_test_file_detection.json
@@ -0,0 +1,57 @@
+{
+  "input": {
+    "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}"
+  },
+  "expected": {
+    "message": "{\"schemaVersion\": \"1.15\", \"id\": \"WB-11111-22222222-00000\", \"investigationStatus\": \"New\", \"status\": \"Open\", \"investigationResult\": \"No Findings\", \"workbenchLink\": \"https://portal.eu.xdr.trendmicro.com/index.html#/workbench/alerts/WB-11111-22222222-00000\", \"alertProvider\": \"SAE\", \"modelId\": \"dee5c874-1032-4f7a-baec-8ed1ef0be1af\", \"model\": \"Eicar Test File Detection\", \"modelType\": \"preset\", \"score\": 20, \"severity\": \"low\", \"createdDateTime\": \"2024-11-26T16:51:29Z\", \"updatedDateTime\": \"2024-11-26T16:51:29Z\", \"ownerIds\": [], \"impactScope\": {\"desktopCount\": 1, \"serverCount\": 0, \"accountCount\": 0, \"emailAddressCount\": 0, \"containerCount\": 0, \"cloudIdentityCount\": 0, \"entities\": [{\"entityType\": \"host\", \"entityValue\": {\"guid\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"name\": \"windows10\", \"ips\": [\"10.0.0.6\"]}, \"entityId\": \"ecede9e8-407e-4f34-9747-4a145c247ad5\", \"relatedEntities\": [], \"relatedIndicatorIds\": [1, 2, 3, 4, 5, 6], \"provenance\": [\"Alert\"], \"managementScopeGroupId\": \"110299e0-d3a0-499f-9ec3-e35ab5c2c702\"}]}, \"description\": \"Eicar test file is detected in the system.\", \"matchedRules\": [{\"id\": \"1ce01ccb-d930-4a1f-9e64-c1a117344f32\", \"name\": \"Eicar Test File Detection\", \"matchedFilters\": [{\"id\": \"4c2fd712-e89a-440a-b789-9bfcd8afd443\", \"name\": \"VSAPI Eicar Detection\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"mitreTechniqueIds\": [], \"matchedEvents\": [{\"uuid\": \"2bd63c5f-7394-4c3e-9a3c-acc77d0a43dd\", \"matchedDateTime\": \"2024-11-26T16:44:04.000Z\", \"type\": \"PRODUCT_EVENT_LOG\"}]}]}], \"indicators\": [{\"id\": 1, \"type\": \"detection_name\", \"field\": \"malName\", \"value\": \"Eicar_test_1\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 2, \"type\": \"file_sha1\", \"field\": \"fileHash\", \"value\": \"667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 3, \"type\": \"filename\", \"field\": \"fileName\", \"value\": \"eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 4, \"type\": \"fullpath\", \"field\": \"fullPath\", \"value\": \"C:\\\\Users\\\\jdoe\\\\Downloads\\\\eicar-com.txt\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 5, \"type\": \"text\", \"field\": \"endpointHostName\", \"value\": \"WINDOWS10\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}, {\"id\": 6, \"type\": \"text\", \"field\": \"actResult\", \"value\": \"File quarantined\", \"relatedEntities\": [\"ecede9e8-407e-4f34-9747-4a145c247ad5\"], \"filterIds\": [\"4c2fd712-e89a-440a-b789-9bfcd8afd443\"], \"provenance\": [\"Alert\"]}]}",
+    "event": {
+      "category": [
+        "intrusion_detection"
+      ],
+      "kind": "alert",
+      "reason": "Eicar Test File Detection",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-11-26T16:51:29Z",
+    "file": {
+      "hash": {
+        "sha1": "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8"
+      },
+      "name": "eicar-com.txt",
+      "path": "C:\\Users\\jdoe\\Downloads\\eicar-com.txt"
+    },
+    "host": {
+      "id": "ecede9e8-407e-4f34-9747-4a145c247ad5",
+      "ip": [
+        "10.0.0.6"
+      ],
+      "name": "windows10"
+    },
+    "observer": {
+      "product": "Vision One",
+      "vendor": "TrendMicro"
+    },
+    "related": {
+      "hash": [
+        "667DB0B8AE0C459133E30F4147A1CAC47CAFDDF8"
+      ],
+      "ip": [
+        "10.0.0.6"
+      ]
+    },
+    "rule": {
+      "name": "Eicar Test File Detection"
+    },
+    "trendmicro": {
+      "vision_one": {
+        "alert_id": "WB-11111-22222222-00000",
+        "detection_name": "Eicar_test_1",
+        "investigation_status": "New",
+        "severity": "low",
+        "status": "Open"
+      }
+    }
+  }
+}