diff --git a/Mimecast/mimecast-email-security/_meta/fields.yml b/Mimecast/mimecast-email-security/_meta/fields.yml
index d28378aca..47c39d6ab 100644
--- a/Mimecast/mimecast-email-security/_meta/fields.yml
+++ b/Mimecast/mimecast-email-security/_meta/fields.yml
@@ -40,6 +40,11 @@ mimecast.siem.rejection.type:
   name: mimecast.siem.rejection.type
   type: keyword
 
+mimecast.siem.scan_results:
+  description: The reason that the click was blocked.
+  name: mimecast.siem.scan_results
+  type: keyword
+
 mimecast.siem.virus_found:
   description: The name of the virus found on the email, if applicable.
   name: mimecast.siem.virus_found
diff --git a/Mimecast/mimecast-email-security/_meta/smart-descriptions.json b/Mimecast/mimecast-email-security/_meta/smart-descriptions.json
index d3968018e..2198bf43e 100644
--- a/Mimecast/mimecast-email-security/_meta/smart-descriptions.json
+++ b/Mimecast/mimecast-email-security/_meta/smart-descriptions.json
@@ -1,7 +1,19 @@
 [
   {
     "value": "{mimecast.siem.rejection.info} for email from {email.from.address}",
-    "conditions": [{ "field": "mimecast.siem.rejection.info" }]
+    "conditions": [
+      { "field": "mimecast.siem.rejection.info" },
+      { "field": "email.from.address" }
+    ]
+  },
+  {
+    "value": "Protected {email.to.address} by {event.action} URL {url.original}",
+    "conditions": [
+      { "field": "event.dataset", "value": "url protect" },
+      { "field": "event.action" },
+      { "field": "email.to.address" },
+      { "field": "url.original" }
+    ]
   },
   {
     "value": "{event.action} {email.direction} email from {email.from.address} to {email.to.address}",
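Review bot: The description of the new `mimecast.siem.scan_results` field is narrower than what the commit actually stores in it: the parser maps it from `scanResults` for every event type, and the new test_internal_email_project.json fixture carries `Restricted File Type - Found executable extension: dll` in it, which is an attachment verdict rather than a blocked click. A description that covers the observed usage would be `description: The result of the scan that triggered the event (for example the reason a URL click or an attachment was blocked).` Analysts filtering on this keyword will otherwise expect only URL-protect reasons.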
@@ -26,5 +38,34 @@
       { "field": "event.action" },
       { "field": "email.from.address" }
     ]
+  },
+  {
+    "value": "Spam detected in email from {email.from.address} to {email.to.address}",
+    "conditions": [
+      { "field": "event.dataset", "value": "spam" },
+      { "field": "email.from.address" },
+      { "field": "email.to.address" }
+    ]
+  },
+  {
+    "value": "Attachment Protect triggered on file {email.attachments.file.name}",
+    "conditions": [
+      { "field": "event.dataset", "value": "attachment protect" },
+      { "field": "email.attachments.file.name" }
+    ]
+  },
+  {
+    "value": "AV detected {mimecast.siem.virus_found} in file {email.attachments.file.name} from {email.from.address}",
+    "conditions": [
+      { "field": "event.dataset", "value": "av" },
+      { "field": "mimecast.siem.virus_found" }
+    ]
+  },
+  {
+    "value": "{mimecast.siem.scan_results} on email from {email.from.address}",
+    "conditions": [
+      { "field": "mimecast.siem.scan_results" },
+      { "field": "email.from.address" }
+    ]
   }
 ]
diff --git a/Mimecast/mimecast-email-security/ingest/parser.yml b/Mimecast/mimecast-email-security/ingest/parser.yml
index 41d3d89de..d5f5cd38f 100644
--- a/Mimecast/mimecast-email-security/ingest/parser.yml
+++ b/Mimecast/mimecast-email-security/ingest/parser.yml
@@ -7,6 +7,16 @@ pipeline:
         input_field: "{{original.message}}"
         output_field: message
 
+  - name: parse_rejectioninfo
+    filter: '{{ "Url" in parse_event.message.rejectionInfo}}'
+    external:
+      name: kv.parse-kv
+      properties:
+        input_field: '{{parse_event.message.rejectionInfo.replace("[","").replace("]","")}}'
+        output_field: message
+        value_sep: ":"
+        item_sep: ","
+
   - name: set_ecs_fields
     stages:
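Review bot: The new "av" entry interpolates `{email.attachments.file.name}` and `{email.from.address}` but only conditions on `event.dataset` and `mimecast.siem.virus_found`, whereas every other entry added in this hunk lists each placeholder field as a condition. An AV event whose `fileName` or sender is absent would presumably render with empty or literal placeholders (how the renderer treats a missing field is not visible here). Adding `{ "field": "email.attachments.file.name" },` and `{ "field": "email.from.address" }` to that conditions array keeps the file consistent and lets a shorter entry take over for incomplete events.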
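Review bot: The `parse_rejectioninfo` stage strips every `[` and `]` from `rejectionInfo` and then splits items on `,`, so a URL that itself contains a comma or a bracket (both legal in query strings) is truncated or mangled before it reaches `url.original`, the field the new url-protect smart description and any URL-based detection would key on. The raw string is still kept in `mimecast.siem.rejection.info`, which is worth a comment above the stage, e.g. `# best-effort: brackets are stripped and items split on ","; URLs containing those characters are truncated — use mimecast.siem.rejection.info for the raw value`. Separately, the filter `'{{ "Url" in parse_event.message.rejectionInfo}}'` tests membership on a value that is `null` in the new test_delivery.json fixture; the fixture passing suggests the evaluator tolerates it, but `'{{ "Url" in (parse_event.message.get("rejectionInfo") or "") }}'` is explicit and matches the `.get(...)` style the other new filters use. The same filter is repeated verbatim on the `url.original` stage in the last hunk of this file.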
@@ -34,11 +44,7 @@ stages:
           source.ip: "{{parse_event.message.senderIp}}"
           email.message_id: "{{parse_event.message.messageId.lstrip('<').rstrip('>')}}"
-          email.to.address: ["{{parse_event.message.recipients}}"]
-          email.from.address:
-            [
-              "{{parse_event.message.senderEnvelope or parse_event.message.senderHeader}}",
-            ]
+          email.subject: "{{parse_event.message.subject}}"
           mimecast.siem.rejection.code: "{{parse_event.message.rejectionCode}}"
           mimecast.siem.rejection.info: "{{parse_event.message.rejectionInfo}}"
@@ -49,7 +55,21 @@ stages:
           mimecast.siem.delivered: "{{parse_event.message.delivered}}"
           mimecast.siem.delivery_errors: "{{parse_event.message.deliveryErrors}}"
+          mimecast.siem.scan_results: "{{parse_event.message.scanResults}}"
+          destination.ip: "{{parse_event.message.destinationIp}}"
+          url.original: "{{parse_event.message.url}}"
+
+      - set:
+          email.to.address: ["{{parse_event.message.recipients}}"]
+        filter: "{{parse_event.message.get('recipients') != None}}"
+
+      - set:
+          email.from.address:
+            [
+              "{{parse_event.message.senderEnvelope or parse_event.message.senderHeader}}",
+            ]
+        filter: "{{parse_event.message.get('senderEnvelope') != None or parse_event.message.get('senderHeader') != None}}"
       - set:
           email.attachments: >
@@ -58,3 +78,15 @@ stages:
              {"file": {"name": "{{ item.strip('" ') }}"}},
            {%- endfor -%}
          ]
+        filter: "{{parse_event.message.get('attachments') != None}}"
+
+      - set:
+          email.attachments: >
+            [
+              {"file": {"name": "{{ parse_event.message.fileName.strip('" ') }}"}},
+            ]
+        filter: "{{parse_event.message.get('fileName') != None}}"
+
+      - set:
+          url.original: "{{ parse_rejectioninfo.message.Url }}"
+        filter: '{{ "Url" in parse_event.message.rejectionInfo}}'
diff --git a/Mimecast/mimecast-email-security/tests/test_attachment_protect.json b/Mimecast/mimecast-email-security/tests/test_attachment_protect.json
new file mode 100644
index 000000000..b4a3345f7
--- /dev/null
+++ b/Mimecast/mimecast-email-security/tests/test_attachment_protect.json
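Review bot: The new `email.from.address` filter only guards against `null`, but the fixtures in this commit show Mimecast sending empty strings for absent values (`"messageId": ""` in test_impersonation_protect.json, test_receipt_urls.json and test_url_protect_blocked.json), so a record with `"senderEnvelope": ""` passes the filter and `{{ '' or senderHeader }}` produces `[""]` or a rendered `None` in the address list — the same class of placeholder value (`["null"]`) this commit removes from the test_process fixtures. Tightening the guard to `filter: "{{ (parse_event.message.get('senderEnvelope') or parse_event.message.get('senderHeader') or '') != '' }}"` and, for the recipients stage, `filter: "{{ (parse_event.message.get('recipients') or '') != '' }}"` keeps empty senders out of the field that the smart descriptions and any sender-based correlation rely on. This is hedged on how the template engine renders a `None` result, which the hunk does not show.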
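Review bot: The second `email.attachments` stage keyed on `fileName` runs after the one keyed on `attachments`, so a record carrying both keys has its attachment list silently replaced by the single `fileName` entry rather than extended; none of the new fixtures exercises that combination, so it is untested. Guarding the second stage with `filter: "{{parse_event.message.get('fileName') != None and parse_event.message.get('attachments') == None}}"` makes the precedence explicit. Relatedly, the new attachment-protect and av fixtures carry `md5`, `sha1` and `sha256` for the file, but nothing in this hunk maps them, so `email.attachments.file.hash.*` stays empty on exactly the events where an analyst would pivot on a hash; consider carrying them in the `fileName` stage when present.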
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"fileExtension\": \"xlsm\", \"subType\": null, \"eventType\": \"attachment protect\", \"timestamp\": 1689692409135, \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"fileExtension\": \"xlsm\", \"subType\": null, \"eventType\": \"attachment protect\", \"timestamp\": 1689692409135, \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}", + "event": { + "category": [ + "email" + ], + "dataset": "attachment protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-18T15:00:09.135000Z", + "email": { + "attachments": [ + { + "file": { + "name": "tpsreport.docx" + } + } + ] + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId" + } + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_av_logs.json b/Mimecast/mimecast-email-security/tests/test_av_logs.json new file mode 100644 index 000000000..0ffb637ed --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_av_logs.json 
@@ -0,0 +1,56 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"subject\": \"siem_av - email subject line\", \"senderEnvelope\": \"auser@mimecast.com\", \"messageId\": \"messageId\", \"senderDomainInternal\": \"true\", \"eventType\": \"av\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"virusFound\": \"bad.virus.found\", \"route\": \"Inbound\", \"recipients\": \"auser@mimecast.com\", \"fileExtension\": \"docx\", \"subType\": null, \"senderIp\": \"123.123.123.123\", \"senderDomain\": \"mimecast.com\", \"timestamp\": 1689685338586, \"emailSize\": \"1648832\", \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"subject\": \"siem_av - email subject line\", \"senderEnvelope\": \"auser@mimecast.com\", \"messageId\": \"messageId\", \"senderDomainInternal\": \"true\", \"eventType\": \"av\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"virusFound\": \"bad.virus.found\", \"route\": \"Inbound\", \"recipients\": \"auser@mimecast.com\", \"fileExtension\": \"docx\", \"subType\": null, \"senderIp\": \"123.123.123.123\", \"senderDomain\": \"mimecast.com\", \"timestamp\": 1689685338586, \"emailSize\": \"1648832\", \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}", + "event": { + "category": [ + "email" + ], + "dataset": "av", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-18T13:02:18.586000Z", + "email": { + "attachments": [ + { + "file": { + "name": "tpsreport.docx" + } + } + ], + "from": { + "address": [ + "auser@mimecast.com" + ] + }, + "message_id": "messageId", + "subject": "siem_av - 
email subject line", + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId", + "virus_found": "bad.virus.found" + } + }, + "related": { + "ip": [ + "123.123.123.123" + ] + }, + "source": { + "address": "123.123.123.123", + "ip": "123.123.123.123" + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_delivery.json b/Mimecast/mimecast-email-security/tests/test_delivery.json new file mode 100644 index 000000000..2475bff2d --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_delivery.json 
@@ -0,0 +1,50 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731187649343, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"delivered\": \"true\", \"destinationIp\": \"5.6.7.8\", \"Hostname\": \"mail-111111111.inbound.protection.outlook.com\", \"numberAttachments\": \"0\", \"direction\": \"Inbound\", \"totalSizeAttachments\": \"0\", \"deliveryAttempts\": \"1\", \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"emailSize\": \"30126\", \"tlsUsed\": \"Yes\", \"route\": \"Office 365 Inbound Routing Policy Definition\", \"deliveryErrors\": null, \"rejectionType\": null, \"rejectionCode\": null, \"rejectionInfo\": null, \"deliveryTime\": \"5333\", \"type\": \"delivery\", \"subtype\": \"true\", \"_offset\": 1069263, \"_partition\": 66}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731187649343, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"delivered\": \"true\", \"destinationIp\": \"5.6.7.8\", \"Hostname\": \"mail-111111111.inbound.protection.outlook.com\", \"numberAttachments\": \"0\", \"direction\": \"Inbound\", \"totalSizeAttachments\": \"0\", \"deliveryAttempts\": \"1\", \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"emailSize\": \"30126\", \"tlsUsed\": \"Yes\", \"route\": \"Office 365 Inbound Routing Policy Definition\", \"deliveryErrors\": null, \"rejectionType\": null, \"rejectionCode\": null, \"rejectionInfo\": null, \"deliveryTime\": \"5333\", \"type\": \"delivery\", \"subtype\": \"true\", \"_offset\": 1069263, 
\"_partition\": 66}", + "event": { + "category": [ + "email" + ], + "dataset": "delivery", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-09T21:27:29.343000Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "email": { + "direction": "Inbound", + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "message_id": "11111111111111111111111111111111111111@mail.gmail.com", + "subject": "My little subject", + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "delivered": true, + "processing_id": "processingId" + } + }, + "related": { + "ip": [ + "5.6.7.8" + ] + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_impersonation_protect.json b/Mimecast/mimecast-email-security/tests/test_impersonation_protect.json new file mode 100644 index 000000000..2485acafd --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_impersonation_protect.json 
@@ -0,0 +1,48 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"taggedMalicious\": \"false\", \"subject\": \"siem_impersonation - email subject line\", \"internalUserName\": \"false\", \"senderEnvelope\": \"auser@mimecast.com\", \"policyDefinition\": \"Default Impersonation Definition\", \"newDomain\": \"false\", \"customThreatDictionary\": \"false\", \"action\": \"Hold\", \"senderIp\": \"123.123.123.123\", \"timestamp\": 1689685338545, \"similarInternalDomain\": \"false\", \"messageId\": \"\", \"eventType\": \"impersonation protect\", \"itemsDetected\": \"1\", \"mimecastThreatDictionary\": \"false\", \"accountId\": \"C0A0\", \"customNameMatch\": \"false\", \"route\": \"Inbound\", \"similarMimecastExternalDomain\": \"false\", \"recipients\": \"auser@mimecast.com\", \"similarCustomExternalDomain\": \"false\", \"subType\": \"Hold\", \"taggedExternal\": \"false\", \"replyMismatch\": \"false\"}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"taggedMalicious\": \"false\", \"subject\": \"siem_impersonation - email subject line\", \"internalUserName\": \"false\", \"senderEnvelope\": \"auser@mimecast.com\", \"policyDefinition\": \"Default Impersonation Definition\", \"newDomain\": \"false\", \"customThreatDictionary\": \"false\", \"action\": \"Hold\", \"senderIp\": \"123.123.123.123\", \"timestamp\": 1689685338545, \"similarInternalDomain\": \"false\", \"messageId\": \"\", \"eventType\": \"impersonation protect\", \"itemsDetected\": \"1\", \"mimecastThreatDictionary\": \"false\", \"accountId\": \"C0A0\", \"customNameMatch\": \"false\", \"route\": \"Inbound\", \"similarMimecastExternalDomain\": \"false\", \"recipients\": \"auser@mimecast.com\", \"similarCustomExternalDomain\": \"false\", \"subType\": \"Hold\", \"taggedExternal\": \"false\", \"replyMismatch\": \"false\"}", + "event": { + "action": "Hold", + "category": [ + "email" + ], + "dataset": 
"impersonation protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-18T13:02:18.545000Z", + "email": { + "from": { + "address": [ + "auser@mimecast.com" + ] + }, + "subject": "siem_impersonation - email subject line", + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId" + } + }, + "related": { + "ip": [ + "123.123.123.123" + ] + }, + "source": { + "address": "123.123.123.123", + "ip": "123.123.123.123" + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_internal_email_project.json b/Mimecast/mimecast-email-security/tests/test_internal_email_project.json new file mode 100644 index 000000000..c96b751bd --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_internal_email_project.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1730905847558, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My dangerous email\", \"recipients\": \"jane.doe@example.com\", \"urlCategory\": \"Dangerous file extension\", \"scanResults\": \"Restricted File Type - Found executable extension: dll\", \"route\": \"Internal\", \"monitoredDomainSource\": null, \"similarDomain\": null, \"type\": \"internal email protect\", \"subtype\": null, \"_offset\": 994904, \"_partition\": 66}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1730905847558, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My dangerous email\", \"recipients\": \"jane.doe@example.com\", \"urlCategory\": \"Dangerous file extension\", \"scanResults\": \"Restricted File Type - Found executable extension: dll\", \"route\": \"Internal\", \"monitoredDomainSource\": null, \"similarDomain\": null, \"type\": \"internal email protect\", \"subtype\": null, \"_offset\": 994904, \"_partition\": 66}", + "event": { + "category": [ + "email" + ], + "dataset": "internal email protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-06T15:10:47.558000Z", + "email": { + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "message_id": "11111111111111111111111111111111111111@mail.gmail.com", + "subject": "My dangerous email", + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId", + "scan_results": "Restricted File Type - Found executable extension: dll" + } + } + } +} \ No newline at end of file 
diff --git a/Mimecast/mimecast-email-security/tests/test_process.json b/Mimecast/mimecast-email-security/tests/test_process.json index 52a887bae..3eb706d80 100644 --- a/Mimecast/mimecast-email-security/tests/test_process.json +++ b/Mimecast/mimecast-email-security/tests/test_process.json @@ -23,11 +23,7 @@ ] }, "message_id": "CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAEirX4MRZRJX+esw@mail.gmail.com", - "to": { - "address": [ - "null" - ] - } + "subject": "Moderate" }, "mimecast": { "siem": { diff --git a/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json b/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json index b48c8cb61..f74ef7ef2 100644 --- a/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json +++ b/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json @@ -30,11 +30,7 @@ ] }, "message_id": "messageId", - "to": { - "address": [ - "null" - ] - } + "subject": "siem_process - email subject line" }, "mimecast": { "siem": { diff --git a/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json b/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json index 4d335bb96..164fe08cd 100644 --- a/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json +++ b/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json @@ -100,11 +100,7 @@ ] }, "message_id": "1@mail.gmail.com", - "to": { - "address": [ - "null" - ] - } + "subject": "TEST SEKOIA" }, "mimecast": { "siem": { diff --git a/Mimecast/mimecast-email-security/tests/test_receipt.json b/Mimecast/mimecast-email-security/tests/test_receipt.json index 8f81db770..78635f69e 100644 --- a/Mimecast/mimecast-email-security/tests/test_receipt.json +++ b/Mimecast/mimecast-email-security/tests/test_receipt.json 
@@ -24,6 +24,7 @@ ] }, "message_id": "CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAAarX4MRZRJX+esw@mail.gmail.com", + "subject": "Moderate", "to": { "address": [ "admin@mcfr2.pro" diff --git a/Mimecast/mimecast-email-security/tests/test_receipt_urls.json b/Mimecast/mimecast-email-security/tests/test_receipt_urls.json new file mode 100644 index 000000000..5fa8633c7 --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_receipt_urls.json 
@@ -0,0 +1,64 @@ +{ + "input": { + "message": "{\"aggregateId\":\"YvXi4vUANvSwDaBxkq6SYA\",\"processingId\":\"RMkDQFp7L5gGaZ5jnsGVW4zLmvTVvWVb0lQeO9EBDRo_1736242544\",\"accountId\":\"CDE22A102\",\"timestamp\":1736242547621,\"action\":\"Rej\",\"senderEnvelope\":\"john.doe@gmail.com\",\"messageId\":\"\",\"subject\":\"Rejected email with URL\",\"recipients\":\"admin@mcfr.pro\",\"senderIp\":\"209.85.216.51\",\"rejectionType\":\"Malicious QRCode Detection\",\"rejectionCode\":\"554\",\"direction\":\"Inbound\",\"numberAttachments\":\"2\",\"senderHeader\":\"john.doe@gmail.com\",\"rejectionInfo\":\"[Type: [Phishing & Fraud],Url: [https://assistance-mon-espace.com/pages/billing.php],UrlBlock: [ORIGINAL:https://assistance-mon-espace.com/pages/billin]\",\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"virusFound\":null,\"spamScore\":null,\"spamDetectionLevel\":null,\"receiptErrors\":\"Malicious QRCode detected in email: UrlReputationScan\",\"type\":\"receipt\",\"subtype\":\"Rej\",\"_offset\":293625,\"_partition\":137}" + }, + "expected": { + "message": "{\"aggregateId\":\"YvXi4vUANvSwDaBxkq6SYA\",\"processingId\":\"RMkDQFp7L5gGaZ5jnsGVW4zLmvTVvWVb0lQeO9EBDRo_1736242544\",\"accountId\":\"CDE22A102\",\"timestamp\":1736242547621,\"action\":\"Rej\",\"senderEnvelope\":\"john.doe@gmail.com\",\"messageId\":\"\",\"subject\":\"Rejected email with URL\",\"recipients\":\"admin@mcfr.pro\",\"senderIp\":\"209.85.216.51\",\"rejectionType\":\"Malicious QRCode Detection\",\"rejectionCode\":\"554\",\"direction\":\"Inbound\",\"numberAttachments\":\"2\",\"senderHeader\":\"john.doe@gmail.com\",\"rejectionInfo\":\"[Type: [Phishing & Fraud],Url: [https://assistance-mon-espace.com/pages/billing.php],UrlBlock: 
[ORIGINAL:https://assistance-mon-espace.com/pages/billin]\",\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"virusFound\":null,\"spamScore\":null,\"spamDetectionLevel\":null,\"receiptErrors\":\"Malicious QRCode detected in email: UrlReputationScan\",\"type\":\"receipt\",\"subtype\":\"Rej\",\"_offset\":293625,\"_partition\":137}", + "event": { + "action": "Rej", + "category": [ + "email" + ], + "dataset": "receipt", + "provider": "Mimecast", + "type": [ + "denied" + ] + }, + "@timestamp": "2025-01-07T09:35:47.621000Z", + "email": { + "direction": "Inbound", + "from": { + "address": [ + "john.doe@gmail.com" + ] + }, + "message_id": "CAF7=BmAn9O711xhrO3-CQqJ6YmAfitXyk+5Kd9Xixc5cBmy48g@mail.gmail.com", + "subject": "Rejected email with URL", + "to": { + "address": [ + "admin@mcfr.pro" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "YvXi4vUANvSwDaBxkq6SYA", + "processing_id": "RMkDQFp7L5gGaZ5jnsGVW4zLmvTVvWVb0lQeO9EBDRo_1736242544", + "rejection": { + "code": 554, + "info": "[Type: [Phishing & Fraud],Url: [https://assistance-mon-espace.com/pages/billing.php],UrlBlock: [ORIGINAL:https://assistance-mon-espace.com/pages/billin]", + "type": "Malicious QRCode Detection" + } + } + }, + "related": { + "ip": [ + "209.85.216.51" + ] + }, + "source": { + "address": "209.85.216.51", + "ip": "209.85.216.51" + }, + "url": { + "domain": "assistance-mon-espace.com", + "original": "https://assistance-mon-espace.com/pages/billing.php", + "path": "/pages/billing.php", + "port": 443, + "registered_domain": "assistance-mon-espace.com", + "scheme": "https", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_spam.json b/Mimecast/mimecast-email-security/tests/test_spam.json new file mode 100644 index 000000000..52a756602 --- /dev/null 
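Review bot: The expected `email.message_id` (`CAF7=BmAn9O711xhrO3-CQqJ6YmAfitXyk+5Kd9Xixc5cBmy48g@mail.gmail.com`) cannot be produced from this fixture's input, whose `messageId` is the empty string, since the parser derives `email.message_id` only from `messageId` with the angle brackets stripped. This looks like an anonymisation leftover: the input was scrubbed but the expected block was not regenerated. test_url_protect_blocked.json has the same mismatch (empty `messageId`, populated expected `message_id`). Either drop `"message_id"` from the expected block, as test_impersonation_protect.json does for an empty `messageId`, or put a placeholder id back into the input; otherwise the value the assertion checks is not derived from the parser under test.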
+++ b/Mimecast/mimecast-email-security/tests/test_spam.json @@ -0,0 +1,48 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731193597481, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"senderIp\": \"1.2.3.4\", \"senderDomain\": \"example.org\", \"route\": \"Inbound\", \"senderHeader\": \"john.doe@example.org\", \"type\": \"spam\", \"subtype\": null, \"_offset\": 1069434, \"_partition\": 66}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731193597481, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"senderIp\": \"1.2.3.4\", \"senderDomain\": \"example.org\", \"route\": \"Inbound\", \"senderHeader\": \"john.doe@example.org\", \"type\": \"spam\", \"subtype\": null, \"_offset\": 1069434, \"_partition\": 66}", + "event": { + "category": [ + "email" + ], + "dataset": "spam", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-09T23:06:37.481000Z", + "email": { + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "message_id": "11111111111111111111111111111111111111@mail.gmail.com", + "subject": "My little subject", + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file 
diff --git a/Mimecast/mimecast-email-security/tests/test_url_protect_blocked.json b/Mimecast/mimecast-email-security/tests/test_url_protect_blocked.json new file mode 100644 index 000000000..3b4bba2c5 --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_url_protect_blocked.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"processingId\": \"req-aa8ae4a3334b30fbb07bbb9c2fb69048_1715766931\", \"aggregateId\": \"Y12X0yjKNr6A6yhIH48Wkw_1715766931\", \"timestamp\": 1715767102752, \"accountId\": \"CDE22A102\", \"urlCategory\": \"Phishing & Fraud\", \"action\": \"Block\", \"url\": \"http://www.mimcast.com\", \"subject\": \"TEST URL\", \"sourceIp\": \"209.123.123.123\", \"senderDomain\": \"gmail.com\", \"senderEnvelope\": \"jeanne@gmail.com\", \"route\": \"inbound\", \"recipients\": \"john@mcfr2.pro\", \"blockReason\": \"malicious\", \"messageId\": \"\", \"analysis\": \"{\\\"CredentialTheftEvidence\\\":[\\\"The website uses an unencrypted connection\\\"],\\\"CredentialTheftTags\\\":[\\\"NO_CERTIFICATE\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\"]}\", \"type\": \"url protect\", \"subtype\": \"Block\", \"_offset\": 106007, \"_partition\": 137}" + }, + "expected": { + "message": "{\"processingId\": \"req-aa8ae4a3334b30fbb07bbb9c2fb69048_1715766931\", \"aggregateId\": \"Y12X0yjKNr6A6yhIH48Wkw_1715766931\", \"timestamp\": 1715767102752, \"accountId\": \"CDE22A102\", \"urlCategory\": \"Phishing & Fraud\", \"action\": \"Block\", \"url\": \"http://www.mimcast.com\", \"subject\": \"TEST URL\", \"sourceIp\": \"209.123.123.123\", \"senderDomain\": \"gmail.com\", \"senderEnvelope\": \"jeanne@gmail.com\", \"route\": \"inbound\", \"recipients\": \"john@mcfr2.pro\", \"blockReason\": \"malicious\", \"messageId\": \"\", \"analysis\": \"{\\\"CredentialTheftEvidence\\\":[\\\"The website uses an unencrypted connection\\\"],\\\"CredentialTheftTags\\\":[\\\"NO_CERTIFICATE\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\"]}\", \"type\": \"url protect\", \"subtype\": \"Block\", \"_offset\": 106007, \"_partition\": 137}", + "event": { + "action": "Block", + "category": [ + "email" + ], + "dataset": "url protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": 
"2024-05-15T09:58:22.752000Z", + "email": { + "from": { + "address": [ + "jeanne@gmail.com" + ] + }, + "message_id": "CAF7=BmDfJHJO0j34Y9F6pY2C5MEEq9SLVizm7R+JGwJ2OPtoGw@mail.gmail.com", + "subject": "TEST URL", + "to": { + "address": [ + "john@mcfr2.pro" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "Y12X0yjKNr6A6yhIH48Wkw_1715766931", + "processing_id": "req-aa8ae4a3334b30fbb07bbb9c2fb69048_1715766931" + } + }, + "url": { + "domain": "www.mimcast.com", + "original": "http://www.mimcast.com", + "port": 80, + "registered_domain": "mimcast.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/_meta/smart-descriptions.json b/Netskope/netskope_events/_meta/smart-descriptions.json index bdc92b317..44a72bd68 100644 --- a/Netskope/netskope_events/_meta/smart-descriptions.json +++ b/Netskope/netskope_events/_meta/smart-descriptions.json @@ -214,5 +214,26 @@ "field": "netskope.dlp.policy" } ] + }, + { + "value": "DLP incident detected on {source.ip}: {user.name} attempted to {event.action} file {file.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "dlp_incident" + }, + { + "field": "event.action" + }, + { + "field": "source.ip" + }, + { + "field": "user.name" + }, + { + "field": "file.name" + } + ] } ] diff --git a/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json b/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json new file mode 100644 index 000000000..4e00cda31 --- /dev/null +++ b/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json 
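Review bot: The new Netskope description `{user.name} attempted to {event.action} file {file.name}` uses `event.action` as the verb, but in the accompanying test_dlp_incident_wo_policy.json input the `action` value is `useralert` while the user's operation is in `activity` (`Download`); if `event.action` is mapped from `action`, the sentence renders as "attempted to useralert file …". The expected block of that fixture is outside this view, so this is inferred; if a separate field holds the activity, it would read better as the verb, with `{event.action}` reported as the verdict, e.g. `DLP incident on {source.ip}: {user.name} {event.action} for file {file.name}`.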
@@ -0,0 +1,134 @@ +{ + "input": { + "message": "{\"_id\": \"11fc1dee8256ff3645f6d25f0\", \"access_method\": \"Client\", \"action\": \"useralert\", \"activity\": \"Download\", \"alert\": \"yes\", \"alert_type\": \"DLP\", \"app\": \"LinkedIn\", \"app_session_id\": 1111111111111111111, \"appcategory\": \"Professional Networking\", \"appsuite\": \"Linkedin App\", \"browser\": \"Chrome\", \"browser_session_id\": 222222222222222, \"browser_version\": \"131.0.0.0\", \"category\": \"Professional Networking\", \"cci\": 68, \"ccl\": \"medium\", \"connection_id\": 3333333333333, \"count\": 1, \"device\": \"Windows Device\", \"device_classification\": \"unmanaged\", \"dlp_file\": \"HighRes_QRCode_3.png\", \"dlp_incident_id\": 44444444444444, \"dlp_is_unique_count\": \"false\", \"dlp_parent_id\": 44444444444444, \"dlp_profile\": \"ML-TYOC-QRCode\", \"dlp_rule\": \"QRCode\", \"dlp_rule_count\": 0, \"dlp_rule_severity\": \"Medium\", \"dst_country\": \"US\", \"dst_latitude\": 37.775699615478516, \"dst_location\": \"San Francisco\", \"dst_longitude\": -122.39520263671875, \"dst_region\": \"California\", \"dst_timezone\": \"America/Los_Angeles\", \"dst_zipcode\": \"N/A\", \"dstip\": \"9.10.11.12\", \"dstport\": 443, \"file_lang\": \"Unknown\", \"file_size\": 1908, \"file_type\": \"image/png\", \"from_user\": \"john.doe@gmail.com\", \"hostname\": \"EXAMPLE1\", \"managed_app\": \"no\", \"md5\": \"eb430691fe30d16070b5a144c3d3303c\", \"netskope_pop\": \"FR-PAR2\", \"object\": \"HighRes_QRCode_3.png\", \"object_type\": \"File\", \"organization_unit\": \"\", \"os\": \"Windows 11\", \"os_version\": \"Windows NT 11.0\", \"other_categories\": [\"All Internet\", \"Professional Networking\"], \"page\": \"www.linkedin.com\", \"page_site\": \"Linkedin\", \"policy\": \"Coach user QRCode in Social Media and IM\", \"policy_id\": \"981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594\", \"protocol\": \"HTTPS/1.1\", \"referer\": \"https://www.linkedin.com/feed/\", \"request_id\": 
2994008614773293824, \"scan_type\": \"\", \"severity\": \"unknown\", \"sha256\": \"d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6\", \"site\": \"Linkedin\", \"src_country\": \"FR\", \"src_latitude\": 48.9247, \"src_location\": \"La Courneuve\", \"src_longitude\": 2.3975, \"src_region\": \"\\u00cele-de-France\", \"src_time\": \"Wed Dec 11 15:06:00 2024\", \"src_timezone\": \"Europe/Paris\", \"src_zipcode\": \"93120\", \"srcip\": \"5.6.7.8\", \"timestamp\": 1733925987, \"traffic_type\": \"CloudApp\", \"transaction_id\": 555555555555555, \"true_obj_category\": \"Image (Raster)\", \"true_obj_type\": \"Portable Network Graphics (PNG)\", \"tss_mode\": \"inline\", \"type\": \"nspolicy\", \"ur_normalized\": \"johndoe@example.com\", \"url\": \"www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123\", \"user\": \"johndoe@example.com\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\", \"userip\": \"1.2.3.4\", \"userkey\": \"johndoe@example.com\", \"ext_labels\": [], \"dlp_fail_reason\": \"\", \"workspace\": \"\", \"instance_id\": \"\", \"tss_scan_failed\": \"\", \"dlp_unique_count\": 0, \"dlp_mail_parent_id\": \"\", \"notify_template\": \"\", \"tss_fail_reason\": \"\", \"channel_id\": \"\", \"mime_type\": \"\", \"resp_cnt\": 0, \"file_path\": \"\", \"orignal_file_path\": \"\", \"suppression_end_time\": 0, \"log_file_name\": \"\", \"modified\": 0, \"user_category\": \"\", \"CononicalName\": \"\", \"suppression_key\": \"\", \"web_universal_connector\": \"\", \"owner\": \"\", \"ja3\": \"\", \"dsthost\": \"\", \"data_type\": \"\", \"loginurl\": \"\", \"workspace_id\": \"\", \"managementID\": \"\", \"telemetry_app\": \"\", \"user_confidence_index\": 0, \"parent_id\": \"\", \"ja3s\": \"\", \"userPrincipalName\": \"\", \"smtp_to\": [], \"justification_reason\": \"\", \"app_activity\": \"\", \"sanctioned_instance\": \"\", \"user_id\": \"\", 
\"title\": \"\", \"audit_category\": \"\", \"internal_collaborator_count\": 0, \"shared_with\": \"\", \"dst_geoip_src\": 0, \"serial\": \"\", \"numbytes\": 0, \"sAMAccountName\": \"\", \"dlp_scan_failed\": \"\", \"server_bytes\": 0, \"sessionid\": \"\", \"to_user\": \"\", \"src_geoip_src\": 0, \"total_collaborator_count\": 0, \"custom_attr\": {}, \"logintype\": \"\", \"instance\": \"\", \"fromlogs\": \"\", \"retro_scan_name\": \"\", \"justification_type\": \"\", \"from_user_category\": \"\", \"data_center\": \"\", \"custom_connector\": \"\", \"audit_type\": \"\", \"suppression_start_time\": 0, \"req_cnt\": 0, \"exposure\": \"\", \"object_id\": \"\", \"conn_duration\": 0, \"nsdeviceuid\": \"\", \"universal_connector\": \"\", \"org\": \"\", \"netskope_activity\": \"\", \"client_bytes\": 0}" + }, + "expected": { + "message": "{\"_id\": \"11fc1dee8256ff3645f6d25f0\", \"access_method\": \"Client\", \"action\": \"useralert\", \"activity\": \"Download\", \"alert\": \"yes\", \"alert_type\": \"DLP\", \"app\": \"LinkedIn\", \"app_session_id\": 1111111111111111111, \"appcategory\": \"Professional Networking\", \"appsuite\": \"Linkedin App\", \"browser\": \"Chrome\", \"browser_session_id\": 222222222222222, \"browser_version\": \"131.0.0.0\", \"category\": \"Professional Networking\", \"cci\": 68, \"ccl\": \"medium\", \"connection_id\": 3333333333333, \"count\": 1, \"device\": \"Windows Device\", \"device_classification\": \"unmanaged\", \"dlp_file\": \"HighRes_QRCode_3.png\", \"dlp_incident_id\": 44444444444444, \"dlp_is_unique_count\": \"false\", \"dlp_parent_id\": 44444444444444, \"dlp_profile\": \"ML-TYOC-QRCode\", \"dlp_rule\": \"QRCode\", \"dlp_rule_count\": 0, \"dlp_rule_severity\": \"Medium\", \"dst_country\": \"US\", \"dst_latitude\": 37.775699615478516, \"dst_location\": \"San Francisco\", \"dst_longitude\": -122.39520263671875, \"dst_region\": \"California\", \"dst_timezone\": \"America/Los_Angeles\", \"dst_zipcode\": \"N/A\", \"dstip\": \"9.10.11.12\", \"dstport\": 
443, \"file_lang\": \"Unknown\", \"file_size\": 1908, \"file_type\": \"image/png\", \"from_user\": \"john.doe@gmail.com\", \"hostname\": \"EXAMPLE1\", \"managed_app\": \"no\", \"md5\": \"eb430691fe30d16070b5a144c3d3303c\", \"netskope_pop\": \"FR-PAR2\", \"object\": \"HighRes_QRCode_3.png\", \"object_type\": \"File\", \"organization_unit\": \"\", \"os\": \"Windows 11\", \"os_version\": \"Windows NT 11.0\", \"other_categories\": [\"All Internet\", \"Professional Networking\"], \"page\": \"www.linkedin.com\", \"page_site\": \"Linkedin\", \"policy\": \"Coach user QRCode in Social Media and IM\", \"policy_id\": \"981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594\", \"protocol\": \"HTTPS/1.1\", \"referer\": \"https://www.linkedin.com/feed/\", \"request_id\": 2994008614773293824, \"scan_type\": \"\", \"severity\": \"unknown\", \"sha256\": \"d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6\", \"site\": \"Linkedin\", \"src_country\": \"FR\", \"src_latitude\": 48.9247, \"src_location\": \"La Courneuve\", \"src_longitude\": 2.3975, \"src_region\": \"\\u00cele-de-France\", \"src_time\": \"Wed Dec 11 15:06:00 2024\", \"src_timezone\": \"Europe/Paris\", \"src_zipcode\": \"93120\", \"srcip\": \"5.6.7.8\", \"timestamp\": 1733925987, \"traffic_type\": \"CloudApp\", \"transaction_id\": 555555555555555, \"true_obj_category\": \"Image (Raster)\", \"true_obj_type\": \"Portable Network Graphics (PNG)\", \"tss_mode\": \"inline\", \"type\": \"nspolicy\", \"ur_normalized\": \"johndoe@example.com\", \"url\": \"www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123\", \"user\": \"johndoe@example.com\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\", \"userip\": \"1.2.3.4\", \"userkey\": \"johndoe@example.com\", \"ext_labels\": [], \"dlp_fail_reason\": \"\", \"workspace\": \"\", \"instance_id\": \"\", \"tss_scan_failed\": \"\", 
\"dlp_unique_count\": 0, \"dlp_mail_parent_id\": \"\", \"notify_template\": \"\", \"tss_fail_reason\": \"\", \"channel_id\": \"\", \"mime_type\": \"\", \"resp_cnt\": 0, \"file_path\": \"\", \"orignal_file_path\": \"\", \"suppression_end_time\": 0, \"log_file_name\": \"\", \"modified\": 0, \"user_category\": \"\", \"CononicalName\": \"\", \"suppression_key\": \"\", \"web_universal_connector\": \"\", \"owner\": \"\", \"ja3\": \"\", \"dsthost\": \"\", \"data_type\": \"\", \"loginurl\": \"\", \"workspace_id\": \"\", \"managementID\": \"\", \"telemetry_app\": \"\", \"user_confidence_index\": 0, \"parent_id\": \"\", \"ja3s\": \"\", \"userPrincipalName\": \"\", \"smtp_to\": [], \"justification_reason\": \"\", \"app_activity\": \"\", \"sanctioned_instance\": \"\", \"user_id\": \"\", \"title\": \"\", \"audit_category\": \"\", \"internal_collaborator_count\": 0, \"shared_with\": \"\", \"dst_geoip_src\": 0, \"serial\": \"\", \"numbytes\": 0, \"sAMAccountName\": \"\", \"dlp_scan_failed\": \"\", \"server_bytes\": 0, \"sessionid\": \"\", \"to_user\": \"\", \"src_geoip_src\": 0, \"total_collaborator_count\": 0, \"custom_attr\": {}, \"logintype\": \"\", \"instance\": \"\", \"fromlogs\": \"\", \"retro_scan_name\": \"\", \"justification_type\": \"\", \"from_user_category\": \"\", \"data_center\": \"\", \"custom_connector\": \"\", \"audit_type\": \"\", \"suppression_start_time\": 0, \"req_cnt\": 0, \"exposure\": \"\", \"object_id\": \"\", \"conn_duration\": 0, \"nsdeviceuid\": \"\", \"universal_connector\": \"\", \"org\": \"\", \"netskope_activity\": \"\", \"client_bytes\": 0}", + "event": { + "action": "Download", + "category": [ + "file" + ], + "dataset": "dlp_incident", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-11T14:06:27Z", + "action": { + "name": "useralert" + }, + "destination": { + "address": "9.10.11.12", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 
37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "9.10.11.12" + }, + "file": { + "hash": { + "md5": "eb430691fe30d16070b5a144c3d3303c", + "sha256": "d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6" + }, + "mime_type": "image/png", + "name": "HighRes_QRCode_3.png", + "size": 1908 + }, + "host": { + "name": "EXAMPLE1", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "http": { + "request": { + "referrer": "https://www.linkedin.com/feed/" + } + }, + "netskope": { + "alerts": { + "type": "DLP" + }, + "dlp": { + "incident": { + "id": "44444444444444" + } + }, + "events": { + "access_method": "Client", + "application": { + "category": "Professional Networking", + "name": "LinkedIn", + "suite": "Linkedin App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6", + "eb430691fe30d16070b5a144c3d3303c" + ], + "ip": [ + "5.6.7.8", + "9.10.11.12" + ], + "user": [ + "johndoe" + ] + }, + "rule": { + "id": "981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594", + "name": "Coach user QRCode in Social Media and IM" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "La Courneuve", + "country_iso_code": "FR", + "location": { + "lat": 48.9247, + "lon": 2.3975 + }, + "postal_code": "93120", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123", + "path": "www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123" + }, + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + 
}, + "user_agent": { + "name": "Chrome", + "version": "131.0.0.0" + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml index 36e8acf65..f31575843 100644 --- a/SentinelOne/identity/_meta/fields.yml +++ b/SentinelOne/identity/_meta/fields.yml @@ -1,3 +1,13 @@ +sentinelone.identity.analystVerdict: + description: '' + name: sentinelone.identity.analystVerdict + type: keyword + +sentinelone.identity.analyticsCategory: + description: '' + name: sentinelone.identity.analyticsCategory + type: keyword + sentinelone.identity.attackSurfaces: description: '' name: sentinelone.identity.attackSurfaces @@ -28,6 +38,16 @@ sentinelone.identity.result: name: sentinelone.identity.result type: keyword +sentinelone.identity.siteId: + description: '' + name: sentinelone.identity.siteId + type: keyword + +sentinelone.identity.siteName: + description: '' + name: sentinelone.identity.siteName + type: keyword + sentinelone.identity.status: description: '' name: sentinelone.identity.status diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml index 90577404d..38cf9fddf 100644 --- a/SentinelOne/identity/ingest/parser.yml +++ b/SentinelOne/identity/ingest/parser.yml @@ -57,6 +57,11 @@ stages: process.hash.sha256: "{{json_event.message.process.file.sha256}}" process.hash.md5: "{{json_event.message.process.file.md5}}" + agent.id: "{{json_event.message.asset.agentUuid}}" + agent.version: "{{json_event.message.asset.agentVersion}}" + host.os.family: "{{json_event.message.asset.osType}}" + host.os.version: "{{json_event.message.asset.osVersion}}" + sentinelone.identity.id: "{{json_event.message.id}}" sentinelone.identity.name: "{{json_event.message.name}}" sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}" 
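Review bot: The expected block leaves `userip` (`1.2.3.4`) and `from_user` (`john.doe@gmail.com`) unmapped, so `related.ip` holds only the proxy-side `srcip`/`dstip` and the user-endpoint address an analyst would pivot on is not searchable; if the parser is meant to map them this fixture should assert it, otherwise a short parser comment that they are intentionally dropped would help. The file name says `wo_policy`, yet the input carries `policy: "Coach user QRCode in Social Media and IM"` and the expected maps it to `rule.name`; presumably "without policy" refers to the absent `netskope.dlp.policy` key used by the earlier smart-description condition, which deserves stating in the fixture name or a README so the distinction is not lost.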
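Review bot: All four new fields (`sentinelone.identity.analystVerdict`, `analyticsCategory`, `siteId`, `siteName`), in both hunks of fields.yml, ship with `description: ''`, so the field catalogue gives analysts nothing to go on for values such as `UNDEFINED` or `ADSecure-DC` seen in the fixtures. Proposed wording, to be checked against the vendor schema: `description: 'Verdict set by the analyst on the alert (e.g. UNDEFINED)'` and `description: 'Category of the SentinelOne analytic that raised the alert'`, with the site fields described as the identifier and name of the SentinelOne site that owns the asset.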
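Review bot: `host.os.family` is set straight from `asset.osType`, and both new fixtures show the vendor sending the literal `UNKNOWN`, so `host.os.family: "UNKNOWN"` lands in an ECS field where a real family (`windows`, `linux`) is expected and will pollute OS aggregations and any rule that filters on it. Moving the two `host.os.*` lines into their own `- set:` stage guarded by `filter: "{{json_event.message.asset.osType != 'UNKNOWN'}}"` keeps the field meaningful; `agent.id`/`agent.version` are fine as long as the vendor sends `null` rather than a placeholder string (test 2 shows `null`, which is dropped). The enclosing `set` stage starts before this hunk.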
@@ -65,3 +70,26 @@ stages:
 sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
 sentinelone.identity.result: "{{json_event.message.result}}"
 sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
+ sentinelone.identity.analystVerdict: "{{json_event.message.analystVerdict}}"
+ sentinelone.identity.analyticsCategory: "{{json_event.message.analytics.category}}"
+
+ - set:
+ threat.tactic.id: "[{% for attack in json_event.message.rawData.finding_info.attacks %}{% for tactic in attack['tactics'] %}'{{tactic.uid}}',{% endfor %}{% endfor %}]"
+ threat.tactic.name: "[{% for attack in json_event.message.rawData.finding_info.attacks %}{% for tactic in attack['tactics'] %}'{{tactic.name}}',{% endfor %}{% endfor %}]"
+ filter: "{{json_event.message.get('rawData', {}).get('finding_info', {}).get('attacks', []) | length > 0}}"
+
+ - set:
+ host.name: "{{json_event.message.rawData.resources[0].name}}"
+ organization.id: "{{json_event.message.rawData.resources[0].s1_metadata.account_id}}"
+ organization.name: "{{json_event.message.rawData.resources[0].s1_metadata.account_name}}"
+ sentinelone.identity.siteId: "{{json_event.message.rawData.resources[0].s1_metadata.site_id}}"
+ sentinelone.identity.siteName: "{{json_event.message.rawData.resources[0].s1_metadata.site_name}}"
+ filter: "{{json_event.message.get('rawData', {}).get('resources', []) | length > 0}}"
+
+ - set:
+ destination.domain: "{{json_event.message.rawData.evidences[0].dst_endpoint.hostname}}"
+ destination.ip: "{{json_event.message.rawData.evidences[0].dst_endpoint.ip}}"
+ source.domain: "{{json_event.message.rawData.evidences[0].src_endpoint.hostname}}"
+ source.ip: "{{json_event.message.rawData.evidences[0].src_endpoint.ip}}"
+ user.name: "{{json_event.message.rawData.evidences[0].actor.user.name}}"
+ filter: "{{json_event.message.get('rawData', {}).get('evidences', []) | length > 0}}"
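Review bot: The `threat` stage maps tactics but drops the technique that sits in the same `attacks` entries (`technique.uid` `T1003`/`T1212` and `technique.name` in both fixtures), and the evidence stage maps `actor.user.name` but not `actor.user.domain` (`LAB` in test 1), although ECS has `threat.technique.id`/`threat.technique.name` and `user.domain` for exactly these. Adding `threat.technique.id: "[{% for attack in json_event.message.rawData.finding_info.attacks %}'{{attack.technique.uid}}',{% endfor %}]"` with the matching `.name` line next to the tactic lines, and `user.domain: "{{json_event.message.rawData.evidences[0].actor.user.domain}}"` in the evidence stage, makes the alert usable for ATT&CK-based correlation and user lookups. Separately, the tactic lists are built by string-concatenating single-quoted Jinja output, so a tactic name containing an apostrophe would break the list literal; a `| map(attribute='name') | list` style expression would be more robust if the engine accepts list-valued templates. Only the first `resources`/`evidences` element is mapped, which matches these fixtures but deserves a one-line comment so the limitation is deliberate rather than accidental.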
diff --git a/SentinelOne/identity/tests/test_alert_1_detailed.json b/SentinelOne/identity/tests/test_alert_1_detailed.json
new file mode 100644
index 000000000..aaa2524e4
--- /dev/null
+++ b/SentinelOne/identity/tests/test_alert_1_detailed.json
@@ -0,0 +1,90 @@ +{ + "input": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ADSecure-DC\"\n },\n \"asset\": {\n \"agentUuid\": \"123123123123123\",\n \"agentVersion\": \"AgentVersion1\",\n \"category\": \"Server\",\n \"name\": \"VM0001.LAB\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"1.1\",\n \"subcategory\": \"Other Server\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is generated when a DCSync attack is detected.\",\n \"detectedAt\": \"2024-12-11T13:11:48.487Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"id\": \"19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b\",\n \"lastSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"name\": \"DCSync Attack Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {\n\"name\":\"test_user\", \"domain\": \"LAB\"\n }\n },\n \"dst_endpoint\": {\n \"hostname\": \"VM0001\",\n \"ip\": \"5.6.7.8\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"src_endpoint\": {\n \"hostname\":\"tes.test\", \"ip\": \"1.2.3.4\"\n }\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ADSecure-DC\",\n \"type_id\": 1,\n \"uid\": \"ADSecure-DC\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"OS Credential Dumping\",\n \"uid\": \"T1003\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is generated when a DCSync attack is detected.\",\n \"first_seen_time\": \"1733922708487\",\n \"internal_uid\": \"d2dfca23-c7c7-409d-840c-cc0702ef7eb7\",\n \"kill_chain\": [\n {\n 
\"phase_id\": 2\n }\n ],\n \"last_seen_time\": \"1733922708487\",\n \"related_events\": [\n {\n \"message\": \"An authorized session has been detected with a certain privilege which could be result of an privilege escalation.\",\n \"severity_id\": 5,\n \"time\": \"1733922708487\",\n \"type\": \"Authorize Session: Other\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n }\n ],\n \"title\": \"DCSync Attack Detected\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"message\": \"This event is generated when a DCSync attack is detected.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5001802:Attacker IP=1.2.3.4 Source Port=49970 Target IP=5.6.7.8 Target Port=49155 Severity=14 Domain=LAB userName=john.doe dc_host=VM00001 CA_STATUS=ALERT client_id=xxxxxxx-xxxxxx-xxxx-xxxxxxx subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"123123123123123123\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1234567890\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 123123,\n \"scope_id\": \"1234567890\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1234567890\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 5,\n \"status_id\": 1,\n \"time\": \"1733922708487\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n 
\"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ADSecure-DC\"\n },\n \"asset\": {\n \"agentUuid\": \"123123123123123\",\n \"agentVersion\": \"AgentVersion1\",\n \"category\": \"Server\",\n \"name\": \"VM0001.LAB\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"1.1\",\n \"subcategory\": \"Other Server\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is generated when a DCSync attack is detected.\",\n \"detectedAt\": \"2024-12-11T13:11:48.487Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"id\": \"19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b\",\n \"lastSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"name\": \"DCSync Attack Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {\n\"name\":\"test_user\", \"domain\": \"LAB\"\n }\n },\n \"dst_endpoint\": {\n \"hostname\": \"VM0001\",\n \"ip\": \"5.6.7.8\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"src_endpoint\": {\n \"hostname\":\"tes.test\", \"ip\": \"1.2.3.4\"\n }\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ADSecure-DC\",\n \"type_id\": 1,\n \"uid\": \"ADSecure-DC\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"OS Credential Dumping\",\n \"uid\": \"T1003\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is generated when a DCSync attack is detected.\",\n \"first_seen_time\": \"1733922708487\",\n \"internal_uid\": \"d2dfca23-c7c7-409d-840c-cc0702ef7eb7\",\n \"kill_chain\": [\n {\n \"phase_id\": 2\n }\n ],\n \"last_seen_time\": 
\"1733922708487\",\n \"related_events\": [\n {\n \"message\": \"An authorized session has been detected with a certain privilege which could be result of an privilege escalation.\",\n \"severity_id\": 5,\n \"time\": \"1733922708487\",\n \"type\": \"Authorize Session: Other\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n }\n ],\n \"title\": \"DCSync Attack Detected\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"message\": \"This event is generated when a DCSync attack is detected.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5001802:Attacker IP=1.2.3.4 Source Port=49970 Target IP=5.6.7.8 Target Port=49155 Severity=14 Domain=LAB userName=john.doe dc_host=VM00001 CA_STATUS=ALERT client_id=xxxxxxx-xxxxxx-xxxx-xxxxxxx subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"123123123123123123\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1234567890\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 123123,\n \"scope_id\": \"1234567890\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1234567890\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 5,\n \"status_id\": 1,\n \"time\": \"1733922708487\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-12-11T13:11:48.487000Z", + 
"kind": "alert", + "provider": "Identity", + "reason": "This event is generated when a DCSync attack is detected.", + "start": "2024-12-11T13:11:48.487000Z", + "type": "info" + }, + "@timestamp": "2024-12-11T13:11:48.487000Z", + "agent": { + "id": "123123123123123", + "version": "AgentVersion1" + }, + "destination": { + "address": "VM0001", + "domain": "VM0001", + "ip": "5.6.7.8" + }, + "host": { + "name": "VM0001.LAB", + "os": { + "family": "UNKNOWN", + "version": "1.1" + } + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "organization": { + "id": "123123123123123123", + "name": "EXAMPLE CORP" + }, + "related": { + "hosts": [ + "VM0001", + "tes.test" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "test_user" + ] + }, + "sentinelone": { + "identity": { + "analystVerdict": "UNDEFINED", + "analyticsCategory": "ADSecure-DC", + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b", + "name": "DCSync Attack Detected", + "siteId": "1234567890", + "siteName": "Sekoia.io", + "status": "NEW" + } + }, + "source": { + "address": "tes.test", + "domain": "tes.test", + "ip": "1.2.3.4", + "subdomain": "tes" + }, + "threat": { + "tactic": { + "id": [ + "TA006" + ], + "name": [ + "Credential Access" + ] + } + }, + "user": { + "name": "test_user" + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2_detailed.json b/SentinelOne/identity/tests/test_alert_2_detailed.json new file mode 100644 index 000000000..fed8c7e68 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2_detailed.json 
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ThreatPath\"\n },\n \"asset\": {\n \"agentUuid\": null,\n \"agentVersion\": null,\n \"category\": \"Workstation\",\n \"name\": \"Unknown\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"\",\n \"subcategory\": \"Other Workstation\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"detectedAt\": \"2024-12-24T05:47:33.726Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"id\": \"0193f734-d130-773a-815c-fbfe892a2635\",\n \"lastSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"name\": \"New AD Privilege Accounts Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {}\n },\n \"dst_endpoint\": {},\n \"src_endpoint\": {}\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ThreatPath\",\n \"type_id\": 1,\n \"uid\": \"ThreatPath\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"id\": \"xxx-xxx-xxxx\", \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"Exploitation for Credential Access\",\n \"uid\": \"T1212\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"first_seen_time\": \"1735026290990\",\n \"internal_uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"kill_chain\": [\n {\n \"phase_id\": 0\n }\n ],\n \"last_seen_time\": \"1735026290990\",\n \"title\": \"New AD Privilege 
Accounts Detected\",\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\"\n },\n \"message\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5006406:AD Privilege Accounts credentials(S1-Local-Admin) detected in domain:LAB, ip:vm00001.lab at timestamp:1733309067716 of severity:8 subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"617755838952421242\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1107851598374945694\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 86061,\n \"scope_id\": \"1107851598374945694\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1107851598374945694\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"70629f7d-e514-4a71-b88d-28a466d0fa02VM0001\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 3,\n \"status_id\": 1,\n \"time\": \"1735026290990\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null}" + }, + "expected": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ThreatPath\"\n },\n \"asset\": {\n \"agentUuid\": null,\n \"agentVersion\": null,\n \"category\": \"Workstation\",\n \"name\": \"Unknown\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"\",\n \"subcategory\": \"Other Workstation\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n 
\"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"detectedAt\": \"2024-12-24T05:47:33.726Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"id\": \"0193f734-d130-773a-815c-fbfe892a2635\",\n \"lastSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"name\": \"New AD Privilege Accounts Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {}\n },\n \"dst_endpoint\": {},\n \"src_endpoint\": {}\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ThreatPath\",\n \"type_id\": 1,\n \"uid\": \"ThreatPath\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"id\": \"xxx-xxx-xxxx\", \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"Exploitation for Credential Access\",\n \"uid\": \"T1212\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"first_seen_time\": \"1735026290990\",\n \"internal_uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"kill_chain\": [\n {\n \"phase_id\": 0\n }\n ],\n \"last_seen_time\": \"1735026290990\",\n \"title\": \"New AD Privilege Accounts Detected\",\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\"\n },\n \"message\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": 
\"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5006406:AD Privilege Accounts credentials(S1-Local-Admin) detected in domain:LAB, ip:vm00001.lab at timestamp:1733309067716 of severity:8 subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"617755838952421242\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1107851598374945694\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 86061,\n \"scope_id\": \"1107851598374945694\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1107851598374945694\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"70629f7d-e514-4a71-b88d-28a466d0fa02VM0001\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 3,\n \"status_id\": 1,\n \"time\": \"1735026290990\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-12-24T05:47:33.726000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is triggered when a new Privilege Account has been detected in the Active Directory.", + "start": "2024-12-24T05:47:33.726000Z", + "type": "info" + }, + "@timestamp": "2024-12-24T05:47:33.726000Z", + "host": { + "name": "VM0001.LAB", + "os": { + "family": "UNKNOWN" + } + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "organization": { + "id": "617755838952421242", + "name": "EXAMPLE CORP" + }, + "sentinelone": { + "identity": { + "analystVerdict": "UNDEFINED", + "analyticsCategory": "ThreatPath", + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": 
"MALICIOUS", + "id": "0193f734-d130-773a-815c-fbfe892a2635", + "name": "New AD Privilege Accounts Detected", + "siteId": "1107851598374945694", + "siteName": "Sekoia.io", + "status": "NEW" + } + }, + "threat": { + "tactic": { + "id": [ + "TA006" + ], + "name": [ + "Credential Access" + ] + } + } + } +} \ No newline at end of file