From 4d63741595f95d292e5454a4a5ce65b030613ae8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gr=C3=A9goire=20Clermont?= <129874202+gcl-sekoia@users.noreply.github.com> Date: Thu, 7 Nov 2024 16:01:35 +0100 Subject: [PATCH 01/10] fix(o365): Parse ClientAppId in Exchange events --- Office 365/o365/ingest/parser.yml | 7 +++++++ Office 365/o365/tests/clientipadress.json | 5 +++++ Office 365/o365/tests/exchange_item_update.json | 5 +++++ Office 365/o365/tests/inbox_rule.json | 5 ++++- 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 62a4098df..13036065f 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -164,6 +164,10 @@ stages: filter: '{{json_event.message.get("Parameters") != None}}' - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" + - set: + office365.context.client.id: "{{json_event.message.AppId}}" + filter: '{{json_event.message.get("ClientAppId") == ""}}' parse_exchange_item: actions: @@ -189,6 +193,7 @@ stages: user.id: "{{json_event.message.LogonUserSid}}" office365.exchange.mailbox_guid: "{{json_event.message.MailboxGuid}}" office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" - set: email.subject: "{{json_event.message.Item.Subject}}" email.message_id: "{{json_event.message.Item.InternetMessageId[1:-1]}}" @@ -237,6 +242,7 @@ stages: ] - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" parse_share_point: actions: - set: @@ -254,6 +260,7 @@ stages: actions: - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" + office365.context.client.id: "{{json_event.message.ClientAppId}}" parse_network_traffic: actions: 
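Review bot: The AppId fallback added in the first hunk only fires when ClientAppId is present and exactly empty (`filter: '{{json_event.message.get("ClientAppId") == ""}}'`); an event that omits ClientAppId altogether keeps the `{{json_event.message.ClientAppId}}` rendering (what the engine stores for an undefined template value is not visible here) and never reads AppId. `filter: '{{not json_event.message.get("ClientAppId")}}'` covers both the absent and the empty case. The three later hunks copy ClientAppId into `office365.context.client.id` without any fallback, so the same kind of event can carry a client id in one stage and nothing in another; if the fallback is wanted it belongs in all four places, or in one shared stage. The stage names those three hunks belong to are outside what the hunks show.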
diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index c20107759..6f5c9ac9d 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -23,6 +23,11 @@ "target": "user" }, "office365": { + "context": { + "client": { + "id": "clientappidxxxx-xxx-xxx-xxxx" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { diff --git a/Office 365/o365/tests/exchange_item_update.json b/Office 365/o365/tests/exchange_item_update.json index ad69be989..30682248f 100644 --- a/Office 365/o365/tests/exchange_item_update.json +++ b/Office 365/o365/tests/exchange_item_update.json @@ -29,6 +29,11 @@ "subject": "HI" }, "office365": { + "context": { + "client": { + "id": "037fd006-a72b-49ae-4bb0-08dba30c8729" + } + }, "exchange": { "mailbox_guid": "8208550a-4001-439d-a9f6-e95d76767507" }, diff --git a/Office 365/o365/tests/inbox_rule.json b/Office 365/o365/tests/inbox_rule.json index 8af518085..f3609c050 100644 --- a/Office 365/o365/tests/inbox_rule.json +++ b/Office 365/o365/tests/inbox_rule.json @@ -21,7 +21,10 @@ "object_id": "EURPR07A010.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/example.onmicrosoft.com/bc1b1df3-f861-4aec-bf7c-40ce5b5566c1\\RULE_NAME" }, "context": { - "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847" + "aad_session_id": "984c0958-0631-4b90-b116-15094fc36847", + "client": { + "id": "00000002-0000-0ff1-ce00-000000000000" + } }, "exchange_admin": { "parameters": [ From 60131a16889905c6cb7b1fd2044d4ad5ab89bfea Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Fri, 8 Nov 2024 13:48:57 +0200 Subject: [PATCH 02/10] HarfangLab - fix ip parsing --- HarfangLab/harfanglab/ingest/parser.yml | 5 +- .../harfanglab/tests/authentication_2.json | 103 ++++++++++++++++++ 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 HarfangLab/harfanglab/tests/authentication_2.json 
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 7ff16f6df..1376e0758 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -277,7 +277,6 @@ stages: event.type: ["info"] event.provider: "{{json_event.message.source_name}}" event.code: "{{json_event.message.event_id|string}}" - source.ip: "{{json_event.message.event_data.IpAddress}}" action.id: "{{json_event.message.event_id}}" user.name: "{{json_event.message.event_data.SubjectUserName}}" user.domain: "{{json_event.message.event_data.SubjectDomainName}}" @@ -475,6 +474,10 @@ stages: action.properties.TaskContentNew_Command: "{{parse_task_info.message.Task.Actions.Exec.Command}}" action.properties.TaskContentNew_Args: "{{parse_task_info.message.Task.Actions.Exec.Arguments}}" + - set: + source.ip: "{{json_event.message.event_data.IpAddress}}" + filter: "{{json_event.message.event_data.IpAddress | is_ipaddress}}" + authentication_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/authentication_2.json b/HarfangLab/harfanglab/tests/authentication_2.json new file mode 100644 index 000000000..0f5d169e9 --- /dev/null +++ b/HarfangLab/harfanglab/tests/authentication_2.json 
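Review bot: The new `source.ip` set is guarded by `is_ipaddress` but carries no comment saying why, and the reason is not obvious from where it landed (the second hunk sits after the scheduled-task properties, far from the 4624 fields it was removed from at line 277). A one-line comment on the filter would save the next reader a trip to the fixture: `# Windows fills IpAddress with "-" when no network address is available; keep only real addresses`. In my experience 4624 events also carry IPv4-mapped IPv6 forms such as `::ffff:10.0.0.1`; if the engine's `is_ipaddress` rejects those, such logons lose source.ip silently, so a fixture for that case next to authentication_2.json would pin the behaviour. The name of the stage enclosing the new set is outside the hunk.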
@@ -0,0 +1,103 @@ +{ + "input": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": \"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": 
\"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}" + }, + "expected": { + "message": "{\"event_data\": {\"RestrictedAdminMode\": \"-\", \"SubjectUserName\": \"-\", \"SubjectUserSid\": \"S-1-0-0\", \"TargetOutboundUserName\": \"-\", \"ElevatedToken\": \"%%1843\", \"VirtualAccount\": \"%%1843\", \"ProcessId\": \"0x0\", \"AuthenticationPackageName\": \"NTLM\", \"LogonProcessName\": \"NtLmSsp\", \"IpPort\": \"-\", \"WorkstationName\": \"WORKSTATION_NAME\", \"LogonGuid\": \"{00000000-0000-0000-0000-000000000000}\", \"IpAddress\": \"-\", \"TargetLinkedLogonId\": \"0x0\", \"SubjectDomainName\": \"-\", \"TargetOutboundDomainName\": \"-\", \"ImpersonationLevel\": \"%%1833\", \"SubjectLogonId\": \"0x0\", \"TargetLogonId\": \"0x6accabcc3\", \"LogonType\": \"3\", \"TargetUserSid\": \"S-1-5-21-11111111111-111111111111-11111111-111\", \"LmPackageName\": \"NTLM V2\", \"TargetUserName\": \"johndoe\", \"TransmittedServices\": \"-\", \"TargetDomainName\": \"EXAMPLE\", \"ProcessName\": \"-\", \"KeyLength\": \"128\"}, \"groups\": [], \"type\": \"wineventlog\", \"computer_name\": \"example.local\", \"destination\": \"syslog\", \"record_number\": 177355019, \"@Version\": \"1\", \"log_name\": \"Security\", \"@event_create_date\": \"2024-11-05T11:10:19.543Z\", \"level\": \"log_always\", \"timestamp\": \"2024-11-05T11:10:20.274688148Z\", \"process_id\": 704, \"user_data\": {}, \"log_type\": \"eventlog\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"user\": {\"domain\": \"\", \"identifier\": \"\", \"name\": \"\", \"type\": \"unknown\"}, \"tenant\": \"11111111111111111111\", \"thread_id\": 9168, \"agent\": {\"dnsdomainname\": \"example.local\", \"osproducttype\": \"Windows Server 2022 Datacenter\", \"domain\": null, \"osversion\": \"10.0.20348\", \"ostype\": \"windows\", \"distroid\": null, \"domainname\": \"EXAMPLE\", \"additional_info\": {}, \"version\": \"4.1.6\", \"hostname\": \"EXAMPLE\", \"agentid\": 
\"555555555-9999-9999-9999-3e333333cccc\"}, \"event_id\": 4624, \"provider_guid\": \"555555555-9999-9999-9999-3e333333cccc\", \"source_name\": \"Microsoft-Windows-Security-Auditing\"}", + "event": { + "action": "authentication_network", + "category": [ + "authentication" + ], + "code": "4624", + "dataset": "eventlog", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2024-11-05T11:10:19.543000Z", + "action": { + "id": 4624, + "outcome": "success", + "properties": { + "AuthenticationPackageName": "NTLM", + "ElevatedToken": "%%1843", + "ImpersonationLevel": "%%1833", + "KeyLength": "128", + "LmPackageName": "NTLM V2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "NtLmSsp", + "LogonType": "3", + "ProcessId": "0x0", + "SubjectLogonId": "0x0", + "SubjectUserSid": "S-1-0-0", + "TargetDomainName": "EXAMPLE", + "TargetLinkedLogonId": "0x0", + "TargetLogonId": "0x6accabcc3", + "TargetUserName": "johndoe", + "TargetUserSid": "S-1-5-21-11111111111-111111111111-11111111-111", + "VirtualAccount": "%%1843", + "WorkstationName": "WORKSTATION_NAME" + } + }, + "agent": { + "id": "555555555-9999-9999-9999-3e333333cccc", + "name": "harfanglab" + }, + "harfanglab": { + "groups": [] + }, + "host": { + "domain": "EXAMPLE", + "hostname": "EXAMPLE", + "name": "EXAMPLE", + "os": { + "full": "Windows Server 2022 Datacenter", + "version": "10.0.20348" + } + }, + "log": { + "hostname": "EXAMPLE" + }, + "organization": { + "id": "11111111111111111111" + }, + "related": { + "hosts": [ + "EXAMPLE" + ] + }, + "sekoiaio": { + "authentication": { + "process": { + "name": "NtLmSsp" + } + }, + "client": { + "name": "WORKSTATION_NAME", + "os": { + "type": "windows" + } + }, + "server": { + "name": "EXAMPLE", + "os": { + "type": "windows" + } + } + }, + "server": { + "domain": "EXAMPLE" + }, + "user": { + "id": "S-1-0-0", + "target": { + "domain": "EXAMPLE", + "id": 
"S-1-5-21-11111111111-111111111111-11111111-111", + "name": "johndoe" + } + } + } +} \ No newline at end of file From eb0b0cc5c8a73329d021db69174c4f92ac35bfaa Mon Sep 17 00:00:00 2001 From: lvoloshyn-sekoia Date: Mon, 11 Nov 2024 11:14:06 +0200 Subject: [PATCH 03/10] CrowdStrike Telemetry - parse ContextBaseFileName --- CrowdStrike/crowdstrike-telemetry/_meta/fields.yml | 5 +++++ CrowdStrike/crowdstrike-telemetry/ingest/parser.yml | 3 +++ .../crowdstrike-telemetry/tests/telemetry_event_26.json | 1 + 3 files changed, 9 insertions(+) diff --git a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml index a59b68006..75e1b7434 100644 --- a/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml +++ b/CrowdStrike/crowdstrike-telemetry/_meta/fields.yml @@ -1,3 +1,8 @@ +crowdstrike.base_filename: + description: Base Filename + name: crowdstrike.base_filename + type: keyword + crowdstrike.customer_id: description: Customer ID (cid) name: crowdstrike.customer_id diff --git a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml index f5da81755..03e9819e7 100644 --- a/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml +++ b/CrowdStrike/crowdstrike-telemetry/ingest/parser.yml @@ -53,6 +53,9 @@ stages: "host.domain": "{{parsed_event.message.MachineDomain}}" "host.mac": "{{parsed_event.message.MAC}}" + - set: + crowdstrike.base_filename: "{{parsed_event.message.ContextBaseFileName}}" + set_registry_fields: actions: - set: diff --git a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json index 82baec896..1e7368eee 100644 --- a/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json +++ b/CrowdStrike/crowdstrike-telemetry/tests/telemetry_event_26.json @@ -18,6 +18,7 @@ "id": "111111111111111" }, "crowdstrike": { + "base_filename": "svchost.exe", "customer_id": "222222222222222222222" }, "file": { 
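Review bot: The field description `Base Filename` in fields.yml restates the field name and does not say what the value identifies; the fixture shows `svchost.exe` while the same event already has a `file` object, so a rule author cannot tell whether this is the same file or the process context the event occurred in. Suggest `description: Base name of the file the event's context refers to (raw ContextBaseFileName); may differ from file.name` — hedged, since the meaning of ContextBaseFileName is not shown in this diff. The set in parser.yml is unconditional like the neighbouring `host.*` sets, so an absent ContextBaseFileName produces whatever the engine does with an empty template, which is consistent with the stage but worth confirming with a fixture that lacks the field.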
From 9336df505b67a0453815a0e29b09800fa904a387 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 12 Nov 2024 13:19:50 +0200 Subject: [PATCH 04/10] Fix: Salesforce login event --- .../salesforce-events/ingest/parser.yml | 9 +++ .../tests/salesforce_complete_event.json | 6 +- .../tests/salesforce_complete_event_1.json | 6 +- .../tests/salesforce_login_event.json | 9 +++ .../tests/salesforce_login_event_1.json | 69 +++++++++++++++++++ .../tests/session_integrity.json | 14 ++-- 6 files changed, 107 insertions(+), 6 deletions(-) create mode 100644 Salesforce/salesforce-events/tests/salesforce_login_event_1.json diff --git a/Salesforce/salesforce-events/ingest/parser.yml b/Salesforce/salesforce-events/ingest/parser.yml index 01b66855f..54db25d6c 100644 --- a/Salesforce/salesforce-events/ingest/parser.yml +++ b/Salesforce/salesforce-events/ingest/parser.yml @@ -147,6 +147,14 @@ stages: user.name: "{{json_event.output.USERNAME}}" filter: "{{json_event.output.USERNAME != None}}" + - set: + user.name: "{{json_event.output.USER_NAME}}" + filter: "{{json_event.output.USER_NAME != None and '@' not in json_event.output.USER_NAME}}" + + - set: + user.email: "{{json_event.output.USER_NAME}}" + filter: "{{json_event.output.USER_NAME != None and '@' in json_event.output.USER_NAME}}" + - set: user.email: "{{json_event.output.USER}}" filter: "{{json_event.output.USER != None}}" @@ -201,6 +209,7 @@ stages: tls.cipher: "{{json_event.output.CIPHER_SUITE}}" tls.version: "{{json_event.output.TLS_PROTOCOL}}" + url.original: "{{json_event.output.LOGIN_URL}}" host.id: "{{json_event.output.DEVICE_ID}}" host.os.name: "{{json_event.output.OS_NAME}}" host.os.version: "{{json_event.output.OS_VERSION}}" diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event.json b/Salesforce/salesforce-events/tests/salesforce_complete_event.json index 03b6811ee..ceeb7b881 100644 --- a/Salesforce/salesforce-events/tests/salesforce_complete_event.json 
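Review bot: `url.original` is filled from LOGIN_URL in the second hunk while `url.path` (set elsewhere in this stage, outside the hunk) comes from URI, so one `url` object now mixes two different URLs; the new fixture shows `url.original: test.my.salesforce.com` beside `url.path: /services/oauth2/token`. LOGIN_URL is a host with or without a scheme (`https://login.salesforce.com` in one fixture, `test.my.salesforce.com` in the other), so URL decomposition yields url.domain only in the scheme-bearing case and nothing in the other. A vendor field such as `salesforce.login.url: "{{json_event.output.LOGIN_URL}}"`, or `url.domain` derived from it after stripping any scheme, would keep the url.* fields coherent. In the first hunk, routing USER_NAME to `user.email` whenever it contains `@` assumes a Salesforce username is a mailbox; Salesforce usernames are email-formatted but need not be deliverable addresses, so `user.name` may be the safer target for both branches.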
+++ b/Salesforce/salesforce-events/tests/salesforce_complete_event.json @@ -45,6 +45,9 @@ "related": { "ip": [ "1.2.3.4" + ], + "user": [ + "test_user" ] }, "salesforce": { @@ -119,7 +122,8 @@ "query": "queryParam1=val1&queryParam2=val2" }, "user": { - "id": "00530000009M943" + "id": "00530000009M943", + "name": "test_user" }, "user_agent": { "device": { diff --git a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json index 051638d22..89c90352a 100644 --- a/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json +++ b/Salesforce/salesforce-events/tests/salesforce_complete_event_1.json @@ -45,6 +45,9 @@ "related": { "ip": [ "1.2.3.4" + ], + "user": [ + "test_user" ] }, "salesforce": { @@ -115,7 +118,8 @@ "path": "/sObject/0064100000JXITSAA5/view" }, "user": { - "id": "00530000009M943" + "id": "00530000009M943", + "name": "test_user" }, "user_agent": { "name": "Chrome", diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event.json b/Salesforce/salesforce-events/tests/salesforce_login_event.json index e87c6f5a9..7719dc746 100644 --- a/Salesforce/salesforce-events/tests/salesforce_login_event.json +++ b/Salesforce/salesforce-events/tests/salesforce_login_event.json @@ -28,6 +28,15 @@ "address": "192.168.0.1", "ip": "192.168.0.1" }, + "url": { + "domain": "login.salesforce.com", + "original": "https://login.salesforce.com", + "port": 443, + "registered_domain": "salesforce.com", + "scheme": "https", + "subdomain": "login", + "top_level_domain": "com" + }, "user": { "email": "john.doe@example.com" } diff --git a/Salesforce/salesforce-events/tests/salesforce_login_event_1.json b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json new file mode 100644 index 000000000..ed22aefee --- /dev/null +++ b/Salesforce/salesforce-events/tests/salesforce_login_event_1.json 
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}" + }, + "expected": { + "message": 
"{\"EVENT_TYPE\":\"Login\",\"TIMESTAMP\":\"20241026044641.024\",\"REQUEST_ID\":\"request_id_test\",\"ORGANIZATION_ID\":\"ORG_ID_TEST\",\"USER_ID\":\"USER_ID_TEST\",\"RUN_TIME\":\"47\",\"CPU_TIME\":\"12\",\"URI\":\"/services/oauth2/token\",\"SESSION_KEY\":\"\",\"LOGIN_KEY\":\"xxxxxxxxxxxxx\",\"USER_TYPE\":\"Standard\",\"REQUEST_STATUS\":\"\",\"DB_TOTAL_TIME\":\"29963703\",\"LOGIN_TYPE\":\"i\",\"BROWSER_TYPE\":\"python-requests/2.28.0\",\"API_TYPE\":\"\",\"API_VERSION\":\"9998.0\",\"USER_NAME\":\"user.integration@test.com\",\"TLS_PROTOCOL\":\"TLSv1.3\",\"CIPHER_SUITE\":\"TLS_AES_256_GCM_SHA384\",\"LOGIN_URL\":\"test.my.salesforce.com\",\"AUTHENTICATION_METHOD_REFERENCE\":\"\",\"LOGIN_SUB_TYPE\":\"oauthclientcredentials\",\"AUTHENTICATION_SERVICE_ID\":\"\",\"TIMESTAMP_DERIVED\":\"2024-10-26T04:46:41.024Z\",\"USER_ID_DERIVED\":\"USER_ID_TEST_IA4\",\"CLIENT_IP\":\"1.2.3.4\",\"URI_ID_DERIVED\":\"\",\"LOGIN_STATUS\":\"LOGIN_NO_ERROR\",\"SOURCE_IP\":\"1.2.3.4\",\"FORWARDED_FOR_IP\":\"\"}", + "event": { + "category": [ + "authentication" + ], + "dataset": "Login", + "type": [ + "start" + ] + }, + "@timestamp": "2034-02-21T02:43:24.464103Z", + "organization": { + "id": "ORG_ID_TEST" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "salesforce": { + "api": { + "version": "9998.0" + }, + "login": { + "key": "xxxxxxxxxxxxx", + "status": "LOGIN_NO_ERROR", + "sub_type": "oauthclientcredentials" + }, + "request": { + "id": "request_id_test" + }, + "user": { + "type": "Standard" + } + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "tls": { + "cipher": "TLS_AES_256_GCM_SHA384", + "version": "TLSv1.3" + }, + "url": { + "original": "test.my.salesforce.com", + "path": "/services/oauth2/token" + }, + "user": { + "email": "user.integration@test.com", + "id": "USER_ID_TEST" + }, + "user_agent": { + "device": { + "name": "Other" + }, + "name": "Python Requests", + "original": "python-requests/2.28.0", + "os": { + "name": "Other" + }, + "version": "2.28" + } + } +} \ 
No newline at end of file diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 39e8a6363..1c01481e9 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json @@ -6,13 +6,19 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": ["session"], + "category": [ + "session" + ], "dataset": "session_integrity", "outcome": "failure", - "type": ["info"] + "type": [ + "info" + ] }, "related": { - "user": ["adm@CORP.NET@1.1.1.1"] + "user": [ + "adm@CORP.NET@1.1.1.1" + ] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -21,4 +27,4 @@ "type": "SSH_SHELL_SESSION" } } -} +} \ No newline at end of file From 8ae4ab6122886eb074acbfd38cfba1780259d7f1 Mon Sep 17 00:00:00 2001 From: "vladyslav.guriev" Date: Tue, 12 Nov 2024 13:21:11 +0200 Subject: [PATCH 05/10] rollback other --- Wallix/wallix-bastion/tests/session_integrity.json | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/Wallix/wallix-bastion/tests/session_integrity.json b/Wallix/wallix-bastion/tests/session_integrity.json index 1c01481e9..39e8a6363 100644 --- a/Wallix/wallix-bastion/tests/session_integrity.json +++ b/Wallix/wallix-bastion/tests/session_integrity.json 
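Review bot: The expected `@timestamp` of `2034-02-21T02:43:24.464103Z` cannot be right for this event, whose input carries `TIMESTAMP_DERIVED` `2024-10-26T04:46:41.024Z` and `TIMESTAMP` `20241026044641.024`; the fixture freezes a timestamp roughly ten years in the future, which would place the event outside every retention and correlation window. The timestamp stage is not in this diff, but the value looks like the raw `TIMESTAMP` digits being interpreted as an epoch rather than as `yyyyMMddHHmmss.SSS`. The expectation should be `"@timestamp": "2024-10-26T04:46:41.024000Z"`, and the parser should take TIMESTAMP_DERIVED or parse TIMESTAMP with the correct pattern.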
@@ -6,19 +6,13 @@ "message": "[sessionintegrity] session_uid=\"1830c403be7caf0c00505688c380\" status=\"failed\" type=\"SSH_SHELL_SESSION\" user=\"adm@CORP.NET@1.1.1.1\" target=\"domain@local@target01.corp.net:SSH_1\" begin=\"2022-08-19 11:31:17\" end=\"2022-08-19 11:32:50\" files=[/var/wab/remote/recorded/ssh/2022-08-19/182b5714b466cba10050568e16d9,adm@CORP.NET@1.1.1.1,domain@target01.corp.net,20220819-113117,foo-bastion-bar.corp.net,1805.ttyrec]", "event": { "action": "SSH_SHELL_SESSION", - "category": [ - "session" - ], + "category": ["session"], "dataset": "session_integrity", "outcome": "failure", - "type": [ - "info" - ] + "type": ["info"] }, "related": { - "user": [ - "adm@CORP.NET@1.1.1.1" - ] + "user": ["adm@CORP.NET@1.1.1.1"] }, "user": { "name": "adm@CORP.NET@1.1.1.1" @@ -27,4 +21,4 @@ "type": "SSH_SHELL_SESSION" } } -} \ No newline at end of file +} From 7de6200578c1e1cf707f61343f99b60d962cdf82 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 12 Nov 2024 16:54:59 +0100 Subject: [PATCH 06/10] [Improvement] microsoft 365 / office 365 logs : Addition of operation properties --- .vscode/settings.json | 22 +++++ .../microsoft-365-defender/_meta/fields.yml | 5 + .../microsoft-365-defender/ingest/parser.yml | 15 +++ .../tests/test_cloud_app3.json | 6 ++ Office 365/o365/_meta/fields.yml | 6 ++ Office 365/o365/ingest/parser.yml | 15 +++ Office 365/o365/tests/clientipadress.json | 6 ++ .../o365/tests/exchange_item_aggregated.json | 6 ++ .../o365/tests/operation_properties_01.json | 91 +++++++++++++++++++ .../o365/tests/operation_properties_02.json | 88 ++++++++++++++++++ 10 files changed, 260 insertions(+) create mode 100644 .vscode/settings.json create mode 100644 Office 365/o365/tests/operation_properties_01.json create mode 100644 Office 365/o365/tests/operation_properties_02.json diff --git a/.vscode/settings.json b/.vscode/settings.json new file mode 100644 index 000000000..b92839d53 --- /dev/null +++ b/.vscode/settings.json 
@@ -0,0 +1,22 @@ +{ + "workbench.colorCustomizations": { + "activityBar.activeBackground": "#65c89b", + "activityBar.background": "#65c89b", + "activityBar.foreground": "#15202b", + "activityBar.inactiveForeground": "#15202b99", + "activityBarBadge.background": "#945bc4", + "activityBarBadge.foreground": "#e7e7e7", + "commandCenter.border": "#15202b99", + "sash.hoverBorder": "#65c89b", + "statusBar.background": "#42b883", + "statusBar.foreground": "#15202b", + "statusBarItem.hoverBackground": "#359268", + "statusBarItem.remoteBackground": "#42b883", + "statusBarItem.remoteForeground": "#15202b", + "titleBar.activeBackground": "#42b883", + "titleBar.activeForeground": "#15202b", + "titleBar.inactiveBackground": "#42b88399", + "titleBar.inactiveForeground": "#15202b99" + }, + "peacock.color": "#42b883" +} \ No newline at end of file diff --git a/Microsoft/microsoft-365-defender/_meta/fields.yml b/Microsoft/microsoft-365-defender/_meta/fields.yml index 3a95175de..f69ef372d 100644 --- a/Microsoft/microsoft-365-defender/_meta/fields.yml +++ b/Microsoft/microsoft-365-defender/_meta/fields.yml @@ -777,6 +777,11 @@ microsoft.defender.observer.interface.type: name: microsoft.defender.observer.interface.type type: keyword +microsoft.defender.operation.properties: + description: Additional properties of the operation + name: microsoft.defender.operation.properties + type: object + microsoft.defender.report.id: description: Unique identifier for the event name: microsoft.defender.report.id diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index f22b21ce1..39d179145 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
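Review bot: `.vscode/settings.json` holds one developer's Peacock colour customizations (`workbench.colorCustomizations`, `peacock.color`) and nothing the project needs; it is unrelated to the operation-properties change and should be dropped from this patch. Committing it also makes every other contributor's editor adopt those colours. Adding `.vscode/` to `.gitignore` would keep it from recurring.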
@@ -259,6 +259,21 @@ stages: - set: network.protocol: "{{json_event.message.properties.RequestProtocol or json_event.message.properties.Protocol}}" filter: '{{json_event.message.properties.get("RequestProtocol") != None or (json_event.message.properties.get("Protocol") != None and json_event.message.properties.Protocol != "Negotiate")}}' + - set: + microsoft.defender.operation.properties: > + { + {%- for property in json_event.message.properties.RawEventData.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' + set_alert_evidence_fields: actions: - set: diff --git a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json index d60cc39a1..764942b33 100644 --- a/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json +++ b/Microsoft/microsoft-365-defender/tests/test_cloud_app3.json @@ -84,6 +84,12 @@ ], "type": "Run" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "report": { "id": "98261974_20893_f747c19c-0664-45c8-aac9-8f16e7714de1" } diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 96bb48e86..190ce038e 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,6 +408,12 @@ office365.logon_error: name: office365.logon_error type: keyword + +office365.operation.properties: + description: A list of objects describing the operation + name: office365.operation.properties + type: object + office365.record_type: description: The type of the operation name: office365.record_type 
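Review bot: The new `microsoft.defender.operation.properties` template builds JSON by pasting `property.Name` and `property.Value` from the event between hand-written quotes, so a value containing a double quote or backslash (RuleCondition is a free-form filter expression, per the o365 fixtures in this series) produces malformed JSON, and a crafted Name can close the string and inject extra keys — JSON built by string concatenation from untrusted input. Delegating escaping to the serializer avoids both: `{{property.Name | tojson}}: {{property.Value | tojson}},` in the string branch, assuming the engine exposes Jinja's `tojson`. The `property.Value != null` test uses `null`, which is not a Jinja literal (the `!= None` filter on the line above this hunk is the file's convention); it only works because an undefined `null` and a missing Value both render as undefined. `{%- if property.Value is defined and property.Value != None -%}` says what is meant. The trailing comma left after the last property is evidently tolerated by whatever parses this, going by the fixture, but a `loop.last` check would make the output strict JSON.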
diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 62a4098df..879592c7b 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -118,6 +118,21 @@ stages: office365.audit.object_id: "{{json_event.message.ObjectId}}" office365.virus_info: "{{json_event.message.VirusInfo}}" office365.virus_vendor: "{{json_event.message.VirusVendor}}" + - set: + office365.operation.properties: > + { + {%- for property in json_event.message.OperationProperties -%} + {%- if property.Value != null -%} + {%- if property.Value | from_json == None -%} + "{{property.Name}}":"{{property.Value}}", + {%- else -%} + "{{property.Name}}": {{property.Value | from_json}}, + {%- endif -%} + {%- endif -%} + {%- endfor -%} + } + filter: '{{json_event.message.get("OperationProperties") != None}}' + - translate: dictionary: 0: "Regular" diff --git a/Office 365/o365/tests/clientipadress.json b/Office 365/o365/tests/clientipadress.json index c20107759..8555c1c9d 100644 --- a/Office 365/o365/tests/clientipadress.json +++ b/Office 365/o365/tests/clientipadress.json @@ -23,6 +23,12 @@ "target": "user" }, "office365": { + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { diff --git a/Office 365/o365/tests/exchange_item_aggregated.json b/Office 365/o365/tests/exchange_item_aggregated.json index 11cbfdefc..c15d8da5b 100644 --- a/Office 365/o365/tests/exchange_item_aggregated.json +++ b/Office 365/o365/tests/exchange_item_aggregated.json @@ -20,6 +20,12 @@ "context": { "aad_session_id": "dcdad6b2-f279-48c6-9ed8-3df0ffde4ece" }, + "operation": { + "properties": { + "IsThrottled": "False", + "MailAccessType": "Bind" + } + }, "record_type": 50, "result_status": "Succeeded", "user_type": { 
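Review bot: `office365.operation.properties` is assembled by interpolating `property.Name` and `property.Value` between hand-written quotes, so a Value holding `"` or `\` — RuleCondition in the new fixtures is an arbitrary filter expression — yields malformed JSON that will most likely fail to parse and lose the whole object, and a Name can close the string and add keys. `{{property.Name | tojson}}: {{property.Value | tojson}},` in the string branch hands escaping to the serializer, if the engine exposes `tojson`. `property.Value != null` relies on `null` being an undefined name (this file otherwise compares with `!= None`, as in the `get("OperationProperties") != None` filter right below); `{%- if property.Value is defined and property.Value != None -%}` states the intent. The Defender parser in this series carries the same template, so whichever fix is chosen should be applied to both.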
diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json new file mode 100644 index 000000000..8354f4415 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -0,0 +1,91 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-28T10:34:13Z", + "action": { + "id": 2, + "name": "UpdateInboxRules", + "outcome": "success", + "target": "user" + 
}, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "john.doe@mail.fr", + "user@email.fr", + "asmithee@mailbox.fr", + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(Exists(ItemClass))}", + "RuleId": -123, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3-4", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json new file mode 100644 index 000000000..7f11fadc3 --- /dev/null +++ b/Office 365/o365/tests/operation_properties_02.json 
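Review bot: The expectation pins `"RuleId": -123` as a number, a side effect of the parser's `from_json` probe accepting any value that happens to parse; the sibling fixture operation_properties_02.json carries `RuleId` `4561233110666051585`, which exceeds 2^53 and loses precision in any double-based consumer, and a non-numeric RuleId would land as a string, so the field's type varies from event to event. RuleId is an identifier, not a quantity, and should stay a string; limiting the probe to values that parse to a list or object (the RuleActions case that motivated it) and changing the expectation here to `"RuleId": "-123"` would fix both. The parser change lives in the earlier hunk of this patch, not in this fixture.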
@@ -0,0 +1,88 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" + } + }, + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + }, + "expected": { + "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", + "event": { + "action": "UpdateInboxRules", + "category": [ + "email", + "file" + ], + "code": "2", + "outcome": "success", + "type": [ + "info" + ] + }, + "@timestamp": "2024-10-23T12:26:18Z", + "action": { + "id": 2, + "name": 
"UpdateInboxRules", + "outcome": "success", + "target": "user" + }, + "office365": { + "context": { + "aad_session_id": "xxxx-xxx-xxx-xxxx" + }, + "exchange": { + "mailbox_guid": "xxxx-xxx-xxx-xxxx" + }, + "operation": { + "properties": { + "RuleActions": [ + { + "ActionType": "Forward", + "ForwardFlags": "None", + "Recipients": [ + "user.name@mail.fr" + ] + } + ], + "RuleCondition": "{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}", + "RuleId": 4561233110666051585, + "RuleOperation": "ModifyMailboxRule", + "RuleProvider": "RuleOrganizer", + "RuleState": "Enabled" + } + }, + "record_type": 2, + "result_status": "Succeeded", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "xxxx-xxx-xxx-xxxx" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@mail.fr" + ] + }, + "service": { + "name": "Exchange" + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "user": { + "email": "john.doe@mail.fr", + "id": "S-1-2-3", + "name": "john.doe@mail.fr" + } + } +} \ No newline at end of file From a4fd269ed55b824e5c811577722dce79d9611c29 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 12 Nov 2024 16:58:53 +0100 Subject: [PATCH 07/10] fix on linting --- Microsoft/microsoft-365-defender/ingest/parser.yml | 2 +- Office 365/o365/_meta/fields.yml | 1 - Office 365/o365/ingest/parser.yml | 2 +- Office 365/o365/tests/operation_properties_01.json | 4 ++-- Office 365/o365/tests/operation_properties_02.json | 4 ++-- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/Microsoft/microsoft-365-defender/ingest/parser.yml b/Microsoft/microsoft-365-defender/ingest/parser.yml index 39d179145..2a8b6655f 100644 --- a/Microsoft/microsoft-365-defender/ingest/parser.yml +++ b/Microsoft/microsoft-365-defender/ingest/parser.yml 
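Review bot: The expected block pins `"RuleId": 4561233110666051585` as a JSON number even though the raw audit record carries it as the string `"4561233110666051585"`; that value is above 2^53, so any IEEE-754 consumer (a JavaScript front end, jq, most JSON tooling) rounds it, and exact matches on `office365.operation.properties.RuleId` in detection rules or correlation of successive edits to the same forwarding rule silently break. Keep the original string, i.e. expect `"RuleId": "4561233110666051585"` here, and drop the numeric conversion in the OperationProperties template stage (apparently the `{%- endfor -%}` loop touched by the later lint patch, outside this hunk). Related: `_meta/fields.yml` still describes `office365.operation.properties` as "A list of objects describing the operation", whereas the shape asserted here is one object keyed by property name, so that description should say something like `Operation properties keyed by property name; values that are JSON strings (e.g. RuleActions) are parsed`. The raw record also carries `RuleName` without a `Value` and it is absent from the parsed properties, which is reasonable but should be stated in the same field description.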
@@ -273,7 +273,7 @@ stages: {%- endfor -%} } filter: '{{json_event.message.properties.RawEventData.get("OperationProperties") != None}}' - + set_alert_evidence_fields: actions: - set: diff --git a/Office 365/o365/_meta/fields.yml b/Office 365/o365/_meta/fields.yml index 190ce038e..02c13a28b 100644 --- a/Office 365/o365/_meta/fields.yml +++ b/Office 365/o365/_meta/fields.yml @@ -408,7 +408,6 @@ office365.logon_error: name: office365.logon_error type: keyword - office365.operation.properties: description: A list of objects describing the operation name: office365.operation.properties diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index 879592c7b..b65d6f8e6 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml @@ -132,7 +132,7 @@ stages: {%- endfor -%} } filter: '{{json_event.message.get("OperationProperties") != None}}' - + - translate: dictionary: 0: "Regular" diff --git a/Office 365/o365/tests/operation_properties_01.json b/Office 365/o365/tests/operation_properties_01.json index 8354f4415..790c6b45f 100644 --- a/Office 365/o365/tests/operation_properties_01.json +++ b/Office 365/o365/tests/operation_properties_01.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + } }, "expected": { "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-28T10:34:13\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"xxxx-xxx-xxx-xxxx\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.17328.20550\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":2,\"LogonUserSid\":\"S-1-2-3-4\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerMasterAccountSid\":\"S-1-2-3\",\"MailboxOwnerSid\":\"S-1-2-3-4-5\",\"MailboxOwnerUPN\":\"owner@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"-123\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(Exists(ItemClass))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"john.doe@mail.fr\\\",\\\"user@email.fr\\\",\\\"asmithee@mailbox.fr\\\",\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"ID12345\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"ID12345\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", diff --git a/Office 365/o365/tests/operation_properties_02.json b/Office 365/o365/tests/operation_properties_02.json index 7f11fadc3..3c91bcb5d 100644 --- a/Office 365/o365/tests/operation_properties_02.json +++ b/Office 365/o365/tests/operation_properties_02.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", "sekoiaio": { "intake": { "dialect": "Microsoft 365 / Office 365", "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" } - }, - "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}" + } }, "expected": { "message": 
"{\"AppAccessContext\":{},\"CreationTime\":\"2024-10-23T12:26:18\",\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Operation\":\"UpdateInboxRules\",\"OrganizationId\":\"xxxx-xxx-xxx-xxxx\",\"RecordType\":2,\"ResultStatus\":\"Succeeded\",\"UserKey\":\"123456\",\"UserType\":0,\"Version\":1,\"Workload\":\"Exchange\",\"ClientIP\":\"1.2.3.4\",\"UserId\":\"john.doe@mail.fr\",\"ClientIPAddress\":\"1.2.3.4\",\"ClientInfoString\":\"Client=xxxx-xxx-xxx-xxxx\",\"ClientProcessName\":\"PROCESS.EXE\",\"ClientRequestId\":\"{xxxx-xxx-xxx-xxxx}\",\"ClientVersion\":\"16.0.16731.20456\",\"ExternalAccess\":false,\"InternalLogonType\":0,\"LogonType\":0,\"LogonUserSid\":\"S-1-2-3\",\"MailboxGuid\":\"xxxx-xxx-xxx-xxxx\",\"MailboxOwnerSid\":\"S-1-2-3\",\"MailboxOwnerUPN\":\"john.doe@mail.fr\",\"OperationProperties\":[{\"Name\":\"RuleOperation\",\"Value\":\"ModifyMailboxRule\"},{\"Name\":\"RuleId\",\"Value\":\"4561233110666051585\"},{\"Name\":\"RuleState\",\"Value\":\"Enabled\"},{\"Name\":\"RuleCondition\",\"Value\":\"{(&(([RssServerLockStartTime=1, =r, =noreply-wham@mail.fr, DisplayType=0], ((SenderSearchKey Equal SMTP:NOREPLY-WHAM@MAIL.FR)))(SubString IgnoreCase(SubjectProperty)=WHAM)))}\"},{\"Name\":\"RuleName\"},{\"Name\":\"RuleProvider\",\"Value\":\"RuleOrganizer\"},{\"Name\":\"RuleActions\",\"Value\":\"[{\\\"ActionType\\\":\\\"Forward\\\",\\\"Recipients\\\":[\\\"user.name@mail.fr\\\"],\\\"ForwardFlags\\\":\\\"None\\\"}]\"}],\"OrganizationName\":\"organization.name.com\",\"OriginatingServer\":\"Origin Server\\r\\n\",\"SessionId\":\"xxxx-xxx-xxx-xxxx\",\"Item\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"ImmutableId\":\"ErrorDuringIdConversion\",\"ParentFolder\":{\"Id\":\"xxxx-xxx-xxx-xxxx\",\"Name\":\"Bo\u00eete de r\u00e9ception\",\"Path\":\"\\\\Bo\u00eete de r\u00e9ception\"}}}", From 2c5909d2a02678580e98ccee0e606360c9ca9b9a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 12 Nov 2024 17:01:51 +0100 Subject: [PATCH 08/10] Delete .vscode/settings.json Delete a unnecessary file --- .vscode/settings.json | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .vscode/settings.json diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index b92839d53..000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,22 +0,0 @@ -{ - "workbench.colorCustomizations": { - "activityBar.activeBackground": "#65c89b", - "activityBar.background": "#65c89b", - "activityBar.foreground": "#15202b", - "activityBar.inactiveForeground": "#15202b99", - "activityBarBadge.background": "#945bc4", - "activityBarBadge.foreground": "#e7e7e7", - "commandCenter.border": "#15202b99", - "sash.hoverBorder": "#65c89b", - "statusBar.background": "#42b883", - "statusBar.foreground": "#15202b", - "statusBarItem.hoverBackground": "#359268", - "statusBarItem.remoteBackground": "#42b883", - "statusBarItem.remoteForeground": "#15202b", - "titleBar.activeBackground": "#42b883", - "titleBar.activeForeground": "#15202b", - "titleBar.inactiveBackground": "#42b88399", - "titleBar.inactiveForeground": "#15202b99" - }, - "peacock.color": "#42b883" -} \ No newline at end of file From 99b7d065b680791ad270f5eb80aa0b40480c6650 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 14 Nov 2024 09:20:57 +0100 Subject: [PATCH 09/10] fix(OCSF): fix destination.ip --- OCSF/ocsf/ingest/parser.yml | 4 +- OCSF/ocsf/tests/test_network_activity_7.json | 42 ++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 OCSF/ocsf/tests/test_network_activity_7.json diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml index 765a6a76d..e43994811 100644 --- a/OCSF/ocsf/ingest/parser.yml +++ b/OCSF/ocsf/ingest/parser.yml 
@@ -567,9 +567,11 @@ stages:
 destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}"
 filter: "{{ parse_event.message.dst_endpoint.get('hostname') != None }}"
 - set:
- destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
 destination.mac: "{{ parse_event.message.dst_endpoint.mac }}"
 destination.port: "{{ parse_event.message.dst_endpoint.port }}"
+ - set:
+ destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
+ filter: "{{ parse_event.message.dst_endpoint.ip | is_ipaddress }}"
 - set:
 network.application: "{{ parse_event.message.dst_endpoint.svc_name }}"
 filter: "{{ parse_event.message.dst_endpoint.get('svc_name') != None }}"
diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json
new file mode 100644
index 000000000..271c6e7a2
--- /dev/null
+++ b/OCSF/ocsf/tests/test_network_activity_7.json
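Review bot: The new `is_ipaddress` guard covers only `destination.ip`, yet the fixture added with this commit carries `"ip":"-"` in `src_endpoint` as well as `dst_endpoint`; if the source side of this stage (outside the hunk) still sets `source.ip` unconditionally, it needs the mirror `filter: "{{ parse_event.message.src_endpoint.ip | is_ipaddress }}"`. The `network.application` set directly below keeps `get('svc_name') != None`, which accepts the same `"-"` placeholder; the new fixture's expected block has no `network.application`, so either something later drops it or that check should become `not in (None, "-")` — worth confirming which. That fixture also exercises only the negative path (its expected block simply omits `destination.ip`), so a regression that filtered out every address would still pass unless an earlier `test_network_activity_*` fixture asserts a populated `destination.ip`; if none does, add one. A comment above the new set, `# dst_endpoint.ip is "-" on VPC Flow Logs NODATA records and may be absent; map only real addresses`, would record why the guard exists.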
@@ -0,0 +1,42 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "OCSF [BETA]", + "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" + } + }, + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n" + }, + "expected": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", + "event": { + "action": "unknown", + "category": [ + "network" + ], + "end": "2024-11-13T20:24:18Z", + "kind": "event", + "severity": 1, + "start": "2024-11-13T20:23:47Z", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-13T20:23:47Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "euw3-az1", + "provider": "AWS", + "region": "eu-west-3" + }, + "ocsf": { + "activity_id": 0, + "activity_name": "Unknown", + "class_name": "Network Activity", + "class_uid": 4001 + } + } +} \ No 
newline at end of file From b2374d10776dfee644f3660f54064d4ce87002b8 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Thu, 14 Nov 2024 09:23:57 +0100 Subject: [PATCH 10/10] fix(OCSF): apply linter --- OCSF/ocsf/tests/test_network_activity_7.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json index 271c6e7a2..c6192eda7 100644 --- a/OCSF/ocsf/tests/test_network_activity_7.json +++ b/OCSF/ocsf/tests/test_network_activity_7.json 
@@ -1,12 +1,12 @@ { "input": { + "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n", "sekoiaio": { "intake": { "dialect": "OCSF [BETA]", "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5" } - }, - "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n" + } }, "expected": { "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon 
VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n",