From 89e096703a1ac929aa8047b96d6d433ef3a7faf7 Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia <135212489+lvoloshyn-sekoia@users.noreply.github.com>
Date: Wed, 11 Dec 2024 16:53:49 +0200
Subject: [PATCH] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Sébastien Quioc
---
 .../_meta/manifest.yml | 2 +-
 .../ingest/parser.yml | 73 +++++++++----------
 2 files changed, 37 insertions(+), 38 deletions(-)
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
index 937879bc0..5a63e0082 100644
--- a/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/manifest.yml
@@ -1,5 +1,5 @@
 uuid: 2345b987-a94a-4363-b7bc-a6e4a9efd98a
-name: Trend Micro Vision One OAT
+name: Trend Micro Vision One OAT [BETA]
 slug: trend-micro-vision-one-oat
 description: >-
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
index 0dc189228..ca5137a4b 100644
--- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -14,7 +14,6 @@ stages:
 set_ecs_fields:
 actions:
 - set:
- event.kind: alert
 event.category: ["intrusion_detection"]
 event.type: ["info"]
 observer.vendor: "TrendMicro"
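Review bot: Removing `event.kind: alert` leaves the `set` action with no `event.kind` at all while `event.category` on the next line still declares `intrusion_detection`, so any downstream rule or dashboard that selects detections on `event.kind == alert` will stop matching these records, and nothing in the hunk records why that is acceptable. If the intent is that OAT records are observations rather than alerts, a one-line comment above `event.category` would make the decision explicit, e.g. `# event.kind deliberately unset: OAT records are observations, not alerts`. The `set:` mapping of the `set_ecs_fields` stage continues past the end of this hunk.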
@@ -27,47 +26,47 @@ stages:
 host.ip: "{{parsed_event.message.endpoint.ips}}"
 agent.id: "{{parsed_event.message.endpoint.agentGuid}}"
- event.start: "{{parsed_event.message.details.firstSeen}}"
- event.end: "{{parsed_event.message.details.lastSeen}}"
+ event.start: "{{parsed_event.message.detail.firstSeen}}"
+ event.end: "{{parsed_event.message.detail.lastSeen}}"
- host.id: "{{parsed_event.message.details.endpointGuid}}"
- host.os.name: "{{parsed_event.message.details.osName}}"
- host.os.version: "{{parsed_event.message.details.osVer}}"
- host.os.full: "{{parsed_event.message.details.osDescription}}"
+ host.id: "{{parsed_event.message.detail.endpointGuid}}"
+ host.os.name: "{{parsed_event.message.detail.osName}}"
+ host.os.version: "{{parsed_event.message.detail.osVer}}"
+ host.os.full: "{{parsed_event.message.detail.osDescription}}"
- process.name: "{{parsed_event.message.details.processName or parsed_event.message.details.ObjectName}}"
- process.parent.pid: "{{parsed_event.message.details.processPid}}"
- process.parent.user.name: "{{parsed_event.message.details.processUser}}"
- process.parent.user.domain: "{{parsed_event.message.details.processUserDomain}}"
- process.parent.start: "{{parsed_event.message.details.processLaunchTime}}"
- process.parent.command_line: "{{parsed_event.message.details.processCmd}}"
- process.parent.executable: "{{parsed_event.message.details.processFilePath}}"
- process.parent.hash.sha1: "{{parsed_event.message.details.processFileHashSha1}}"
- process.parent.hash.sha256: "{{parsed_event.message.details.processFileHashSha256}}"
- process.parent.hash.md5: "{{parsed_event.message.details.processFileHashMd5}}"
- process.parent.parent.name: "{{parsed_event.message.details.parentName}}"
- process.parent.parent.executable: "{{parsed_event.message.details.parentFilePath}}"
- process.parent.parent.command_line: "{{parsed_event.message.details.parentCmd}}"
- process.parent.parent.pid: "{{parsed_event.message.details.parentPid}}"
- process.parent.parent.start: "{{parsed_event.message.details.parentLaunchTime}}"
- process.parent.parent.hash.sha1: "{{parsed_event.message.details.parentFileHashSha1}}"
- process.parent.parent.hash.sha256: "{{parsed_event.message.details.parentFileHashSha256}}"
- process.parent.parent.hash.md5: "{{parsed_event.message.details.parentFileHashMd5}}"
- process.parent.parent.user.name: "{{parsed_event.message.details.parentUser}}"
- process.parent.parent.user.domain: "{{parsed_event.message.details.parentUserDomain}}"
+ process.name: "{{parsed_event.message.detail.processName or parsed_event.message.detail.ObjectName}}"
+ process.parent.pid: "{{parsed_event.message.detail.processPid}}"
+ process.parent.user.name: "{{parsed_event.message.detail.processUser}}"
+ process.parent.user.domain: "{{parsed_event.message.detail.processUserDomain}}"
+ process.parent.start: "{{parsed_event.message.detail.processLaunchTime}}"
+ process.parent.command_line: "{{parsed_event.message.detail.processCmd}}"
+ process.parent.executable: "{{parsed_event.message.detail.processFilePath}}"
+ process.parent.hash.sha1: "{{parsed_event.message.detail.processFileHashSha1}}"
+ process.parent.hash.sha256: "{{parsed_event.message.detail.processFileHashSha256}}"
+ process.parent.hash.md5: "{{parsed_event.message.detail.processFileHashMd5}}"
+ process.parent.parent.name: "{{parsed_event.message.detail.parentName}}"
+ process.parent.parent.executable: "{{parsed_event.message.detail.parentFilePath}}"
+ process.parent.parent.command_line: "{{parsed_event.message.detail.parentCmd}}"
+ process.parent.parent.pid: "{{parsed_event.message.detail.parentPid}}"
+ process.parent.parent.start: "{{parsed_event.message.detail.parentLaunchTime}}"
+ process.parent.parent.hash.sha1: "{{parsed_event.message.detail.parentFileHashSha1}}"
+ process.parent.parent.hash.sha256: "{{parsed_event.message.detail.parentFileHashSha256}}"
+ process.parent.parent.hash.md5: "{{parsed_event.message.detail.parentFileHashMd5}}"
+ process.parent.parent.user.name: "{{parsed_event.message.detail.parentUser}}"
+ process.parent.parent.user.domain: "{{parsed_event.message.detail.parentUserDomain}}"
- group.id: "{{parsed_event.message.details.groupId}}"
- action.properties.ScriptBlockText: "{{parsed_event.message.details.objectRawDataStr}}"
+ group.id: "{{parsed_event.message.detail.groupId}}"
+ action.properties.ScriptBlockText: "{{parsed_event.message.detail.objectRawDataStr}}"
- user.name: "{{parsed_event.message.details.objectUser}}"
- user.domain: "{{parsed_event.message.details.objectUserDomain}}"
+ user.name: "{{parsed_event.message.detail.objectUser}}"
+ user.domain: "{{parsed_event.message.detail.objectUserDomain}}"
- process.pid: "{{parsed_event.message.details.objectPid}}"
- process.command_line: "{{parsed_event.message.details.objectCmd}}"
- process.executable: "{{parsed_event.message.details.ObjectFilePath}}"
- process.hash.md5: "{{parsed_event.message.details.ObjectFileHashMd5}}"
- process.hash.sha1: "{{parsed_event.message.details.ObjectFileHashSha1}}"
- process.hash.sha256: "{{parsed_event.message.details.ObjectFileHashSha256}}"
+ process.pid: "{{parsed_event.message.detail.objectPid}}"
+ process.command_line: "{{parsed_event.message.detail.objectCmd}}"
+ process.executable: "{{parsed_event.message.detail.ObjectFilePath}}"
+ process.hash.md5: "{{parsed_event.message.detail.ObjectFileHashMd5}}"
+ process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
+ process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
 threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
 threat.technique.id: >
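Review bot: The new lines for `process.name`, `process.executable` and the three `process.hash.*` fields read `detail.ObjectName`, `detail.ObjectFilePath` and `detail.ObjectFileHashMd5/Sha1/Sha256` with an upper-case `O`, while the sibling lookups `objectPid`, `objectCmd`, `objectUser`, `objectUserDomain` and `objectRawDataStr` are lower-case; the `details` to `detail` rename carried that mixed casing over unchanged. If the upstream `detail` payload names these keys in lower camel case throughout, the capitalised lookups will resolve to nothing and the executable path and file hashes of the observed process will silently be empty, which is exactly the evidence an analyst needs from an OAT record. This is worth checking against a real sample or the parser's test fixture before the beta ships, and if the lower-case form is correct the five lines should become `detail.objectName`, `detail.objectFilePath`, `detail.objectFileHashMd5`, `detail.objectFileHashSha1`, `detail.objectFileHashSha256`. The `set:` mapping these keys belong to starts before this hunk.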