From 930934b0e3b3ea8eb27f023e9bf8a5aba899d80b Mon Sep 17 00:00:00 2001
From: Bichoumac
Date: Mon, 9 Dec 2024 20:05:57 +0100
Subject: [PATCH 1/8] Adding a possible value to destination.domain on Fortigate logs

Adding the value of remotename to the field destination.domain
---
 Fortinet/fortigate/ingest/parser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
index 311e0deb0..4cda504c7 100644
--- a/Fortinet/fortigate/ingest/parser.yml
+++ b/Fortinet/fortigate/ingest/parser.yml
@@ -191,7 +191,7 @@ stages:
           event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}"
           destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}"
           destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}"
-          destination.domain: "{{parsed_event.message.hostname or parsed_event.message.dhost}}"
+          destination.domain: "{{parsed_event.message.remotename or parsed_event.message.hostname or parsed_event.message.dhost}}"
           destination.mac: "{{parsed_event.message.dstmac}}"
           destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}"
           destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}"

From 2f1337b090bf6735c1a77376b6fbaa2cb9a4ccf2 Mon Sep 17 00:00:00 2001
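Review bot: The new precedence puts `remotename` ahead of both `hostname` and `dhost`, but no fixture in this commit contains an event that carries `remotename`, so the value chosen when several of these keys coexist is untested; PATCH 8/8 later swaps `dhost` and `hostname` in the same expression, which is exactly the kind of ordering decision a fixture would pin. Add a constructed test event that sets both `remotename` and `hostname` and assert the resulting `destination.domain`. Note that the `or` chain also treats an empty-string `remotename` as absent and falls through, which is probably intended but worth a short comment on the line. The `- set:` stanza and its enclosing `stages:` block extend outside the hunk.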
From: LenaigKaliou Date: Tue, 10 Dec 2024 14:50:41 +0100 Subject: [PATCH 2/8] Fix on cisco.url fields --- Cisco/cisco-esa/_meta/fields.yml | 9 +++++++-- Cisco/cisco-esa/ingest/parser.yml | 11 ++++++++--- .../tests/test_attachments_details.json | 14 ++++++++++---- Cisco/cisco-esa/tests/test_ingest_log2.json | 14 ++++++++++---- Cisco/cisco-esa/tests/test_ingest_log5.json | 19 ++++++++++++++----- Cisco/cisco-esa/tests/test_ingest_log7.json | 5 ++++- 6 files changed, 53 insertions(+), 19 deletions(-) diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 144a3c222..8adc31e3c 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml @@ -116,9 +116,14 @@ cisco.esa.status: name: cisco.esa.status type: keyword -cisco.esa.url: +cisco.esa.url.domain: + description: the declaration of the cisco urls domains + name: cisco.esa.url.domain + type: keyword + +cisco.esa.url.full: description: the declaration of the cisco urls - name: cisco.esa.url + name: cisco.esa.url.full type: keyword email.attachments: diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 67b76402f..65e217b47 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml 
@@ -209,9 +209,14 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url: >- - [{% for url, details in dict(json_event_url_details.message).items() %} - "{% if details.get('ExpandedUrl') is not none %}{{ details.ExpandedUrl }}{% else %}{{ url }}{% endif %}" + cisco.esa.url.domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.split('/')[2]}}", "{{ details.ExpandedUrl.split('/')[2] }}"{% else %}"{{ url.split('/')[2] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url.full: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} {% if not loop.last %},{% endif %} {% endfor %}] url.domain: "{{parsed_event.message.EAURLDetails}}" diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index 56ac98c83..d6a1e2d56 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json @@ -55,10 +55,16 @@ "age": "30 days (or greater)" } }, - "url": [ - "http://schemas.microsoft.com/office/2004/12/omml", - "http://www.w3.org/TR/REC-html40" - ] + "url": { + "domain": [ + "schemas.microsoft.com", + "www.w3.org" + ], + "full": [ + "http://schemas.microsoft.com/office/2004/12/omml", + "http://www.w3.org/TR/REC-html40" + ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index afb99f16d..861934a97 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json 
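Review bot: `url.split('/')[2]` yields the URL's authority component rather than its domain: userinfo and a port, when present, stay in the stored value (a constructed `http://user@host.example:8080/x` gives `user@host.example:8080`), and a URL without a scheme has no index 2, which is why this commit's log5 fixture records `""` as a domain. PATCH 6/8 deals with the missing scheme but not with the authority, and the same expression is carried through the hunks of PATCH 3/8, 6/8 and 7/8. Dropping userinfo and port after the split, e.g. `{{ url.split('/')[2].split('@')[-1].split(':')[0] }}` for each of the three occurrences, stores a bare host that downstream lookups keyed on `cisco.esa.url.domain` can rely on; IPv6 literals would still need separate handling. The `cisco.esa` stanza enclosing these keys starts and ends outside the hunk.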
@@ -58,10 +58,16 @@ "age": "9 years 3 months 14 days" } }, - "url": [ - "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", - "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" - ] + "url": { + "domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" + ], + "full": [ + "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", + "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 553425b45..77ae37f04 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -52,11 +52,20 @@ "age": "30 days (or greater)" } }, - "url": [ - "https://facebook.com/u/john.doe", - "https://tiktok.com", - "www.twitter.com" - ] + "url": { + "domain": [ + "", + "facebook.com", + "tiktok.com", + "tinyurl.es" + ], + "full": [ + "https://facebook.com/u/john.doe", + "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ] + } } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 29716af19..8fcb871ab 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -55,7 +55,10 @@ "age": "30 days (or greater)" } }, - "url": [] + "url": { + "domain": [], + "full": [] + } } }, "email": { From 2e73fb7509b85c32c709f65d816757bc0d89159d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 10 Dec 2024 15:23:16 +0100 Subject: [PATCH 3/8] Update Cisco/cisco-esa/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- Cisco/cisco-esa/ingest/parser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml index 65e217b47..ea082905c 100644 --- a/Cisco/cisco-esa/ingest/parser.yml +++ b/Cisco/cisco-esa/ingest/parser.yml @@ -209,12 +209,12 @@ stages: {% endif %} {% endif %} {%- endfor %}] - cisco.esa.url.domain: >- + cisco.esa.url_domain: >- [{% for url, details in json_event_url_details.message.items() %} {% if details.get('ExpandedUrl') is not none %}"{{url.split('/')[2]}}", "{{ details.ExpandedUrl.split('/')[2] }}"{% else %}"{{ url.split('/')[2] }}"{% endif %} {% if not loop.last %},{% endif %} {% endfor %}] - cisco.esa.url.full: >- + cisco.esa.url: >- [{% for url, details in json_event_url_details.message.items() %} {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} {% if not loop.last %},{% endif %} From 1757251807a7b82dbfcc0a5a1564263567755787 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 15:27:28 +0100 Subject: [PATCH 4/8] fix on fields --- Cisco/cisco-esa/_meta/fields.yml | 12 ++++----- .../tests/test_attachments_details.json | 18 ++++++------- Cisco/cisco-esa/tests/test_ingest_log2.json | 18 ++++++------- Cisco/cisco-esa/tests/test_ingest_log5.json | 26 +++++++++---------- Cisco/cisco-esa/tests/test_ingest_log7.json | 6 ++--- 5 files changed, 36 insertions(+), 44 deletions(-) diff --git a/Cisco/cisco-esa/_meta/fields.yml b/Cisco/cisco-esa/_meta/fields.yml index 8adc31e3c..3ea23bd6f 100644 --- a/Cisco/cisco-esa/_meta/fields.yml +++ b/Cisco/cisco-esa/_meta/fields.yml 
@@ -116,14 +116,14 @@ cisco.esa.status: name: cisco.esa.status type: keyword -cisco.esa.url.domain: - description: the declaration of the cisco urls domains - name: cisco.esa.url.domain +cisco.esa.url: + description: the declaration of the cisco urls + name: cisco.esa.url type: keyword -cisco.esa.url.full: - description: the declaration of the cisco urls - name: cisco.esa.url.full +cisco.esa.url_domain: + description: '' + name: cisco.esa.url_domain type: keyword email.attachments: diff --git a/Cisco/cisco-esa/tests/test_attachments_details.json b/Cisco/cisco-esa/tests/test_attachments_details.json index d6a1e2d56..ce0d1d1b3 100644 --- a/Cisco/cisco-esa/tests/test_attachments_details.json +++ b/Cisco/cisco-esa/tests/test_attachments_details.json @@ -55,16 +55,14 @@ "age": "30 days (or greater)" } }, - "url": { - "domain": [ - "schemas.microsoft.com", - "www.w3.org" - ], - "full": [ - "http://schemas.microsoft.com/office/2004/12/omml", - "http://www.w3.org/TR/REC-html40" - ] - } + "url": [ + "http://schemas.microsoft.com/office/2004/12/omml", + "http://www.w3.org/TR/REC-html40" + ], + "url_domain": [ + "schemas.microsoft.com", + "www.w3.org" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log2.json b/Cisco/cisco-esa/tests/test_ingest_log2.json index 861934a97..4dbc8fa48 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log2.json +++ b/Cisco/cisco-esa/tests/test_ingest_log2.json 
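Review bot: `description: ''` leaves `cisco.esa.url_domain` undocumented in `fields.yml` while its sibling `cisco.esa.url` keeps a description; the field holds a value derived from the URLs rather than raw log data, so the description should say how it is derived. A one-liner such as `description: host part of each URL listed in cisco.esa.url, expanded URLs included` would do. The existing wording `the declaration of the cisco urls` on the sibling is vague enough to tighten at the same time, e.g. `URLs found in the message, as reported by ESA URL details`.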
@@ -58,16 +58,14 @@ "age": "9 years 3 months 14 days" } }, - "url": { - "domain": [ - "bce-demo.appc.cisco.com", - "mandrill.appc.cisco.com" - ], - "full": [ - "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", - "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" - ] - } + "url": [ + "http://mandrill.appc.cisco.com/track/open.php?u=30372747&id=d57275a6c9df40418a90fd977e3bf506", + "https://bce-demo.appc.cisco.com/sensors/a7b04388-0f6e-11e9-8def-0242ac110002" + ], + "url_domain": [ + "bce-demo.appc.cisco.com", + "mandrill.appc.cisco.com" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json index 77ae37f04..6bc9470fd 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log5.json +++ b/Cisco/cisco-esa/tests/test_ingest_log5.json @@ -52,20 +52,18 @@ "age": "30 days (or greater)" } }, - "url": { - "domain": [ - "", - "facebook.com", - "tiktok.com", - "tinyurl.es" - ], - "full": [ - "https://facebook.com/u/john.doe", - "https://tiktok.com", - "https://tinyurl.es/tbdra", - "www.twitter.com" - ] - } + "url": [ + "https://facebook.com/u/john.doe", + "https://tiktok.com", + "https://tinyurl.es/tbdra", + "www.twitter.com" + ], + "url_domain": [ + "", + "facebook.com", + "tiktok.com", + "tinyurl.es" + ] } }, "email": { diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 8fcb871ab..45d8465a7 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -55,10 +55,8 @@ "age": "30 days (or greater)" } }, - "url": { - "domain": [], - "full": [] - } + "url": [], + "url_domain": [] } }, "email": { From 28a6c8731ba8f8e122ded925ba64d37958d6c52e Mon Sep 17 00:00:00 2001 
From: vg-svitla Date: Tue, 10 Dec 2024 16:30:51 +0200 Subject: [PATCH 5/8] Fix: Extract more fields for Cybereason --- CybeReason/malop-json/ingest/parser.yml | 33 +++++++++++++++++++ CybeReason/malop-json/tests/test_malop.json | 26 ++++++++++++++- .../malop-json/tests/test_malop_detail.json | 25 +++++++++++++- 3 files changed, 82 insertions(+), 2 deletions(-) diff --git a/CybeReason/malop-json/ingest/parser.yml b/CybeReason/malop-json/ingest/parser.yml index 80803a753..9f716126d 100644 --- a/CybeReason/malop-json/ingest/parser.yml +++ b/CybeReason/malop-json/ingest/parser.yml 
@@ -61,19 +61,43 @@ stages: - set: observer.vendor: "Cybereason" observer.product: "Cybereason" + handle_malop: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.lastUpdateTime != null}}" + - set: file.name: "{{parsed_event.message.primaryRootCauseName}}" file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "File"}}' + - set: process.name: "{{parsed_event.message.primaryRootCauseName}}" process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}" filter: '{{parsed_event.message.rootCauseElementType == "Process"}}' + + - set: + host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}" + host.name: "{{parsed_event.message.machines[0].get('displayName')}}" + host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}" + cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}" + cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}" + cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}" + filter: "{{parsed_event.message.get('machines', []) != []}}" + + - set: + user.name: "{{parsed_event.message.users[0].get('displayName')}}" + cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}" + cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}" + filter: "{{parsed_event.message.get('users', []) != []}}" + + - set: + user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}' + user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}' + filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}' + - set: event.kind: "alert" event.category: ["malware"] 
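Review bot: The last `filter` in the new `handle_malop` actions tests `"\\" in parsed_event.message.users[0].get("displayName")` without first checking that `displayName` is present, so a user entry with a missing or null `displayName` makes the `in` test operate on `None` and the filter most likely raises instead of evaluating false; the sibling `handle_user_model` stage already guards the same test with `displayName != null`. Mirror that guard: `filter: '{{parsed_event.message.get("users", []) != [] and parsed_event.message.users[0].get("displayName") != null and "\\" in parsed_event.message.users[0].get("displayName")}}'`. The same shape applies to `machines[0].get('osType', '').lower()`, where an explicit null `osType` bypasses the default and `.lower()` is then called on `None`; `(parsed_event.message.machines[0].get('osType') or '').lower()` avoids that. The `stages:` block enclosing these actions starts and ends outside the hunk.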
@@ -88,22 +112,28 @@ stages: cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}" cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}" cybereason.malop.is_edr: "{{parsed_event.message.edr}}" + - set: cybereason.malop.created_at: "{{parsed_creation_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + - set: cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.creationTime != null}}" + - set: cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}" filter: "{{parsed_event.message.malopCloseTime != null}}" + handle_model: actions: - set: "@timestamp": "{{parsed_timestamp.datetime}}" filter: "{{parsed_event.message.metadata.timestamp != null}}" + - set: cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}" + handle_machine_model: actions: - set: @@ -118,6 +148,7 @@ stages: - set: host.os.type: "{{parsed_event.message.osType.lower()}}" filter: "{{parsed_event.message.osType != null}}" + handle_user_model: actions: - set: @@ -127,10 +158,12 @@ stages: user.name: "{{parsed_event.message.displayName}}" cybereason.malop.user.id: "{{parsed_event.message.guid}}" cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}" + - set: user.name: '{{parsed_event.message.displayName.split("\\")[1]}}' user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}' filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}' + handle_file_suspect_model: actions: - set: diff --git a/CybeReason/malop-json/tests/test_malop.json b/CybeReason/malop-json/tests/test_malop.json index b7ad07bb9..a5df9c14f 100644 --- a/CybeReason/malop-json/tests/test_malop.json +++ b/CybeReason/malop-json/tests/test_malop.json 
@@ -24,6 +24,11 @@ ], "type": "CUSTOM_RULE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": true + }, "id": "11.-6654920844431693523", "is_edr": "true", "modified_at": "2022-11-20T12:02:17.625000Z", @@ -33,7 +38,17 @@ "type": "Process" }, "severity": "High", - "status": "Active" + "status": "Active", + "user": { + "id": "0.2548072792133848559", + "is_admin": true + } + } + }, + "host": { + "name": "win-cybereason", + "os": { + "type": "windows" } }, "observer": { @@ -42,6 +57,15 @@ }, "process": { "name": "cymulateagent.exe" + }, + "related": { + "user": [ + "administrator" + ] + }, + "user": { + "domain": "win-cybereason", + "name": "administrator" } } } \ No newline at end of file diff --git a/CybeReason/malop-json/tests/test_malop_detail.json b/CybeReason/malop-json/tests/test_malop_detail.json index a009d865f..532ff8e73 100644 --- a/CybeReason/malop-json/tests/test_malop_detail.json +++ b/CybeReason/malop-json/tests/test_malop_detail.json @@ -24,6 +24,11 @@ ], "type": "KNOWN_MALWARE" }, + "host": { + "id": "-576002811.1198775089551518743", + "is_isolated": false, + "is_online": false + }, "id": "11.7498520112250262440", "is_edr": "false", "modified_at": "2022-11-14T02:19:45.000000Z", @@ -33,7 +38,11 @@ "type": "File" }, "severity": "Low", - "status": "Closed" + "status": "Closed", + "user": { + "id": "0.2548072792133848559", + "is_admin": false + } } }, "file": { @@ -42,6 +51,13 @@ }, "name": "kprocesshacker.sys" }, + "host": { + "domain": "desktop-aaaaaa.example.org", + "name": "desktop-aaaaaa", + "os": { + "type": "windows" + } + }, "observer": { "product": "Cybereason", "vendor": "Cybereason" @@ -49,7 +65,14 @@ "related": { "hash": [ "adc83b19e793491b1c6ea0fd8b46cd9f32e592fc" + ], + "user": [ + "system" ] + }, + "user": { + "domain": "desktop-aaaaa", + "name": "system" } } } \ No newline at end of file From bc460dc02fadba94aa2dceb3e0b86ee58eca8967 Mon Sep 17 00:00:00 2001 
From: LenaigKaliou
Date: Wed, 11 Dec 2024 11:38:21 +0100
Subject: [PATCH 6/8] Fix for url with no http header
---
 Cisco/cisco-esa/ingest/parser.yml | 2 +-
 Cisco/cisco-esa/tests/test_ingest_log5.json | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml
index ea082905c..06a4f7dec 100644
--- a/Cisco/cisco-esa/ingest/parser.yml
+++ b/Cisco/cisco-esa/ingest/parser.yml
@@ -211,7 +211,7 @@ stages:
             {%- endfor %}]
           cisco.esa.url_domain: >-
             [{% for url, details in json_event_url_details.message.items() %}
-            {% if details.get('ExpandedUrl') is not none %}"{{url.split('/')[2]}}", "{{ details.ExpandedUrl.split('/')[2] }}"{% else %}"{{ url.split('/')[2] }}"{% endif %}
+            {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %}
             {% if not loop.last %},{% endif %}
             {% endfor %}]
           cisco.esa.url: >-
diff --git a/Cisco/cisco-esa/tests/test_ingest_log5.json b/Cisco/cisco-esa/tests/test_ingest_log5.json
index 6bc9470fd..46ca9ebb4 100644
--- a/Cisco/cisco-esa/tests/test_ingest_log5.json
+++ b/Cisco/cisco-esa/tests/test_ingest_log5.json
@@ -59,10 +59,10 @@
         "www.twitter.com"
       ],
       "url_domain": [
-        "",
         "facebook.com",
         "tiktok.com",
-        "tinyurl.es"
+        "tinyurl.es",
+        "www.twitter.com"
       ]
     }
   },

From 0c17da55c79c3cb0498e27bd152797f8f647ec0e Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Wed, 11 Dec 2024 13:52:16 +0100
Subject: [PATCH 7/8] fix to avoid empty lists
---
 Cisco/cisco-esa/ingest/parser.yml | 23 ++++++++++++---
 Cisco/cisco-esa/tests/test_ingest_log7.json | 4 +---
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/Cisco/cisco-esa/ingest/parser.yml b/Cisco/cisco-esa/ingest/parser.yml
index 06a4f7dec..8f3acbeb3 100644
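Review bot: `.replace('https://','').replace('http://','')` strips only the two lowercase schemes, so any other prefix — `ftp://`, or `HTTP://` written in upper case — is left in place and `split('/')[0]` records `ftp:` or `HTTP:` as the domain. Splitting once on the separator covers every scheme as well as the scheme-less case this commit targets: `{{ url.split('://', 1)[-1].split('/')[0] }}` (and the same for `details.ExpandedUrl`), which keeps the log5 fixture unchanged; the `maxsplit` of 1 matters, because a redirect-style URL whose query embeds another `://` must not be split on the inner one. PATCH 7/8 moves this same line into a filtered `- set:`, so the fix belongs there too. The `cisco.esa.url_domain` block scalar continues outside the hunk.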
--- a/Cisco/cisco-esa/ingest/parser.yml
+++ b/Cisco/cisco-esa/ingest/parser.yml
@@ -209,16 +209,6 @@ stages:
             {% endif %}
             {% endif %}
             {%- endfor %}]
-          cisco.esa.url_domain: >-
-            [{% for url, details in json_event_url_details.message.items() %}
-            {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %}
-            {% if not loop.last %},{% endif %}
-            {% endfor %}]
-          cisco.esa.url: >-
-            [{% for url, details in json_event_url_details.message.items() %}
-            {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %}
-            {% if not loop.last %},{% endif %}
-            {% endfor %}]
           url.domain: "{{parsed_event.message.EAURLDetails}}"
           cisco.esa.delivery.connection_id: "{{parsed_event.message.ESADCID}}"
           cisco.esa.injection.connection_id: "{{parsed_event.message.ESAICID}}"
@@ -237,6 +227,19 @@ stages: cisco.esa.helo.ip: "{{parsed_event.message.ESAHeloIP}}" filter: "{{parsed_event.message.ESAHeloIP | is_ipaddress}}" + - set: + cisco.esa.url_domain: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url.replace('https://','').replace('http://','').split('/')[0]}}", "{{ details.ExpandedUrl.replace('https://','').replace('http://','').split('/')[0] }}"{% else %}"{{ url.replace('https://','').replace('http://','').split('/')[0] }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + cisco.esa.url: >- + [{% for url, details in json_event_url_details.message.items() %} + {% if details.get('ExpandedUrl') is not none %}"{{url}}", "{{ details.ExpandedUrl }}"{% else %}"{{ url }}"{% endif %} + {% if not loop.last %},{% endif %} + {% endfor %}] + filter: "{{json_event_url_details.message | length > 0}}" + - set: cisco.esa.helo.domain: "{{parsed_event.message.ESAHeloDomain}}" cisco.esa.sender_group: "{{parsed_event.message.ESASenderGroup}}" diff --git a/Cisco/cisco-esa/tests/test_ingest_log7.json b/Cisco/cisco-esa/tests/test_ingest_log7.json index 45d8465a7..b77951dcf 100644 --- a/Cisco/cisco-esa/tests/test_ingest_log7.json +++ b/Cisco/cisco-esa/tests/test_ingest_log7.json @@ -54,9 +54,7 @@ "domain": { "age": "30 days (or greater)" } - }, - "url": [], - "url_domain": [] + } } }, "email": { From 41472aad15b100b1777f2793d1e0fea503bc93e2 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Wed, 11 Dec 2024 14:38:07 +0100 Subject: [PATCH 8/8] fix(Fortigate): reorder the fields for destination.domain --- Fortinet/fortigate/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml index 4cda504c7..cbb9b311a 100644 --- a/Fortinet/fortigate/ingest/parser.yml +++ b/Fortinet/fortigate/ingest/parser.yml 
@@ -191,7 +191,7 @@ stages:
           event.action: "{{parsed_event.message.name or parsed_event.message.FTNTFGTaction or parsed_event.message.FortinetFortiGateaction or parsed_event.message.act or parsed_event.message.action or parsed_event.message.reason}}"
           destination.address: "{{parsed_event.message.dstip or parsed_event.message.dst}}"
           destination.bytes: "{{parsed_event.message.rcvdbyte or parsed_event.message.in}}"
-          destination.domain: "{{parsed_event.message.remotename or parsed_event.message.hostname or parsed_event.message.dhost}}"
+          destination.domain: "{{parsed_event.message.remotename or parsed_event.message.dhost or parsed_event.message.hostname}}"
           destination.mac: "{{parsed_event.message.dstmac}}"
           destination.nat.port: "{{parsed_event.message.destinationTranslatedPort}}"
           destination.packets: "{{parsed_event.message.rcvdpkt or parsed_event.message.FTNTFGTrcvpkt or parsed_event.message.FortinetFortiGatercvdpkt or parsed_event.message.get('Packets Received')}}"
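Review bot: The reorder changes which value wins when an event carries both `dhost` and `hostname`, and neither the commit message nor the line records why `dhost` now outranks `hostname`; a reader of this file later only sees PATCH 1/8 and 8/8 disagreeing. Add a short comment above the key, e.g. `# precedence is deliberate: remotename, then dhost, then hostname; change only with a fixture covering events that set several of them`, and pin the order with a constructed test event that sets both keys. The enclosing `- set:` stanza and `stages:` block lie outside the hunk.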