Fix parser
lvoloshyn-sekoia committed Dec 11, 2024
1 parent 89e0967 commit 79c0b55
Showing 4 changed files with 175 additions and 9 deletions.
6 changes: 3 additions & 3 deletions Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
Expand Up @@ -26,8 +26,8 @@ stages:
host.ip: "{{parsed_event.message.endpoint.ips}}"

agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
event.start: "{{parsed_event.message.detail.firstSeen}}"
event.end: "{{parsed_event.message.detail.lastSeen}}"
event.start: "{{parsed_event.message.detail.firstSeen | to_rfc3339}}"
event.end: "{{parsed_event.message.detail.lastSeen | to_rfc3339}}"

host.id: "{{parsed_event.message.detail.endpointGuid}}"
host.os.name: "{{parsed_event.message.detail.osName}}"
Expand All @@ -38,7 +38,7 @@ stages:
process.parent.pid: "{{parsed_event.message.detail.processPid}}"
process.parent.user.name: "{{parsed_event.message.detail.processUser}}"
process.parent.user.domain: "{{parsed_event.message.detail.processUserDomain}}"
process.parent.start: "{{parsed_event.message.detail.processLaunchTime}}"
process.parent.start: "{{parsed_event.message.detail.processLaunchTime | to_rfc3339}}"
process.parent.command_line: "{{parsed_event.message.detail.processCmd}}"
process.parent.executable: "{{parsed_event.message.detail.processFilePath}}"
process.parent.hash.sha1: "{{parsed_event.message.detail.processFileHashSha1}}"
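Review bot: `to_rfc3339` is now applied to `process.parent.start` in the second hunk, but the expected fixture further down this page still shows the grandparent's `process.parent.parent.start` as a raw epoch-millisecond string (`"start": "1732638953785"`) beside a string `"pid": "9920"`, while one level up the same keys are an RFC 3339 string and an integer 5040, so a consumer sees two types for the same key depending on nesting depth. If the grandparent mapping lives in this stage (its lines are outside the visible hunk), give it the same treatment, e.g. `process.parent.parent.start: "{{parsed_event.message.detail.<grandparent-launch-time-field> | to_rfc3339}}"`, and cast that pid to an integer. It is also worth confirming that `to_rfc3339` tolerates an absent or empty `lastSeen` / `processLaunchTime`, since `event.end` and `process.parent.start` are now fed through it unconditionally. The `stages:` mapping enclosing both hunks starts above the first hunk.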
Expand Up @@ -8,7 +8,8 @@
"category": [
"intrusion_detection"
],
"kind": "alert",
"end": "2022-04-12T23:43:15Z",
"start": "2022-04-12T23:43:15Z",
"type": [
"info"
]
Expand All @@ -18,20 +19,54 @@
"id": "b1cde761-16ad-4067-9a57-cbea882915df"
},
"host": {
"id": "b1cde761-16ad-4067-9a57-cbea882915df",
"ip": [
"150.183.13.135",
"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e"
],
"name": "LAB-Luwak-1048"
"name": "LAB-Luwak-1048",
"os": {
"full": "Windows 10 Enterprise (64 bit) build 19044",
"name": "Windows",
"version": "10.0.19044"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "C:\\Windows\\system32\\sppsvc.exe",
"name": "C:\\Windows\\System32\\services.exe",
"parent": {
"command_line": "C:\\Windows\\system32\\services.exe",
"executable": "C:\\Windows\\System32\\services.exe",
"hash": {
"md5": "dac02fbf9bebb39e34afe11bfddf2f83",
"sha1": "a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e",
"sha256": "ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08"
},
"pid": 672,
"start": "2022-03-09T11:43:02.237000Z",
"user": {
"domain": "NT AUTHORITY",
"name": "SYSTEM"
}
},
"pid": 3832
},
"related": {
"hash": [
"a75988a89b1e18c5af82f5f4f5e28f9c91c2cd3e",
"ab6acff524930ed8fddd84787a8d65ec9ed0b6b62727dac4a23a1ec7a13b4b08",
"dac02fbf9bebb39e34afe11bfddf2f83"
],
"ip": [
"150.183.13.135",
"433e:5c7b:50b0:d145:2c61:9d1d:f317:627e"
],
"user": [
"NETWORK SERVICE"
]
},
"threat": {
Expand All @@ -48,6 +83,10 @@
]
}
}
},
"user": {
"domain": "NT AUTHORITY",
"name": "NETWORK SERVICE"
}
}
}
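Review bot: `related.user` in this expected output lists only `NETWORK SERVICE`, although the same record carries `process.parent.user.name: "SYSTEM"`; ECS `related.user` is meant to collect every user name that appears in the event, so either the parser's `related.user` mapping omits the parent-process user or the fixture is pinning a narrower value than intended. `related.hash` likewise holds only the parent's three hashes, which matches the visible parent mappings, but a short comment in the parser stating that child hashes are not available in this source would stop the next reader from treating it as an omission. The parser lines that build `related.*` are not in the visible hunks, so this is inferred from the fixture alone.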
Expand Up @@ -8,7 +8,8 @@
"category": [
"intrusion_detection"
],
"kind": "alert",
"end": "2024-11-26T16:45:02.571000Z",
"start": "2024-11-26T16:45:02.571000Z",
"type": [
"info"
]
Expand All @@ -17,21 +18,74 @@
"agent": {
"id": "9f6b89c4-c3b2-4b9f-9401-dae324506ceb"
},
"group": {
"id": "3927f750-c536-480a-ae9f-d9ede20f4a9e"
},
"host": {
"id": "1c7a31e1-89e1-4192-aa7b-a341e6a8ebf1",
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"name": "Windows10"
"name": "Windows10",
"os": {
"full": "Windows 10 Pro (64 bit) build 19045",
"name": "Windows",
"version": "10.0.19045"
}
},
"observer": {
"product": "Vision One",
"vendor": "TrendMicro"
},
"process": {
"command_line": "\"C:\\Windows\\system32\\klist.exe\"",
"name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"parent": {
"command_line": "\"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\" ",
"executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"hash": {
"md5": "fe6a3a98112b13aaad196444afcc041c",
"sha1": "0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"sha256": "09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed"
},
"parent": {
"command_line": "C:\\Windows\\Explorer.EXE",
"executable": "C:\\Windows\\explorer.exe",
"hash": {
"md5": "a377274ae8e84c7e8ff5fd1b3bb9d080",
"sha1": "b1db7fd8ea0d2fb6ca854609c9ff7de5a822b316",
"sha256": "4e5fe7cf2873f4e4157d6592154179f6efe0b200dbb72fbdca039e4e4c72d4ac"
},
"name": "C:\\Windows\\explorer.exe",
"pid": "9920",
"start": "1732638953785",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 5040,
"start": "2024-11-26T16:37:55.967000Z",
"user": {
"domain": "Windows10",
"name": "jdoe"
}
},
"pid": 3464
},
"related": {
"hash": [
"09f94c21bc54d3de56b4007b0d650cb54a1dbbb91dc1d537426ac442448c4eed",
"0aea4fdd45c998bcf774e85ec478ab2e71fb8b4b",
"fe6a3a98112b13aaad196444afcc041c"
],
"ip": [
"1802:d896:65fe:b84:742d:615:f69b:6600",
"239.144.71.57"
],
"user": [
"jdoe"
]
},
"threat": {
Expand All @@ -48,6 +102,10 @@
"id": []
}
}
},
"user": {
"domain": "Windows10",
"name": "jdoe"
}
}
}
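Review bot: `process.name` in this fixture is the full path `C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe`, identical to `process.parent.executable`, while `process.command_line` is `"C:\\Windows\\system32\\klist.exe"`; the previous fixture shows the same pattern (`services.exe` as `process.name` beside a `sppsvc.exe` command line). ECS `process.name` is the process's own basename, so this reads as if the child's name is being populated from the parent's file path rather than from the child's own command line — worth checking the parser mapping before locking it in as expected output. The mapping for `process.name` is not in the visible parser hunks, so this is an inference from the two fixtures.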