Merge branch 'main' into fix.EfficientIP

SEKOIA-IO · Jan 2, 2025 · 9f172d0 · 9f172d0
2 parents abee119 + b80833c
commit 9f172d0
Show file tree

Hide file tree

Showing 19 changed files with 418 additions and 13 deletions.
diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml
@@ -1,3 +1,23 @@
+bitdefender.gravityzone.application_control.block_type:
+  description: Type of block detected by Bitdefender GravityZone Application Control.
+  name: bitdefender.gravityzone.application_control.block_type
+  type: keyword
+
+bitdefender.gravityzone.application_control.detection_count:
+  description: Number of detections by Bitdefender GravityZone Application Control.
+  name: bitdefender.gravityzone.application_control.detection_count
+  type: long
+
+bitdefender.gravityzone.application_control.type:
+  description: Type of application control detected by Bitdefender GravityZone.
+  name: bitdefender.gravityzone.application_control.type
+  type: keyword
+
+bitdefender.gravityzone.data.categories:
+  description: Data categories detected by Bitdefender GravityZone.
+  name: bitdefender.gravityzone.data.categories
+  type: keyword
+
 bitdefender.gravityzone.exploit.type:
   description: Exploit type detected by Bitdefender GravityZone.
   name: bitdefender.gravityzone.exploit.type

diff --git a/Bitdefender/gravityzone/_meta/manifest.yml b/Bitdefender/gravityzone/_meta/manifest.yml
@@ -9,3 +9,4 @@ data_sources:
   Authentication logs:
   Network device logs:
   File monitoring:
+automation_module_uuid: 26277889-b91b-46d0-8bac-7f6b2f6fb9a3
diff --git a/Bitdefender/gravityzone/ingest/parser.yml b/Bitdefender/gravityzone/ingest/parser.yml
@@ -8,7 +8,7 @@ pipeline:
     external:
       name: date.parse
       properties:
-        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}"
+        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}"
         output_field: datetime
 
   - name: set_event_fields
@@ -67,14 +67,14 @@ stages:
           "device-control": ["host"]
           "ransomware-mitigation": ["intrusion_detection"]
           "new-incident": ["process"]
+          "uc": ["web"]
         mapping:
           parse_event.message.BitdefenderGZModule: event.category
         filter: "{{parse_event.message.BitdefenderGZModule != None}}"
 
   set_ecs_fields:
     actions:
       - set:
-          "@timestamp": "{{parsed_date.datetime}}"
           host.ip: "{{parse_event.message.dvc}}"
           host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}"
           destination.user.name: "{{parse_event.message.duser}}"
@@ -94,8 +94,24 @@ stages:
           observer.vendor: "{{parse_event.message.DeviceVendor}}"
           observer.product: "{{parse_event.message.DeviceProduct}}"
           observer.version: "{{parse_event.message.DeviceVersion}}"
+          bitdefender.gravityzone.application_control.block_type: "{{parse_event.message.BitdefenderGZApplicationControlBlockType}}"
+          bitdefender.gravityzone.application_control.type: "{{parse_event.message.BitdefenderGZApplicationControlType}}"
+          bitdefender.gravityzone.application_control.detection_count: "{{parse_event.message.cnt}}"
+          bitdefender.gravityzone.data.categories: "{{parse_event.message.BitdefenderGZDataCategories}}"
           bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}"
 
+      - set:
+          "@timestamp": "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('eventdate') != None or parse_event.message.get('BitdefenderGZDetectionTime') != None}}"
+
+      - set:
+          event.start: "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('start') != None}}"
+
+      - set:
+          event.end: "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('end') != None}}"
+
       - set:
           file.path: "{{parse_event.message.filePath}}"
         filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}"

diff --git a/Bitdefender/gravityzone/tests/login_1.json b/Bitdefender/gravityzone/tests/login_1.json
@@ -9,6 +9,7 @@
         "authentication"
       ],
       "severity": 3,
+      "start": "2024-06-11T11:34:56Z",
       "type": [
         "start"
       ]

diff --git a/Bitdefender/gravityzone/tests/uc_event.json b/Bitdefender/gravityzone/tests/uc_event.json
@@ -0,0 +1,65 @@
+{
+  "input": {
+    "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 [email protected] suid=S-1-5-21-1111111111-222222222-3333333333-500",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Bitdefender GravityZone [BETA]",
+        "dialect_uuid": "d11df984-840d-4c29-a6dc-b9195c3a24e3"
+      }
+    }
+  },
+  "expected": {
+    "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 [email protected] suid=S-1-5-21-1111111111-222222222-3333333333-500",
+    "event": {
+      "action": "uc_site_blocked",
+      "category": [
+        "web"
+      ],
+      "end": "2024-12-16T12:34:33Z",
+      "module": "uc",
+      "severity": 9,
+      "type": [
+        "info"
+      ]
+    },
+    "bitdefender": {
+      "gravityzone": {
+        "application_control": {
+          "block_type": "http_categories",
+          "detection_count": 1,
+          "type": "http"
+        },
+        "data": {
+          "categories": "Ads"
+        }
+      }
+    },
+    "host": {
+      "ip": "1.2.3.4",
+      "name": "example.test.local"
+    },
+    "observer": {
+      "product": "GravityZone",
+      "vendor": "Bitdefender",
+      "version": "6.40.1-1"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "[email protected]"
+      ]
+    },
+    "source": {
+      "user": {
+        "id": "S-1-5-21-1111111111-222222222-3333333333-500",
+        "name": "[email protected]"
+      }
+    },
+    "url": {
+      "original": "external-content.domain.com/ip3/www.test_request.com",
+      "path": "external-content.domain.com/ip3/www.test_request.com"
+    }
+  }
+}
diff --git a/Fortinet/fortigate/_meta/smart-descriptions.json b/Fortinet/fortigate/_meta/smart-descriptions.json
@@ -24,6 +24,31 @@
       }
     ]
   },
+  {
+    "value": "{source.ip} connected to {destination.ip}:{destination.port}",
+    "conditions": [
+      {
+        "field": "action.outcome",
+        "value": "success"
+      },
+      {
+        "field": "source.ip"
+      },
+      {
+        "field": "destination.ip"
+      },
+      {
+        "field": "destination.port"
+      }
+    ],
+    "relationships": [
+      {
+        "source": "source.ip",
+        "target": "destination.ip",
+        "type": "connected to"
+      }
+    ]
+  },
   {
     "value": "{source.ip} was denied a connection to {destination.ip}:{destination.port}",
     "conditions": [

diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
@@ -241,6 +241,7 @@ stages:
           fortinet.fortigate.policyid: "{{parsed_event.message.policyid}}"
           fortinet.fortigate.poluuid: "{{parsed_event.message.poluuid}}"
           network.forwarded_ip: "{{parsed_event.message.forwardedfor}}"
+          group.name: "{{parsed_event.message.group or parsed_event.message.FTNTFGTgroup}}"
 
       - set:
           fortinet.fortigate.poluuid: "{{parsed_event.message.uuid}}"

diff --git a/Fortinet/fortigate/tests/test_group_field.json b/Fortinet/fortigate/tests/test_group_field.json
@@ -0,0 +1,92 @@
+{
+  "input": {
+    "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\"",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Fortinet FortiGate",
+        "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
+      }
+    }
+  },
+  "expected": {
+    "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\"",
+    "event": {
+      "action": "client-rst",
+      "category": "traffic",
+      "code": "0000000011",
+      "dataset": "traffic:forward",
+      "outcome": "success",
+      "timezone": "+0100"
+    },
+    "@timestamp": "2024-12-26T08:35:30.361753Z",
+    "action": {
+      "name": "client-rst",
+      "outcome": "success",
+      "target": "network-traffic",
+      "type": "forward"
+    },
+    "destination": {
+      "address": "5.6.7.8",
+      "bytes": 52,
+      "ip": "5.6.7.8",
+      "nat": {
+        "ip": "1.2.3.4"
+      },
+      "packets": 1,
+      "port": 443
+    },
+    "fortinet": {
+      "fortigate": {
+        "event": {
+          "type": "traffic"
+        },
+        "policyid": "1018",
+        "poluuid": "38fa6456-a819-51ef-3c99-000000000000000000",
+        "virtual_domain": "EFF"
+      }
+    },
+    "log": {
+      "hostname": "eee-111-111-ff-11",
+      "level": "notice"
+    },
+    "network": {
+      "bytes": 152,
+      "protocol": "https",
+      "transport": "tcp"
+    },
+    "observer": {
+      "egress": {
+        "interface": {
+          "name": "EFF-DMZ-0000"
+        }
+      },
+      "hostname": "eee-111-111-ff-11",
+      "ingress": {
+        "interface": {
+          "name": "EFF-WAN-0000"
+        }
+      },
+      "serial_number": "FG00000000000000"
+    },
+    "related": {
+      "hosts": [
+        "eee-111-111-ff-11"
+      ],
+      "ip": [
+        "1.2.3.4",
+        "5.6.7.8"
+      ]
+    },
+    "rule": {
+      "category": "unscanned",
+      "ruleset": "policy"
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "bytes": 100,
+      "ip": "1.2.3.4",
+      "packets": 2,
+      "port": 10000
+    }
+  }
+}
diff --git a/Fortinet/fortigate/tests/test_group_field_1.json b/Fortinet/fortigate/tests/test_group_field_1.json
@@ -0,0 +1,105 @@
+{
+  "input": {
+    "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"[email protected]\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\"",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Fortinet FortiGate",
+        "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981"
+      }
+    }
+  },
+  "expected": {
+    "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"[email protected]\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\"",
+    "event": {
+      "action": "close",
+      "category": "traffic",
+      "code": "0000000010",
+      "dataset": "traffic:forward",
+      "outcome": "success",
+      "timezone": "+0100"
+    },
+    "@timestamp": "2024-12-24T00:26:41.620000Z",
+    "action": {
+      "name": "close",
+      "outcome": "success",
+      "target": "network-traffic",
+      "type": "forward"
+    },
+    "destination": {
+      "address": "5.6.5.7",
+      "bytes": 7900,
+      "ip": "5.6.5.7",
+      "packets": 29,
+      "port": 80
+    },
+    "fortinet": {
+      "fortigate": {
+        "event": {
+          "type": "traffic"
+        },
+        "policyid": "274",
+        "poluuid": "ac8ed64c-54e7-51eb-3525-d610000000000",
+        "virtual_domain": "root"
+      }
+    },
+    "group": {
+      "name": "TEST-SAML"
+    },
+    "log": {
+      "hostname": "FFF00D_TEST02",
+      "level": "notice"
+    },
+    "network": {
+      "bytes": 26700,
+      "protocol": "http",
+      "transport": "tcp"
+    },
+    "observer": {
+      "egress": {
+        "interface": {
+          "name": "VPNM-TEST"
+        }
+      },
+      "hostname": "FFF00D_TEST02",
+      "ingress": {
+        "interface": {
+          "name": "ssl.root"
+        }
+      },
+      "serial_number": "FGT3HD300000000"
+    },
+    "related": {
+      "hosts": [
+        "FFF00D_TEST02"
+      ],
+      "ip": [
+        "1.0.5.8",
+        "1.2.3.4",
+        "5.6.5.7"
+      ],
+      "user": [
+        "[email protected]"
+      ]
+    },
+    "rule": {
+      "category": "unscanned",
+      "ruleset": "policy"
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "bytes": 18800,
+      "ip": "1.2.3.4",
+      "nat": {
+        "ip": "1.0.5.8"
+      },
+      "packets": 30,
+      "port": 50000,
+      "user": {
+        "name": "[email protected]"
+      }
+    },
+    "user": {
+      "name": "[email protected]"
+    }
+  }
+}