Sekoia Endpoint - parse dns.resolved_ip without errors
lvoloshyn-sekoia committed Dec 17, 2024
1 parent 1c7479e commit 57d71be
Showing 2 changed files with 103 additions and 1 deletion.
13 changes: 12 additions & 1 deletion SekoiaIO/endpoint/ingest/parser.yml
Expand Up @@ -53,7 +53,6 @@ stages:
agent: "{{json.event.agent}}"
destination: "{{json.event.destination}}"
dll: "{{json.event.dll}}"
dns: "{{json.event.dns}}"
error: "{{json.event.error}}"
event.action: "{{json.event.event.action}}"
event.category: "{{json.event.event.category}}"
Expand Down Expand Up @@ -82,6 +81,18 @@ stages:
sekoiaio.target_process: "{{json.event.sekoiaio.target_process}}"
sekoiaio.repeat.count: "{{json.event.sekoiaio.repeat.count}}"

- set:
dns.answers: "{{json.event.dns.answers}}"
dns.id: "{{json.event.dns.id}}"
dns.op_code: "{{json.event.dns.op_code}}"
dns.question: "{{json.event.dns.question}}"
dns.response_code: "{{json.event.dns.response_code}}"
dns.type: "{{json.event.dns.type}}"

- set:
dns.resolved_ip: "{{json.event.dns.resolved_ip}}"
filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"

- set:
action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
action.properties.TaskContentNew_Args: "{{parsed_task_content_xml.result.Task.Actions.Exec.Arguments}}"
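Review bot: The guard on the new stage, `filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"`, is evaluated against the whole `resolved_ip` list, so a response that carries a valid address alongside a `<nil>` placeholder would presumably be kept or dropped as a unit rather than retaining the usable addresses — worth confirming how `is_ipaddress` behaves on a list before relying on it. The only fixture added, dns_results_without_ip.json, covers the `["<nil>"]` case; a companion fixture with a well-formed `resolved_ip` list would pin that valid answers still pass the filter. If, as the diffstat suggests, the `dns: "{{json.event.dns}}"` line in the first hunk is the removed one, replacing it with an explicit field list also means keys not enumerated, such as the `header_flags` present in the fixture input, are no longer copied; a one-line comment above the first new `- set:` stage stating that `dns` is mapped field-by-field so an unparseable `resolved_ip` does not fail the whole event would make that intent explicit. The enclosing `stages:` mapping starts before this hunk.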
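--- a/SekoiaIO/endpoint/tests/dns_results_without_ip.json
+++ b/SekoiaIO/endpoint/tests/dns_results_without_ip.json
@@ -0,0 +1,91 @@
+{
+"input": {
+"message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"<nil>\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": [\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}"
+},
+"expected": {
+"message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"<nil>\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": [\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}",
+"event": {
+"action": "dns-query-result",
+"category": [
+"network"
+],
+"code": "22",
+"end": "2024-12-13T07:06:37.188887Z",
+"outcome": "success",
+"provider": "SEKOIA-IO-Endpoint",
+"start": "2024-12-13T07:06:37.188885Z",
+"type": [
+"connection",
+"protocol"
+]
+},
+"action": {
+"outcome": "success"
+},
+"agent": {
+"id": "d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c",
+"version": "v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133"
+},
+"destination": {
+"address": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c",
+"ip": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c",
+"port": 49878
+},
+"dns": {
+"answers": [
+{
+"data": "self-events-data.trafficmanager.net",
+"name": "self.events.data.microsoft.com",
+"ttl": 71,
+"type": "CNAME"
+}
+],
+"id": "19552",
+"op_code": "Query",
+"question": {
+"class": "IN",
+"name": "self.events.data.microsoft.com",
+"registered_domain": "microsoft.com",
+"subdomain": "self.events.data",
+"top_level_domain": "com",
+"type": "Unknown"
+},
+"response_code": "No Error",
+"type": "answer"
+},
+"host": {
+"hostname": "EXAMPLE.local",
+"ip": [
+"192.0.0.2"
+],
+"name": "EXAMPLE.local",
+"os": {
+"type": "macos"
+}
+},
+"network": {
+"transport": "udp"
+},
+"related": {
+"hosts": [
+"EXAMPLE.local",
+"self.events.data.microsoft.com"
+],
+"ip": [
+"192.0.0.2",
+"968:447b:692:f381:337:cafd:40e8:9123",
+"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c"
+]
+},
+"sekoiaio": {
+"repeat": {
+"count": 1
+}
+},
+"source": {
+"address": "968:447b:692:f381:337:cafd:40e8:9123",
+"ip": "968:447b:692:f381:337:cafd:40e8:9123",
+"port": 53
+}
+}
+}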
