diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 144a3c222..3ea23bd6f 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml @@ -121,6 +121,11 @@ cisco.esa.url: name: cisco.esa.url type: keyword +cisco.esa.url_domain: + description: '' + name: cisco.esa.url_domain + type: keyword + email.attachments: description: A list of objects describing the attachment files sent along with an email message diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 67b76402f..8f3acbeb3 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -209,11 +209,6 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url: >- - [{% for url, details in dict(json_event_url_details.message).items() %} - "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}" - {% if not loop.last %},{% endif %} - {% endfor %}] url.domain: "{{parsed_event.message.EAURLDetails}}" cisco.esa.delivery.connection_id: "{{parsed_event.message.ESADCID}}" cisco.esa.injection.connection_id: "{{parsed_event.message.ESAICID}}" 
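Review bot: The new `cisco.esa.url_domain` entry is declared with `description: ''`, while the neighbouring `email.attachments` field in the same hunk carries a proper description; a derived field (the host portion cut out of each URL, which is what the parser.yml hunk of this commit does) is exactly the kind that needs one. Suggest `description: 'Host portions of the URLs found in the message, including the expanded form of shortened URLs'`, adjusted if the extraction in the parser changes. Left empty, the field appears undocumented in anything generated from this file.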
@@ -232,6 +227,19 @@ stages: cisco.esa.helo.ip: "{{parsed_event.message.ESAHeloIP}}" filter: "{{parsed_event.message.ESAHeloIP | is_ipaddress}}" + - set: + cisco.esa.url_domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + filter: "{{json_event_url_details.message | length > 0}}" + - set: cisco.esa.helo.domain: "{{parsed_event.message.ESAHeloDomain}}" cisco.esa.sender_group: "{{parsed_event.message.ESASenderGroup}}" diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 56ac98c83..ce0d1d1b3 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json @@ -58,6 +58,10 @@ "url": [ "http://schemas.microsoft.com/office/2004/12/omml", "http://www.w3.org/TR/REC-html40" + ], + "url_domain": [ + "schemas.microsoft.com", + "www.w3.org" ] } }, diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index afb99f16d..4dbc8fa48 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json 
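Review bot: The host extraction in the new `cisco.esa.url_domain` value, `.replace('https://','').replace('http://','').split('/')[0]`, only strips a lowercase scheme and keeps everything up to the first slash, so `HTTP://host/`, `host:8080`, `user@host`, `host?x=1` and `host#frag` all yield something that is not a bare domain, which matters for a field that will presumably be matched against domain indicators. Consider stripping the scheme regardless of case and cutting at the other delimiters, e.g. `url.split('://', 1)[-1].split('/')[0].split('?')[0].split('#')[0].split('@')[-1].split(':')[0]`, or a URL-parsing filter if the pipeline provides one; `split('://', 1)[-1]` still leaves scheme-less values such as the fixture's `www.twitter.com` untouched. The expression is also repeated three times on one line; assigning the candidate URL to a loop-local `{% set %}` variable and extracting once would keep the `ExpandedUrl` and plain branches in step.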
@@ -61,6 +61,10 @@ "url": [ "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ], + "url_domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" ] } }, diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 553425b45..46ca9ebb4 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -55,6 +55,13 @@ "url": [ "https://facebook.com/u/john.doe", "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ], + "url_domain": [ + "facebook.com", + "tiktok.com", + "tinyurl.es", "www.twitter.com" ] } diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 29716af19..b77951dcf 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,8 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [] + } } }, "email": { diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml index 80803a753..9f716126d 100644 --- a/CybeReason/malop-json/ingest/parser.yml +++ b/CybeReason/malop-json/ingest/parser.yml 
@@ -61,19 +61,43 @@ stages: - set: observer.vendor: "Cybereason" observer.product: "Cybereason" + handle_malop: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.lastUpdateTime != null}}" + - set: file.name: "{{parsed_event.message.primaryRootCauseName}}" file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "File"}}' + - set: process.name: "{{parsed_event.message.primaryRootCauseName}}" process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "Process"}}' + + - set: + host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}" + host.name: "{{parsed_event.message.machines[0].get('displayName')}}" + host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}" + cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}" + cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}" + cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}" + filter: "{{parsed_event.message.get('machines', []) != []}}" + + - set: + user.name: "{{parsed_event.message.users[0].get('displayName')}}" + cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}" + cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}" + filter: "{{parsed_event.message.get('users', []) != []}}" + + - set: + user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}' + user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}' + filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}' + - set: event.kind: "alert" event.category: ["malware"] 
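Review bot: The filter on the last new `set` action, `'{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}'`, evaluates `"\\" in None` when the first user has no `displayName`, and Python's `in` does not accept `None`, so the filter raises instead of evaluating to false; the sibling filter in `handle_user_model` guards with `displayName != null` first. Suggest `"\\" in (parsed_event.message.users[0].get("displayName") or "")` so a missing name simply skips the split. Only `machines[0]` and `users[0]` are mapped, so a malop that involves several hosts or users silently loses the rest; if that is intended, a comment above these actions saying so would help the next reader. `host.domain` is fed from `adDNSHostName`, which the `test_malop_detail.json` fixture in this commit renders as the full `desktop-aaaaaa.example.org`; presumably the ECS field expects the domain part only, so please confirm the mapping.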
@@ -88,22 +112,28 @@ stages: cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}" cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}" cybereason.malop.is_edr: "{{parsed_event.message.edr}}" + - set: cybereason.malop.created_at: "{{parsed_creation_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + - set: cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.creationTime != null}}" + - set: cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + handle_model: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.metadata.timestamp != null}}" + - set: cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}" + handle_machine_model: actions: - set: @@ -118,6 +148,7 @@ stages: - set: host.os.type: "{{parsed_event.message.osType.lower()}}" filter: "{{parsed_event.message.osType != null}}" + handle_user_model: actions: - set: @@ -127,10 +158,12 @@ stages: user.name: "{{parsed_event.message.displayName}}" cybereason.malop.user.id: "{{parsed_event.message.guid}}" cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}" + - set: user.name: '{{parsed_event.message.displayName.split("\\")[1]}}' user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}' filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}' + handle_file_suspect_model: actions: - set: diff --git a/CybeReason/malop-json/tests/test_malop.json b/CybeReason/malop-json/tests/test_malop.json index b7ad07bb9..a5df9c14f 100644 --- a/CybeReason/malop-json/tests/test_malop.json +++ b/CybeReason/malop-json/tests/test_malop.json 
@@ -24,6 +24,11 @@ ], "type": "CUSTOM_RULE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": true + }, "id": "11.-6654920844431693523", "is_edr": "true", "modified_at": "2022-11-20T12:02:17.625000Z", @@ -33,7 +38,17 @@ "type": "Process" }, "severity": "High", - "status": "Active" + "status": "Active", + "user": { + "id": "0.2548072792133848559", + "is_admin": true + } + } + }, + "host": { + "name": "win-cybereason", + "os": { + "type": "windows" } }, "observer": { @@ -42,6 +57,15 @@ }, "process": { "name": "cymulateagent.exe" + }, + "related": { + "user": [ + "administrator" + ] + }, + "user": { + "domain": "win-cybereason", + "name": "administrator" } } } \ No newline at end of file diff --git a/CybeReason/malop-json/tests/test_malop_detail.json b/CybeReason/malop-json/tests/test_malop_detail.json index a009d865f..532ff8e73 100644 --- a/CybeReason/malop-json/tests/test_malop_detail.json +++ b/CybeReason/malop-json/tests/test_malop_detail.json @@ -24,6 +24,11 @@ ], "type": "KNOWN_MALWARE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": false + }, "id": "11.7498520112250262440", "is_edr": "false", "modified_at": "2022-11-14T02:19:45.000000Z", @@ -33,7 +38,11 @@ "type": "File" }, "severity": "Low", - "status": "Closed" + "status": "Closed", + "user": { + "id": "0.2548072792133848559", + "is_admin": false + } } }, "file": { @@ -42,6 +51,13 @@ }, "name": "kprocesshacker.sys" }, + "host": { + "domain": "desktop-aaaaaa.example.org", + "name": "desktop-aaaaaa", + "os": { + "type": "windows" + } + }, "observer": { "product": "Cybereason", "vendor": "Cybereason" @@ -49,7 +65,14 @@ "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "user": [ + "system" ] + }, + "user": { + "domain": "desktop-aaaaa", + "name": "system" } } } \ No newline at end of file 
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml index 311e0deb0..cbb9b311a 100644 --- a/Fortinet/fortigate/ingest/parser.yml +++ b/Fortinet/fortigate/ingest/parser.yml @@ -191,7 +191,7 @@ stages: event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}" destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}" destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}" - destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost}}" + destination.domain: "{{parsed_event.message.remotename or parsed_event.message.dhost or parsed_event.message.hostname}}" destination.mac: "{{parsed_event.message.dstmac}}" destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}" destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}"
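Review bot: The new precedence for `destination.domain` puts `remotename` first and moves `hostname` from first to last, which changes the value for any event carrying both `hostname` and `dhost`, yet no Fortinet test fixture is touched in the visible part of this diff to pin the new order. A fixture with `remotename` set, and one with both `hostname` and `dhost`, would make the intent verifiable. A short comment above the line stating why `remotename` should win over the other two, e.g. `# precedence: remotename > dhost > hostname — <reason>` with the reason filled in, would also explain the inversion to the next person editing this chain.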