Apply suggestions from code review

Co-authored-by: Sébastien Quioc <[email protected]>
SEKOIA-IO · Dec 11, 2024 · 89e0967 · 89e0967
1 parent af8de4c
commit 89e0967
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 38 deletions.
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
@@ -1,5 +1,5 @@
 uuid: 2345b987-a94a-4363-b7bc-a6e4a9efd98a
-name: Trend Micro Vision One OAT
+name: Trend Micro Vision One OAT [BETA]
 slug: trend-micro-vision-one-oat
 
 description: >-

diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -14,7 +14,6 @@ stages:
   set_ecs_fields:
     actions:
       - set:
-          event.kind: alert
           event.category: ["intrusion_detection"]
           event.type: ["info"]
           observer.vendor: "TrendMicro"
@@ -27,47 +26,47 @@ stages:
           host.ip: "{{parsed_event.message.endpoint.ips}}"
 
           agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
-          event.start: "{{parsed_event.message.details.firstSeen}}"
-          event.end: "{{parsed_event.message.details.lastSeen}}"
+          event.start: "{{parsed_event.message.detail.firstSeen}}"
+          event.end: "{{parsed_event.message.detail.lastSeen}}"
 
-          host.id: "{{parsed_event.message.details.endpointGuid}}"
-          host.os.name: "{{parsed_event.message.details.osName}}"
-          host.os.version: "{{parsed_event.message.details.osVer}}"
-          host.os.full: "{{parsed_event.message.details.osDescription}}"
+          host.id: "{{parsed_event.message.detail.endpointGuid}}"
+          host.os.name: "{{parsed_event.message.detail.osName}}"
+          host.os.version: "{{parsed_event.message.detail.osVer}}"
+          host.os.full: "{{parsed_event.message.detail.osDescription}}"
 
-          process.name: "{{parsed_event.message.details.processName or parsed_event.message.details.ObjectName}}"
-          process.parent.pid: "{{parsed_event.message.details.processPid}}"
-          process.parent.user.name: "{{parsed_event.message.details.processUser}}"
-          process.parent.user.domain: "{{parsed_event.message.details.processUserDomain}}"
-          process.parent.start: "{{parsed_event.message.details.processLaunchTime}}"
-          process.parent.command_line: "{{parsed_event.message.details.processCmd}}"
-          process.parent.executable: "{{parsed_event.message.details.processFilePath}}"
-          process.parent.hash.sha1: "{{parsed_event.message.details.processFileHashSha1}}"
-          process.parent.hash.sha256: "{{parsed_event.message.details.processFileHashSha256}}"
-          process.parent.hash.md5: "{{parsed_event.message.details.processFileHashMd5}}"
-          process.parent.parent.name: "{{parsed_event.message.details.parentName}}"
-          process.parent.parent.executable: "{{parsed_event.message.details.parentFilePath}}"
-          process.parent.parent.command_line: "{{parsed_event.message.details.parentCmd}}"
-          process.parent.parent.pid: "{{parsed_event.message.details.parentPid}}"
-          process.parent.parent.start: "{{parsed_event.message.details.parentLaunchTime}}"
-          process.parent.parent.hash.sha1: "{{parsed_event.message.details.parentFileHashSha1}}"
-          process.parent.parent.hash.sha256: "{{parsed_event.message.details.parentFileHashSha256}}"
-          process.parent.parent.hash.md5: "{{parsed_event.message.details.parentFileHashMd5}}"
-          process.parent.parent.user.name: "{{parsed_event.message.details.parentUser}}"
-          process.parent.parent.user.domain: "{{parsed_event.message.details.parentUserDomain}}"
+          process.name: "{{parsed_event.message.detail.processName or parsed_event.message.detail.ObjectName}}"
+          process.parent.pid: "{{parsed_event.message.detail.processPid}}"
+          process.parent.user.name: "{{parsed_event.message.detail.processUser}}"
+          process.parent.user.domain: "{{parsed_event.message.detail.processUserDomain}}"
+          process.parent.start: "{{parsed_event.message.detail.processLaunchTime}}"
+          process.parent.command_line: "{{parsed_event.message.detail.processCmd}}"
+          process.parent.executable: "{{parsed_event.message.detail.processFilePath}}"
+          process.parent.hash.sha1: "{{parsed_event.message.detail.processFileHashSha1}}"
+          process.parent.hash.sha256: "{{parsed_event.message.detail.processFileHashSha256}}"
+          process.parent.hash.md5: "{{parsed_event.message.detail.processFileHashMd5}}"
+          process.parent.parent.name: "{{parsed_event.message.detail.parentName}}"
+          process.parent.parent.executable: "{{parsed_event.message.detail.parentFilePath}}"
+          process.parent.parent.command_line: "{{parsed_event.message.detail.parentCmd}}"
+          process.parent.parent.pid: "{{parsed_event.message.detail.parentPid}}"
+          process.parent.parent.start: "{{parsed_event.message.detail.parentLaunchTime}}"
+          process.parent.parent.hash.sha1: "{{parsed_event.message.detail.parentFileHashSha1}}"
+          process.parent.parent.hash.sha256: "{{parsed_event.message.detail.parentFileHashSha256}}"
+          process.parent.parent.hash.md5: "{{parsed_event.message.detail.parentFileHashMd5}}"
+          process.parent.parent.user.name: "{{parsed_event.message.detail.parentUser}}"
+          process.parent.parent.user.domain: "{{parsed_event.message.detail.parentUserDomain}}"
 
-          group.id: "{{parsed_event.message.details.groupId}}"
-          action.properties.ScriptBlockText: "{{parsed_event.message.details.objectRawDataStr}}"
+          group.id: "{{parsed_event.message.detail.groupId}}"
+          action.properties.ScriptBlockText: "{{parsed_event.message.detail.objectRawDataStr}}"
 
-          user.name: "{{parsed_event.message.details.objectUser}}"
-          user.domain: "{{parsed_event.message.details.objectUserDomain}}"
+          user.name: "{{parsed_event.message.detail.objectUser}}"
+          user.domain: "{{parsed_event.message.detail.objectUserDomain}}"
 
-          process.pid: "{{parsed_event.message.details.objectPid}}"
-          process.command_line: "{{parsed_event.message.details.objectCmd}}"
-          process.executable: "{{parsed_event.message.details.ObjectFilePath}}"
-          process.hash.md5: "{{parsed_event.message.details.ObjectFileHashMd5}}"
-          process.hash.sha1: "{{parsed_event.message.details.ObjectFileHashSha1}}"
-          process.hash.sha256: "{{parsed_event.message.details.ObjectFileHashSha256}}"
+          process.pid: "{{parsed_event.message.detail.objectPid}}"
+          process.command_line: "{{parsed_event.message.detail.objectCmd}}"
+          process.executable: "{{parsed_event.message.detail.ObjectFilePath}}"
+          process.hash.md5: "{{parsed_event.message.detail.ObjectFileHashMd5}}"
+          process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
+          process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
 
           threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
           threat.technique.id: >