Merge branch 'main' into update/haproxy-support-aktci

SEKOIA-IO · Dec 10, 2024 · 85456a0 · 85456a0
2 parents e7c2918 + 525a164
commit 85456a0
Show file tree

Hide file tree

Showing 27 changed files with 962 additions and 4 deletions.
diff --git a/CybeReason/malop-json/_meta/manifest.yml b/CybeReason/malop-json/_meta/manifest.yml
@@ -1,7 +1,7 @@
 uuid: 9f89b634-0531-437b-b060-a9d9f2d270db
 name: Cybereason EDR
 slug: cybereason-malop-json
-automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002
+automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf
 automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf
 
 description: >-

diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml
@@ -1,11 +1,11 @@
 uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f
-name: Microsoft 365 Defender
+name: Microsoft Defender XDR / Microsoft 365 Defender
 slug: microsoft-365-defender
 automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef
 automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac
 
 description: >-
-  Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
+  Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
 
   Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
 

diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -626,7 +626,7 @@ pipeline:
           AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
           REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
           REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
-          REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}"
+          REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
           REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
           REASON5: 'authenticated for user %{WORD:user}\.   auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
     filter: '{{parsed_event.message.get("EventDescription") != None}}'

diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json
@@ -0,0 +1,74 @@
+{
+  "input": {
+    "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Palo Alto NGFW",
+        "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd"
+      }
+    }
+  },
+  "expected": {
+    "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00",
+    "event": {
+      "category": [
+        "authentication"
+      ],
+      "dataset": "system",
+      "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'",
+      "type": [
+        "start"
+      ]
+    },
+    "@timestamp": "2024-11-26T21:10:01.627000Z",
+    "action": {
+      "name": "auth-success",
+      "type": "auth"
+    },
+    "destination": {
+      "address": "1.7.4.2",
+      "ip": "1.7.4.2"
+    },
+    "log": {
+      "hostname": "FWPAN00",
+      "level": "informational",
+      "logger": "system"
+    },
+    "observer": {
+      "name": "FWPAN00",
+      "product": "PAN-OS",
+      "serial_number": "02410100000000"
+    },
+    "paloalto": {
+      "DGHierarchyLevel1": "0",
+      "DGHierarchyLevel2": "0",
+      "DGHierarchyLevel3": "0",
+      "DGHierarchyLevel4": "0",
+      "EventID": "auth-success",
+      "Threat_ContentType": "auth",
+      "authetification": {
+        "profile": "FWPA"
+      },
+      "server": {
+        "profile": "RADIUS_RSA"
+      },
+      "vsys": "shared"
+    },
+    "related": {
+      "ip": [
+        "1.2.5.5",
+        "1.7.4.2"
+      ],
+      "user": [
+        "test000555"
+      ]
+    },
+    "source": {
+      "address": "1.2.5.5",
+      "ip": "1.2.5.5"
+    },
+    "user": {
+      "name": "test000555"
+    }
+  }
+}
diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml
@@ -0,0 +1,39 @@
+sentinelone.identity.attackSurfaces:
+  description: ''
+  name: sentinelone.identity.attackSurfaces
+  type: keyword
+
+sentinelone.identity.classification:
+  description: ''
+  name: sentinelone.identity.classification
+  type: keyword
+
+sentinelone.identity.confidenceLevel:
+  description: ''
+  name: sentinelone.identity.confidenceLevel
+  type: keyword
+
+sentinelone.identity.id:
+  description: ''
+  name: sentinelone.identity.id
+  type: keyword
+
+sentinelone.identity.name:
+  description: ''
+  name: sentinelone.identity.name
+  type: keyword
+
+sentinelone.identity.result:
+  description: ''
+  name: sentinelone.identity.result
+  type: keyword
+
+sentinelone.identity.status:
+  description: ''
+  name: sentinelone.identity.status
+  type: keyword
+
+sentinelone.identity.storyLineId:
+  description: ''
+  name: sentinelone.identity.storyLineId
+  type: keyword
diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png
diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml
@@ -0,0 +1,11 @@
+uuid: b502e522-6996-4b12-9538-f69326b68243
+name: SentinelOne Singularity Identity [ALPHA]
+slug: sentinelone-singularity-identity
+automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a
+automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464
+
+description: >-
+  SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats.
+
+data_sources:
+  Application logs: activites performed on SentinelOne infrastructure are logged
diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json
@@ -0,0 +1,46 @@
+[
+  {
+    "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      },
+      {
+        "field": "sentinelone.identity.status"
+      },
+      {
+        "field": "process.command_line"
+      }
+    ]
+  },
+  {
+    "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      },
+      {
+        "field": "sentinelone.identity.status"
+      }
+    ]
+  },
+  {
+    "value": "Alert defined {sentinelone.identity.name} on {process.command_line}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      },
+      {
+        "field": "process.command_line"
+      }
+    ]
+  },
+  {
+    "value": "Alert defined {sentinelone.identity.name}",
+    "conditions": [
+      {
+        "field": "sentinelone.identity.name"
+      }
+    ]
+  }
+]
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
@@ -0,0 +1,67 @@
+name: identity
+pipeline:
+  - name: json_event
+    external:
+      name: json.parse-json
+      properties:
+        input_field: "{{original.message}}"
+
+  - name: detected_at
+    filter: "{{json_event.message.detectedAt != null}}"
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{json_event.message.detectedAt}}"
+        output_field: timestamp
+
+  - name: started_at
+    filter: "{{json_event.message.firstSeenAt != null}}"
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{json_event.message.firstSeenAt}}"
+        output_field: timestamp
+
+  - name: last_seen_at
+    filter: "{{json_event.message.lastSeenAt != null}}"
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{json_event.message.lastSeenAt}}"
+        output_field: timestamp
+
+  - name: set_meta_fields
+stages:
+  set_meta_fields:
+    actions:
+      - set:
+          event.kind: "alert"
+          event.category: "intrusion_detection"
+          event.type: "info"
+          observer.vendor: "SentinelOne"
+          observer.product: "Singularity Identity"
+
+          "@timestamp": "{{detected_at.timestamp}}"
+          event.start: "{{started_at.timestamp}}"
+          event.end: "{{last_seen_at.timestamp}}"
+
+          event.provider: "{{json_event.message.detectionSource.product}}"
+          event.reason: "{{json_event.message.description}}"
+
+          process.command_line: "{{json_event.message.process.cmdLine}}"
+          process.parent.name: "{{json_event.message.process.parentName}}"
+
+          process.executable: "{{json_event.message.process.file.path}}"
+          process.name: "{{json_event.message.process.file.path | basename}}"
+          process.hash.sha1: "{{json_event.message.process.file.sha1}}"
+          process.hash.sha256: "{{json_event.message.process.file.sha256}}"
+          process.hash.md5: "{{json_event.message.process.file.md5}}"
+
+          sentinelone.identity.id: "{{json_event.message.id}}"
+          sentinelone.identity.name: "{{json_event.message.name}}"
+          sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
+          sentinelone.identity.status: "{{json_event.message.status}}"
+          sentinelone.identity.classification: "{{json_event.message.classification}}"
+          sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
+          sentinelone.identity.result: "{{json_event.message.result}}"
+          sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json
@@ -0,0 +1,47 @@
+{
+  "input": {
+    "message": "{\n  \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n  \"name\": \"Domain Controller Discovery Detected\",\n  \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n  \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n  \"attackSurfaces\": [\n    \"IDENTITY\"\n  ],\n  \"detectionSource\": {\n    \"product\": \"Identity\"\n  },\n  \"status\": \"NEW\",\n  \"assignee\": null,\n  \"classification\": \"ENUMERATION\",\n  \"confidenceLevel\": \"MALICIOUS\",\n  \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n  \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n  \"process\": {\n    \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n    \"file\": {\n      \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n      \"sha1\": null,\n      \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n      \"md5\": null\n    },\n    \"parentName\": null\n  },\n  \"result\": null,\n  \"storylineId\": null\n}"
+  },
+  "expected": {
+    "message": "{\n  \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n  \"name\": \"Domain Controller Discovery Detected\",\n  \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n  \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n  \"attackSurfaces\": [\n    \"IDENTITY\"\n  ],\n  \"detectionSource\": {\n    \"product\": \"Identity\"\n  },\n  \"status\": \"NEW\",\n  \"assignee\": null,\n  \"classification\": \"ENUMERATION\",\n  \"confidenceLevel\": \"MALICIOUS\",\n  \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n  \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n  \"process\": {\n    \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n    \"file\": {\n      \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n      \"sha1\": null,\n      \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n      \"md5\": null\n    },\n    \"parentName\": null\n  },\n  \"result\": null,\n  \"storylineId\": null\n}",
+    "event": {
+      "category": "intrusion_detection",
+      "end": "2024-11-22T05:35:09Z",
+      "kind": "alert",
+      "provider": "Identity",
+      "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.",
+      "start": "2024-11-22T05:35:09Z",
+      "type": "info"
+    },
+    "@timestamp": "2024-11-22T05:35:09Z",
+    "observer": {
+      "product": "Singularity Identity",
+      "vendor": "SentinelOne"
+    },
+    "process": {
+      "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain",
+      "executable": "c:\\windows\\system32\\net1.exe",
+      "hash": {
+        "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
+      },
+      "name": "net1.exe"
+    },
+    "related": {
+      "hash": [
+        "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398"
+      ]
+    },
+    "sentinelone": {
+      "identity": {
+        "attackSurfaces": [
+          "IDENTITY"
+        ],
+        "classification": "ENUMERATION",
+        "confidenceLevel": "MALICIOUS",
+        "id": "ba485919-e4c1-4496-9e2f-feb320f6841a",
+        "name": "Domain Controller Discovery Detected",
+        "status": "NEW"
+      }
+    }
+  }
+}
diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json
@@ -0,0 +1,34 @@
+{
+  "input": {
+    "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}"
+  },
+  "expected": {
+    "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}",
+    "event": {
+      "category": "intrusion_detection",
+      "end": "2024-11-22T09:09:48.731000Z",
+      "kind": "alert",
+      "provider": "Identity",
+      "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.",
+      "start": "2024-11-22T09:09:48.731000Z",
+      "type": "info"
+    },
+    "@timestamp": "2024-11-22T09:09:48.731000Z",
+    "observer": {
+      "product": "Singularity Identity",
+      "vendor": "SentinelOne"
+    },
+    "sentinelone": {
+      "identity": {
+        "attackSurfaces": [
+          "IDENTITY"
+        ],
+        "classification": "UNKNOWN",
+        "confidenceLevel": "MALICIOUS",
+        "id": "01935322-7b49-71f0-89e0-f52562c26e53",
+        "name": "Brute force attack - Mass Account Lockout",
+        "status": "NEW"
+      }
+    }
+  }
+}