Merge branch 'main' into fix/citrix_adc_warning

SEKOIA-IO · Dec 11, 2024 · 49a3f0a · 49a3f0a
2 parents e5bfc8d + ff1dd4b
commit 49a3f0a
Show file tree

Hide file tree

Showing 10 changed files with 117 additions and 10 deletions.
diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml
@@ -121,6 +121,11 @@ cisco.esa.url:
   name: cisco.esa.url
   type: keyword
 
+cisco.esa.url_domain:
+  description: ''
+  name: cisco.esa.url_domain
+  type: keyword
+
 email.attachments:
   description: A list of objects describing the attachment files sent along with an
     email message

diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml
@@ -209,11 +209,6 @@ stages:
                 {% endif %}
               {% endif %}
             {%- endfor %}]
-          cisco.esa.url: >-
-            [{% for url, details in dict(json_event_url_details.message).items() %}
-              "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}"
-              {% if not loop.last %},{% endif %}
-            {% endfor %}]
           url.domain: "{{parsed_event.message.EAURLDetails}}"
           cisco.esa.delivery.connection_id: "{{parsed_event.message.ESADCID}}"
           cisco.esa.injection.connection_id: "{{parsed_event.message.ESAICID}}"
@@ -232,6 +227,19 @@ stages:
           cisco.esa.helo.ip: "{{parsed_event.message.ESAHeloIP}}"
         filter: "{{parsed_event.message.ESAHeloIP | is_ipaddress}}"
 
+      - set:
+          cisco.esa.url_domain: >-
+            [{% for url, details in json_event_url_details.message.items() %}
+              {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %}
+              {% if not loop.last %},{% endif %}
+            {% endfor %}]
+          cisco.esa.url: >-
+            [{% for url, details in json_event_url_details.message.items() %}
+              {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %}
+              {% if not loop.last %},{% endif %}
+            {% endfor %}]
+        filter: "{{json_event_url_details.message | length > 0}}"
+
       - set:
           cisco.esa.helo.domain: "{{parsed_event.message.ESAHeloDomain}}"
           cisco.esa.sender_group: "{{parsed_event.message.ESASenderGroup}}"

diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json
@@ -58,6 +58,10 @@
         "url": [
           "http://schemas.microsoft.com/office/2004/12/omml",
           "http://www.w3.org/TR/REC-html40"
+        ],
+        "url_domain": [
+          "schemas.microsoft.com",
+          "www.w3.org"
         ]
       }
     },

diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json
@@ -61,6 +61,10 @@
         "url": [
           "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506",
           "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002"
+        ],
+        "url_domain": [
+          "bce-demo.appc.cisco.com",
+          "mandrill.appc.cisco.com"
         ]
       }
     },

diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json
@@ -55,6 +55,13 @@
         "url": [
           "https://facebook.com/u/john.doe",
           "https://tiktok.com",
+          "https://tinyurl.es/tbdra",
+          "www.twitter.com"
+        ],
+        "url_domain": [
+          "facebook.com",
+          "tiktok.com",
+          "tinyurl.es",
           "www.twitter.com"
         ]
       }

diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json
@@ -54,8 +54,7 @@
           "domain": {
             "age": "30 days (or greater)"
           }
-        },
-        "url": []
+        }
       }
     },
     "email": {

diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml
@@ -61,19 +61,43 @@ stages:
       - set:
           observer.vendor: "Cybereason"
           observer.product: "Cybereason"
+
   handle_malop:
     actions:
       - set:
           "@timestamp": "{{parsed_timestamp.datetime}}"
         filter: "{{parsed_event.message.lastUpdateTime != null}}"
+
       - set:
           file.name: "{{parsed_event.message.primaryRootCauseName}}"
           file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}"
         filter: '{{parsed_event.message.rootCauseElementType == "File"}}'
+
       - set:
           process.name: "{{parsed_event.message.primaryRootCauseName}}"
           process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}"
         filter: '{{parsed_event.message.rootCauseElementType == "Process"}}'
+
+      - set:
+          host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}"
+          host.name: "{{parsed_event.message.machines[0].get('displayName')}}"
+          host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}"
+          cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}"
+          cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}"
+          cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}"
+        filter: "{{parsed_event.message.get('machines', []) != []}}"
+
+      - set:
+          user.name: "{{parsed_event.message.users[0].get('displayName')}}"
+          cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}"
+          cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}"
+        filter: "{{parsed_event.message.get('users', []) != []}}"
+
+      - set:
+          user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}'
+          user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}'
+        filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}'
+
       - set:
           event.kind: "alert"
           event.category: ["malware"]
@@ -88,22 +112,28 @@ stages:
           cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}"
           cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}"
           cybereason.malop.is_edr: "{{parsed_event.message.edr}}"
+
       - set:
           cybereason.malop.created_at: "{{parsed_creation_time.datetime}}"
         filter: "{{parsed_event.message.malopCloseTime != null}}"
+
       - set:
           cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}"
         filter: "{{parsed_event.message.creationTime != null}}"
+
       - set:
           cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}"
         filter: "{{parsed_event.message.malopCloseTime != null}}"
+
   handle_model:
     actions:
       - set:
           "@timestamp": "{{parsed_timestamp.datetime}}"
         filter: "{{parsed_event.message.metadata.timestamp != null}}"
+
       - set:
           cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}"
+
   handle_machine_model:
     actions:
       - set:
@@ -118,6 +148,7 @@ stages:
       - set:
           host.os.type: "{{parsed_event.message.osType.lower()}}"
         filter: "{{parsed_event.message.osType != null}}"
+
   handle_user_model:
     actions:
       - set:
@@ -127,10 +158,12 @@ stages:
           user.name: "{{parsed_event.message.displayName}}"
           cybereason.malop.user.id: "{{parsed_event.message.guid}}"
           cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}"
+
       - set:
           user.name: '{{parsed_event.message.displayName.split("\\")[1]}}'
           user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}'
         filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}'
+
   handle_file_suspect_model:
     actions:
       - set:

diff --git a/CybeReason/malop-json/tests/test_malop.json b/CybeReason/malop-json/tests/test_malop.json
@@ -24,6 +24,11 @@
           ],
           "type": "CUSTOM_RULE"
         },
+        "host": {
+          "id": "-576002811.1198775089551518743",
+          "is_isolated": false,
+          "is_online": true
+        },
         "id": "11.-6654920844431693523",
         "is_edr": "true",
         "modified_at": "2022-11-20T12:02:17.625000Z",
@@ -33,7 +38,17 @@
           "type": "Process"
         },
         "severity": "High",
-        "status": "Active"
+        "status": "Active",
+        "user": {
+          "id": "0.2548072792133848559",
+          "is_admin": true
+        }
+      }
+    },
+    "host": {
+      "name": "win-cybereason",
+      "os": {
+        "type": "windows"
       }
     },
     "observer": {
@@ -42,6 +57,15 @@
     },
     "process": {
       "name": "cymulateagent.exe"
+    },
+    "related": {
+      "user": [
+        "administrator"
+      ]
+    },
+    "user": {
+      "domain": "win-cybereason",
+      "name": "administrator"
     }
   }
 }
diff --git a/CybeReason/malop-json/tests/test_malop_detail.json b/CybeReason/malop-json/tests/test_malop_detail.json
@@ -24,6 +24,11 @@
           ],
           "type": "KNOWN_MALWARE"
         },
+        "host": {
+          "id": "-576002811.1198775089551518743",
+          "is_isolated": false,
+          "is_online": false
+        },
         "id": "11.7498520112250262440",
         "is_edr": "false",
         "modified_at": "2022-11-14T02:19:45.000000Z",
@@ -33,7 +38,11 @@
           "type": "File"
         },
         "severity": "Low",
-        "status": "Closed"
+        "status": "Closed",
+        "user": {
+          "id": "0.2548072792133848559",
+          "is_admin": false
+        }
       }
     },
     "file": {
@@ -42,14 +51,28 @@
       },
       "name": "kprocesshacker.sys"
     },
+    "host": {
+      "domain": "desktop-aaaaaa.example.org",
+      "name": "desktop-aaaaaa",
+      "os": {
+        "type": "windows"
+      }
+    },
     "observer": {
       "product": "Cybereason",
       "vendor": "Cybereason"
     },
     "related": {
       "hash": [
         "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
+      ],
+      "user": [
+        "system"
       ]
+    },
+    "user": {
+      "domain": "desktop-aaaaa",
+      "name": "system"
     }
   }
 }
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
@@ -191,7 +191,7 @@ stages:
           event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}"
           destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}"
           destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}"
-          destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost}}"
+          destination.domain: "{{parsed_event.message.remotename or parsed_event.message.dhost or parsed_event.message.hostname}}"
           destination.mac: "{{parsed_event.message.dstmac}}"
           destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}"
           destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}"