fix(MicrosoftDefenderXDR): extract additional fields for Alert Evidence

SEKOIA-IO · Dec 12, 2024 · 5c29f4c · 5c29f4c
1 parent 0691629
commit 5c29f4c
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 2 deletions.
diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml
@@ -798,6 +798,11 @@ microsoft.defender.threat.detection:
   name: microsoft.defender.threat.detection
   type: keyword
 
+microsoft.defender.threat.detection_status:
+  description: The status of the detection
+  name: microsoft.defender.threat.detection_status
+  type: keyword
+
 microsoft.defender.threat.family:
   description: Malware family that the suspicious or malicious file or process has
     been classified under
@@ -815,6 +820,11 @@ microsoft.defender.threat.severity:
   name: microsoft.defender.threat.severity
   type: keyword
 
+microsoft.defender.threat.suspicion_level:
+  description: The status of the detection
+  name: microsoft.defender.threat.suspicion_level
+  type: keyword
+
 microsoft.defender.threat.types:
   description: Verdict from the email filtering stack on whether the email contains
     malware, phishing, or other threats

diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml
@@ -350,6 +350,8 @@ stages:
           microsoft.defender.evidence.direction: "{{json_event.message.properties.EvidenceDirection}}"
           microsoft.defender.threat.family: "{{json_event.message.properties.ThreatFamily}}"
           microsoft.defender.threat.severity: "{{json_event.message.properties.Severity}}"
+          microsoft.defender.threat.detection_status: "{{parse_additional_fields.fields.DetectionStatus}}"
+          microsoft.defender.threat.suspicion_level: "{{parse_additional_fields.fields.SuspicionLevel}}"
 
       - set:
           email.to.address: ["{{parse_additional_fields.fields.Recipient}}"]
@@ -363,6 +365,11 @@ stages:
           action.properties.AttachmentCount: "{{parse_additional_fields.fields.AttachmentCount}}"
           action.properties.UrlCount: "{{parse_additional_fields.fields.UrlCount}}"
 
+          process.pid: "{{parse_additional_fields.fields.ProcessId}}"
+          process.name: "{{parse_additional_fields.fields.ImageFile.Name}}"
+          process.parent.pid: "{{parse_additional_fields.fields.ParentProcess.ProcessId}}"
+          process.parent.command_line: "{{parse_additional_fields.fields.ParentProcess.CommandLine}}"
+
   set_alert_info_fields:
     actions:
       - set:

diff --git a/Microsoft/microsoft-365-defender/tests/test_alert_evidence.json b/Microsoft/microsoft-365-defender/tests/test_alert_evidence.json
@@ -43,15 +43,22 @@
           "role": "Related"
         },
         "threat": {
-          "severity": "Low"
+          "detection_status": "Detected",
+          "severity": "Low",
+          "suspicion_level": "Suspicious"
         }
       }
     },
     "process": {
       "args": [
         "8192"
       ],
-      "command_line": "splwow64.exe 8192"
+      "command_line": "splwow64.exe 8192",
+      "name": "splwow64.exe",
+      "parent": {
+        "pid": 12636
+      },
+      "pid": 19060
     },
     "related": {
       "hash": [