

Merge branch 'main' into fix/CiscoESA
LenaigKaliou authored Dec 11, 2024
2 parents 1757251 + 27fe310 commit 7a12573
Showing 8 changed files with 229 additions and 10 deletions.
5 changes: 5 additions & 0 deletions HarfangLab/harfanglab/_meta/fields.yml
Expand Up @@ -953,6 +953,11 @@ action.properties.param9:
name: action.properties.param9
type: keyword

harfanglab.agent_ids:
description: ''
name: harfanglab.agent_ids
type: keyword

harfanglab.aggregation_key:
description: The key to the events aggregation
name: harfanglab.aggregation_key
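Review bot: The new `harfanglab.agent_ids` entry is added with an empty `description: ''`, while the neighbouring `harfanglab.aggregation_key` entry documents what it holds; an analyst browsing the field list gets no hint of what this keyword contains. Going by the parser change in this same commit, which builds the value from `json_event.message.agents | map(attribute='agent_id') | list`, a description along the lines of `description: 'Identifiers (agent_id) of the agents associated with the event'` would fit. The surrounding field list continues above and below the hunk.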
4 changes: 4 additions & 0 deletions HarfangLab/harfanglab/ingest/parser.yml
Expand Up @@ -142,6 +142,10 @@ stages:
organization.id: "{{json_event.message.tenant}}"
url.original: "{{json_event.message.details_url_request.url}}"

- set:
harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}"
filter: "{{json_event.message.agents | length > 0}}"

network_info:
actions:
- set:
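Review bot: The guard on the new `set` action only tests `json_event.message.agents | length > 0`, so on a threat event that carries no `agents` key the `length` filter runs against an undefined value, and whether that evaluates to 0 or raises depends on the template environment's undefined handling, which is not visible here. Making the presence check explicit removes that dependency: `filter: "{{json_event.message.agents is defined and json_event.message.agents | length > 0}}"`. The action list this entry belongs to starts before the hunk.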
3 changes: 3 additions & 0 deletions HarfangLab/harfanglab/tests/threat_critical.json
Expand Up @@ -13,6 +13,9 @@
"name": "harfanglab"
},
"harfanglab": {
"agent_ids": [
"af5e2f63-becd-4660-ade8-30d04c0dd044"
],
"count": {
"rules": 1,
"users_impacted": 0
4 changes: 4 additions & 0 deletions HarfangLab/harfanglab/tests/threat_log.json
Expand Up @@ -13,6 +13,10 @@
"name": "harfanglab"
},
"harfanglab": {
"agent_ids": [
"215fe295-905f-4a8d-8347-e9d438d4e415",
"999ba0c7-96b8-4c57-bf0e-63b24813c873"
],
"count": {
"rules": 4,
"users_impacted": 3
20 changes: 10 additions & 10 deletions Pradeo/pradeo-mtd/ingest/parser.yml
Expand Up @@ -176,16 +176,16 @@ stages:
pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}"
pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}"
pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}"
pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}"
pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}"
pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}"
pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}"
pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}"
pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}"
pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}"
pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}"
pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}"
pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}"
pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}"
pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}"
pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}"
pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}"
pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}"
pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}"
pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}"
pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}"
pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}"
pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}"
- filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}'
set:
event.category: ["process"]
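Review bot: The context line `pradeo.compliance.matchedResponseRules` still reads `content.deviceApplication.compliance.matchedResponseRules`, a path that does not exist in the DeviceApplicationComplianceUpdated payload of the new test fixture, where the array sits at `content.deviceApplicationCompliance.matchedResponseRules`; consistently, the fixture's expected output contains no `pradeo.compliance` key at all. The same re-rooting this commit applies to the `application` fields is needed here: `pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplicationCompliance.matchedResponseRules}}"`, assuming the field is declared to accept that array. The action these mappings belong to starts before the hunk.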
55 changes: 55 additions & 0 deletions Pradeo/pradeo-mtd/tests/application_compliance_updated.json
@@ -0,0 +1,55 @@
{
"input": {
"message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n 
\"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}",
"sekoiaio": {
"intake": {
"dialect": "Pradeo MTD",
"dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827"
}
}
},
"expected": {
"message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n 
\"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}",
"event": {
"action": "DeviceApplicationComplianceUpdated",
"category": [
"process"
],
"type": [
"change"
]
},
"@timestamp": "2024-11-27T04:10:33.460000Z",
"pradeo": {
"application": {
"id": "azertyuiop",
"md5": "0fccfdefc882c4be6d2a938001184e08",
"name": "App",
"package": "com.app.test",
"sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac",
"sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8",
"system": "Android",
"version": "491.0.0.58.78",
"versionCode": "457215664"
},
"device": {
"byod": false,
"coupled": true,
"declaredModel": "MODEL 01",
"declaredOperatingSystem": "Android",
"declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z",
"declaredOperatingSystemVersion": "10.0.0",
"id": "device_id01",
"lastConnection": "2024-11-27T04:07:32Z",
"name": "John",
"serialNumber": "unknown"
},
"metadata": {
"creationDate": "2024-11-27T04:10:33.460000Z",
"id": "1234567890",
"source": "system",
"type": "DeviceApplicationComplianceUpdated"
}
}
}
}
52 changes: 52 additions & 0 deletions SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json
Expand Up @@ -682,6 +682,58 @@
}
]
},
{
"value": "Process {process.command_line} was created by {process.user.name}",
"conditions": [
{
"field": "event.action",
"value": "Process Creation"
},
{
"field": "process.user.name"
},
{
"field": "process.command_line"
}
],
"relationships": [
{
"source": "process.user.name",
"target": "process.parent.command_line",
"type": "created"
},
{
"source": "process.parent.command_line",
"target": "process.parent.title",
"type": "has process title"
},
{
"source": "process.parent.command_line",
"target": "process.parent.name",
"type": "has name"
},
{
"source": "process.command_line",
"target": "process.title",
"type": "has title"
},
{
"source": "process.command_line",
"target": "process.name",
"type": "has name"
},
{
"source": "process.parent.command_line",
"target": "process.command_line",
"type": "created"
},
{
"source": "process.user.name",
"target": "host.name",
"type": "logged on"
}
]
},
{
"value": "Process {process.command_line} was created by {user.name}",
"conditions": [
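Review bot: The new entry's `relationships` reference `process.parent.command_line`, `process.parent.title`, `process.parent.name`, `process.title`, `process.name` and `host.name`, none of which appear in its `conditions`, which require only `event.action`, `process.user.name` and `process.command_line`; whether a relationship whose field is absent is skipped or rendered with an empty endpoint depends on the smart-description engine, so either the referenced fields should be added as conditions or the unused relationships trimmed. The `process.user.name` → `process.parent.command_line` edge typed `created` also sits oddly beside the `process.parent.command_line` → `process.command_line` `created` edge; if it was copied from the `{user.name}` variant that follows, confirm it is intended. Note as well that this entry is inserted ahead of the existing `{user.name}` variant, so if matching is first-wins, events carrying both `process.user.name` and `user.name` now render through the new template.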

