diff --git a/SekoiaIO/endpoint/ingest/parser.yml b/SekoiaIO/endpoint/ingest/parser.yml
index 873db4f0b..014bdc5ad 100644
--- a/SekoiaIO/endpoint/ingest/parser.yml
+++ b/SekoiaIO/endpoint/ingest/parser.yml
@@ -53,7 +53,6 @@ stages:
 agent: "{{json.event.agent}}"
 destination: "{{json.event.destination}}"
 dll: "{{json.event.dll}}"
- dns: "{{json.event.dns}}"
 error: "{{json.event.error}}"
 event.action: "{{json.event.event.action}}"
 event.category: "{{json.event.event.category}}"
@@ -82,6 +81,18 @@ stages:
 sekoiaio.target_process: "{{json.event.sekoiaio.target_process}}"
 sekoiaio.repeat.count: "{{json.event.sekoiaio.repeat.count}}"
+ - set:
+ dns.answers: "{{json.event.dns.answers}}"
+ dns.id: "{{json.event.dns.id}}"
+ dns.op_code: "{{json.event.dns.op_code}}"
+ dns.question: "{{json.event.dns.question}}"
+ dns.response_code: "{{json.event.dns.response_code}}"
+ dns.type: "{{json.event.dns.type}}"
+
+ - set:
+ dns.resolved_ip: "{{json.event.dns.resolved_ip}}"
+ filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"
+
 - set:
 action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
 action.properties.TaskContentNew_Args: "{{parsed_task_content_xml.result.Task.Actions.Exec.Arguments}}"
diff --git a/SekoiaIO/endpoint/tests/dns_results_without_ip.json b/SekoiaIO/endpoint/tests/dns_results_without_ip.json
new file mode 100644
index 000000000..f1054a0ac
--- /dev/null
+++ b/SekoiaIO/endpoint/tests/dns_results_without_ip.json
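Review bot: The explicit `dns.*` mapping added in the second hunk's first new `- set:` block does not carry `header_flags`, which the whole-object copy `dns: "{{json.event.dns}}"` removed in the first hunk did, and which the new fixture's input still contains (`\"header_flags\": [\"RD\", \"RA\"]`) while its expected output lacks it; `dns.header_flags` is a standard ECS field and the flags are useful for distinguishing recursive from authoritative answers in detection content. Unless the drop is intended, add `dns.header_flags: "{{json.event.dns.header_flags}}"` next to `dns.id`, or leave a comment stating why it is omitted. The `is_ipaddress` filter on `dns.resolved_ip` is applied to a value the fixture shows is a list, and how the filter treats a list that mixes a valid address and an empty string (constructed example: `["192.0.2.1", ""]`) is neither visible here nor covered by the all-empty fixture, so a second fixture for the mixed case would pin the intended behaviour. The enclosing `stages:` mapping begins and ends outside both hunks.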
@@ -0,0 +1,91 @@ +{ + "input": { + "message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": [\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}" + }, + "expected": { + "message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": 
[\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}", + "event": { + "action": "dns-query-result", + "category": [ + "network" + ], + "code": "22", + "end": "2024-12-13T07:06:37.188887Z", + "outcome": "success", + "provider": "SEKOIA-IO-Endpoint", + "start": "2024-12-13T07:06:37.188885Z", + "type": [ + "connection", + "protocol" + ] + }, + "action": { + "outcome": "success" + }, + "agent": { + "id": "d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c", + "version": "v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133" + }, + "destination": { + "address": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c", + "ip": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c", + "port": 49878 + }, + "dns": { + "answers": [ + { + "data": "self-events-data.trafficmanager.net", + "name": "self.events.data.microsoft.com", + "ttl": 71, + "type": "CNAME" + } + ], + "id": "19552", + "op_code": "Query", + "question": { + "class": "IN", + "name": "self.events.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "self.events.data", + "top_level_domain": "com", + "type": "Unknown" + }, + "response_code": "No Error", + "type": "answer" + }, + "host": { + "hostname": "EXAMPLE.local", + "ip": [ + "192.0.0.2" + ], + "name": "EXAMPLE.local", + "os": { + "type": "macos" + } + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "EXAMPLE.local", + "self.events.data.microsoft.com" + ], + "ip": [ + "192.0.0.2", + 
"968:447b:692:f381:337:cafd:40e8:9123", + "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c" + ] + }, + "sekoiaio": { + "repeat": { + "count": 1 + } + }, + "source": { + "address": "968:447b:692:f381:337:cafd:40e8:9123", + "ip": "968:447b:692:f381:337:cafd:40e8:9123", + "port": 53 + } + } +} \ No newline at end of file