diff --git a/CybeReason/malop-json/_meta/manifest.yml b/CybeReason/malop-json/_meta/manifest.yml index f1b4f8074..e4cdd5419 100644 --- a/CybeReason/malop-json/_meta/manifest.yml +++ b/CybeReason/malop-json/_meta/manifest.yml @@ -1,7 +1,7 @@ uuid: 9f89b634-0531-437b-b060-a9d9f2d270db name: Cybereason EDR slug: cybereason-malop-json -automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002 +automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf description: >- diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md index 60e2c8a26..9896476a3 100644 --- a/HAProxy/haproxy/CHANGELOG.md +++ b/HAProxy/haproxy/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2024-12.04 - 1.0.1 + +- Add support for aktci at the end of the log + ## 2024-03.04 - 1.0.0 ### Added diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index 98783cd3d..557604c8a 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml @@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}' - name: json filter: "{{grok.message.json_msg | length > 0}}" diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json new file mode 100644 index 000000000..89630f6bc --- /dev/null +++ b/HAProxy/haproxy/tests/access4.json @@ -0,0 +1,45 @@ +{ + "input": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "sekoiaio": { + "intake": { + "dialect": "HAProxy", + "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9" + } + } + }, + "expected": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 611f3c079..902363c55 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 5050c7429..34535641b 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -142,6 +142,10 @@ stages: organization.id: "{{json_event.message.tenant}}" url.original: "{{json_event.message.details_url_request.url}}" + - set: + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}" + filter: "{{json_event.message.agents | length > 0}}" + network_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index 94e83a1fd..ce1d2faa4 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -13,6 +13,9 @@ "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0 diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index dcab41c28..bed91707b 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -13,6 +13,10 @@ "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3 diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml index 1c858333a..d2e9192ce 100644 --- a/Microsoft/microsoft-365-defender/_meta/manifest.yml +++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml @@ -1,11 +1,11 @@ uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f -name: Microsoft 365 Defender +name: Microsoft Defender XDR / Microsoft 365 Defender slug: microsoft-365-defender automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac description: >- - Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. + Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 944713355..c6cf58abe 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -626,7 +626,7 @@ pipeline: AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}" REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}' REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}" - REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}" + REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?" REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}" REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.' filter: '{{parsed_event.message.get("EventDescription") != None}}' diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json new file mode 100644 index 000000000..b4429340a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json @@ -0,0 +1,74 @@ +{ + "input": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-26T21:10:01.627000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.2", + "ip": "1.7.4.2" + }, + "log": { + "hostname": "FWPAN00", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN00", + "product": "PAN-OS", + "serial_number": "02410100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FWPA" + }, + "server": { + "profile": "RADIUS_RSA" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.5.5", + "1.7.4.2" + ], + "user": [ + "test000555" + ] + }, + "source": { + "address": "1.2.5.5", + "ip": "1.2.5.5" + }, + "user": { + "name": "test000555" + } + } +} \ No newline at end of file diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml index 239ce01d4..c10d3c444 100644 --- a/Pradeo/pradeo-mtd/ingest/parser.yml +++ b/Pradeo/pradeo-mtd/ingest/parser.yml @@ -176,16 +176,16 @@ stages: pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}" pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}" pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}" - pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}" - pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}" - pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}" - pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}" - pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}" - pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}" - pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}" - pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}" - pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}" - pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}" + pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}" + pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}" + pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}" + pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}" + pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}" + pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}" + pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}" + pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}" + pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}" + pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}" - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}' set: event.category: ["process"] diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json new file mode 100644 index 000000000..916f71473 --- /dev/null +++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json @@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": "DeviceApplicationComplianceUpdated" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644 index 000000000..62320459c --- /dev/null +++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json @@ -0,0 +1,96 @@ +{ + "input": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}" + }, + "expected": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + "agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/CHANGELOG.md b/SentinelOne/identity/CHANGELOG.md new file mode 100644 index 000000000..11bddf32c --- /dev/null +++ b/SentinelOne/identity/CHANGELOG.md @@ -0,0 +1,8 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## [Unreleased] diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml new file mode 100644 index 000000000..36e8acf65 --- /dev/null +++ b/SentinelOne/identity/_meta/fields.yml @@ -0,0 +1,39 @@ +sentinelone.identity.attackSurfaces: + description: '' + name: sentinelone.identity.attackSurfaces + type: keyword + +sentinelone.identity.classification: + description: '' + name: sentinelone.identity.classification + type: keyword + +sentinelone.identity.confidenceLevel: + description: '' + name: sentinelone.identity.confidenceLevel + type: keyword + +sentinelone.identity.id: + description: '' + name: sentinelone.identity.id + type: keyword + +sentinelone.identity.name: + description: '' + name: sentinelone.identity.name + type: keyword + +sentinelone.identity.result: + description: '' + name: sentinelone.identity.result + type: keyword + +sentinelone.identity.status: + description: '' + name: sentinelone.identity.status + type: keyword + +sentinelone.identity.storyLineId: + description: '' + name: sentinelone.identity.storyLineId + type: keyword diff --git a/SentinelOne/identity/_meta/logo.png b/SentinelOne/identity/_meta/logo.png new file mode 100644 index 000000000..817c84f53 Binary files /dev/null and b/SentinelOne/identity/_meta/logo.png differ diff --git a/SentinelOne/identity/_meta/manifest.yml b/SentinelOne/identity/_meta/manifest.yml new file mode 100644 index 000000000..e8b52a2d5 --- /dev/null +++ b/SentinelOne/identity/_meta/manifest.yml @@ -0,0 +1,11 @@ +uuid: b502e522-6996-4b12-9538-f69326b68243 +name: SentinelOne Singularity Identity [ALPHA] +slug: sentinelone-singularity-identity +automation_connector_uuid: 2d772558-821d-4663-87bd-af28bbb8415a +automation_module_uuid: ff675e74-e5c1-47c8-a571-d207fc297464 + +description: >- + SentinelOne Singularity Identity is a cybersecurity solution that provides identity protection and zero-trust security by continuously monitoring and analyzing user behaviors to detect and prevent potential threats. + +data_sources: + Application logs: activites performed on SentinelOne infrastructure are logged diff --git a/SentinelOne/identity/_meta/smart-descriptions.json b/SentinelOne/identity/_meta/smart-descriptions.json new file mode 100644 index 000000000..e09c5db80 --- /dev/null +++ b/SentinelOne/identity/_meta/smart-descriptions.json @@ -0,0 +1,46 @@ +[ + { + "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status} on {process.command_line}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "sentinelone.identity.status" + }, + { + "field": "process.command_line" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name} with status {sentinelone.identity.status}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "sentinelone.identity.status" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name} on {process.command_line}", + "conditions": [ + { + "field": "sentinelone.identity.name" + }, + { + "field": "process.command_line" + } + ] + }, + { + "value": "Alert defined {sentinelone.identity.name}", + "conditions": [ + { + "field": "sentinelone.identity.name" + } + ] + } +] diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml new file mode 100644 index 000000000..90577404d --- /dev/null +++ b/SentinelOne/identity/ingest/parser.yml @@ -0,0 +1,67 @@ +name: identity +pipeline: + - name: json_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + + - name: detected_at + filter: "{{json_event.message.detectedAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.detectedAt}}" + output_field: timestamp + + - name: started_at + filter: "{{json_event.message.firstSeenAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.firstSeenAt}}" + output_field: timestamp + + - name: last_seen_at + filter: "{{json_event.message.lastSeenAt != null}}" + external: + name: date.parse + properties: + input_field: "{{json_event.message.lastSeenAt}}" + output_field: timestamp + + - name: set_meta_fields +stages: + set_meta_fields: + actions: + - set: + event.kind: "alert" + event.category: "intrusion_detection" + event.type: "info" + observer.vendor: "SentinelOne" + observer.product: "Singularity Identity" + + "@timestamp": "{{detected_at.timestamp}}" + event.start: "{{started_at.timestamp}}" + event.end: "{{last_seen_at.timestamp}}" + + event.provider: "{{json_event.message.detectionSource.product}}" + event.reason: "{{json_event.message.description}}" + + process.command_line: "{{json_event.message.process.cmdLine}}" + process.parent.name: "{{json_event.message.process.parentName}}" + + process.executable: "{{json_event.message.process.file.path}}" + process.name: "{{json_event.message.process.file.path | basename}}" + process.hash.sha1: "{{json_event.message.process.file.sha1}}" + process.hash.sha256: "{{json_event.message.process.file.sha256}}" + process.hash.md5: "{{json_event.message.process.file.md5}}" + + sentinelone.identity.id: "{{json_event.message.id}}" + sentinelone.identity.name: "{{json_event.message.name}}" + sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}" + sentinelone.identity.status: "{{json_event.message.status}}" + sentinelone.identity.classification: "{{json_event.message.classification}}" + sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}" + sentinelone.identity.result: "{{json_event.message.result}}" + sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}" diff --git a/SentinelOne/identity/tests/test_alert_1.json b/SentinelOne/identity/tests/test_alert_1.json new file mode 100644 index 000000000..8d5dcf96a --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_1.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n \"id\": \"ba485919-e4c1-4496-9e2f-feb320f6841a\",\n \"name\": \"Domain Controller Discovery Detected\",\n \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\",\n \"detectedAt\": \"2024-11-22T05:35:09.000Z\",\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"status\": \"NEW\",\n \"assignee\": null,\n \"classification\": \"ENUMERATION\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"firstSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"lastSeenAt\": \"2024-11-22T05:35:09.000Z\",\n \"process\": {\n \"cmdLine\": \"C:\\\\Windows\\\\system32\\\\net1 group \\\"Domain Controllers\\\" /domain\",\n \"file\": {\n \"path\": \"c:\\\\windows\\\\system32\\\\net1.exe\",\n \"sha1\": null,\n \"sha256\": \"18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398\",\n \"md5\": null\n },\n \"parentName\": null\n },\n \"result\": null,\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T05:35:09Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T05:35:09Z", + "type": "info" + }, + "@timestamp": "2024-11-22T05:35:09Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "C:\\Windows\\system32\\net1 group \"Domain Controllers\" /domain", + "executable": "c:\\windows\\system32\\net1.exe", + "hash": { + "sha256": "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + }, + "name": "net1.exe" + }, + "related": { + "hash": [ + "18F76BC1F02A161EBDEDF3142273C186D05A836ADDCAAEE599194089FD59F398" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "ba485919-e4c1-4496-9e2f-feb320f6841a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_10.json b/SentinelOne/identity/tests/test_alert_10.json new file mode 100644 index 000000000..deb56e2a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_10.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-7b49-71f0-89e0-f52562c26e53\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:09:48.731Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:09:48.731Z\", \"lastSeenAt\": \"2024-11-22T09:09:48.731Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:09:48.731000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:09:48.731000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:09:48.731000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-7b49-71f0-89e0-f52562c26e53", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_11.json b/SentinelOne/identity/tests/test_alert_11.json new file mode 100644 index 000000000..84d64cee6 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_11.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d00e-7616-81b9-fcb227ebb13d\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d00e-7616-81b9-fcb227ebb13d", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_12.json b/SentinelOne/identity/tests/test_alert_12.json new file mode 100644 index 000000000..3e75c9e78 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_12.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-eb28-7a57-9c27-87843b2cec61\", \"name\": \"AD Service Account Enumeration Detected\", \"description\": \"This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.\", \"detectedAt\": \"2024-11-22T08:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is generated when LDAP queries for enumerating service accounts are detected from an endpoint.", + "start": "2024-11-22T08:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-eb28-7a57-9c27-87843b2cec61", + "name": "AD Service Account Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_13.json b/SentinelOne/identity/tests/test_alert_13.json new file mode 100644 index 000000000..d94a9c18b --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_13.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-c715-72c9-bbd9-dc1ff6a7ff1e\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-c715-72c9-bbd9-dc1ff6a7ff1e", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_14.json b/SentinelOne/identity/tests/test_alert_14.json new file mode 100644 index 000000000..f8a4295bb --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_14.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-cb9b-770e-96ee-632d4d21520b\", \"name\": \"AD ACL Enumeration\", \"description\": \"This event is generated when a command used to query or read the ACL's\\\\ Permission of any object in Active Directory.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is generated when a command used to query or read the ACL's\\ Permission of any object in Active Directory.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-cb9b-770e-96ee-632d4d21520b", + "name": "AD ACL Enumeration", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_15.json b/SentinelOne/identity/tests/test_alert_15.json new file mode 100644 index 000000000..3d07d62a5 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_15.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-d4ba-7131-9e08-defa8b3aeb52\", \"name\": \"Domain Users Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the users in the Active Directory Domain.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-d4ba-7131-9e08-defa8b3aeb52", + "name": "Domain Users Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2.json b/SentinelOne/identity/tests/test_alert_2.json new file mode 100644 index 000000000..0a9dc292d --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935310-dc47-75de-8925-5f026bd5a705\", \"name\": \"LDAP Search Detected\", \"description\": \"This events is raised when a LDAP search Query is detected from the endpoint.\", \"detectedAt\": \"2024-11-22T08:45:50.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T08:45:50.000Z\", \"lastSeenAt\": \"2024-11-22T08:45:50.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T08:45:50Z", + "kind": "alert", + "provider": "Identity", + "reason": "This events is raised when a LDAP search Query is detected from the endpoint.", + "start": "2024-11-22T08:45:50Z", + "type": "info" + }, + "@timestamp": "2024-11-22T08:45:50Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935310-dc47-75de-8925-5f026bd5a705", + "name": "LDAP Search Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_3.json b/SentinelOne/identity/tests/test_alert_3.json new file mode 100644 index 000000000..cbc475032 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_3.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935359-3eda-7903-93fc-af6a0e5d0a8f\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:37.779Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:37.779Z\", \"lastSeenAt\": \"2024-11-22T10:09:37.779Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:37.779000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:37.779000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:37.779000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935359-3eda-7903-93fc-af6a0e5d0a8f", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_4.json b/SentinelOne/identity/tests/test_alert_4.json new file mode 100644 index 000000000..64efcfc10 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_4.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935358-ee81-7eb7-b57f-022c6f0019a9\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T10:09:17.184Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T10:09:17.184Z\", \"lastSeenAt\": \"2024-11-22T10:09:17.184Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T10:09:17.184000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T10:09:17.184000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T10:09:17.184000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935358-ee81-7eb7-b57f-022c6f0019a9", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_5.json b/SentinelOne/identity/tests/test_alert_5.json new file mode 100644 index 000000000..6e14dbe24 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_5.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"0193534d-63c1-7497-b854-b883425af3f5\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:54:58.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:54:58.000Z\", \"lastSeenAt\": \"2024-11-22T09:54:58.000Z\", \"process\": {\"cmdLine\": \"\\\"C:\\\\Windows\\\\system32\\\\cmd.exe\\\"\", \"file\": {\"path\": \"c:\\\\windows\\\\system32\\\\cmd.exe\", \"sha1\": null, \"sha256\": \"4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:54:58Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:54:58Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:54:58Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\"", + "executable": "c:\\windows\\system32\\cmd.exe", + "hash": { + "sha256": "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + }, + "name": "cmd.exe" + }, + "related": { + "hash": [ + "4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "0193534d-63c1-7497-b854-b883425af3f5", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_6.json b/SentinelOne/identity/tests/test_alert_6.json new file mode 100644 index 000000000..5b987ddc2 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_6.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-abf7-7457-8467-e3443470e6f3\", \"name\": \"AD Domain Computer Enumeration Detected\", \"description\": \"This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to dump all the computers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-abf7-7457-8467-e3443470e6f3", + "name": "AD Domain Computer Enumeration Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_7.json b/SentinelOne/identity/tests/test_alert_7.json new file mode 100644 index 000000000..6fc5195cb --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_7.json @@ -0,0 +1,47 @@ +{ + "input": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935347-b05a-7d28-a929-5294ee16628a\", \"name\": \"Domain Controller Discovery Detected\", \"description\": \"This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.\", \"detectedAt\": \"2024-11-22T09:45:51.000Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"ENUMERATION\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:51.000Z\", \"lastSeenAt\": \"2024-11-22T09:45:51.000Z\", \"process\": {\"cmdLine\": \"Sharphound.exe\", \"file\": {\"path\": \"c:\\\\users\\\\administrator\\\\desktop\\\\ad_recon\\\\sharphound.exe\", \"sha1\": null, \"sha256\": \"61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863\", \"md5\": null}, \"parentName\": null}, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:51Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when there is a query from an endpoint to find the domain controllers or AD Servers in the Active Directory Domain.", + "start": "2024-11-22T09:45:51Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:51Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "process": { + "command_line": "Sharphound.exe", + "executable": "c:\\users\\administrator\\desktop\\ad_recon\\sharphound.exe", + "hash": { + "sha256": "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + }, + "name": "sharphound.exe" + }, + "related": { + "hash": [ + "61F897ED69646E0509F6802FB2D7C5E88C3E3B93C4CA86942E24D203AA878863" + ] + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "ENUMERATION", + "confidenceLevel": "MALICIOUS", + "id": "01935347-b05a-7d28-a929-5294ee16628a", + "name": "Domain Controller Discovery Detected", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_8.json b/SentinelOne/identity/tests/test_alert_8.json new file mode 100644 index 000000000..384a41648 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_8.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935342-d073-7ed0-8c5e-2373fc013310\", \"name\": \"Default Admin Account Usage\", \"description\": \"This event is raised for default administrator account logon anywhere in the domain.\", \"detectedAt\": \"2024-11-22T09:45:07.655Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:45:07.655Z\", \"lastSeenAt\": \"2024-11-22T09:45:07.655Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:45:07.655000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised for default administrator account logon anywhere in the domain.", + "start": "2024-11-22T09:45:07.655000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:45:07.655000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935342-d073-7ed0-8c5e-2373fc013310", + "name": "Default Admin Account Usage", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_9.json b/SentinelOne/identity/tests/test_alert_9.json new file mode 100644 index 000000000..74ab3a7f3 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_9.json @@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}" + }, + "expected": { + "message": "{\"id\": \"01935322-cc3a-76cc-890b-a1c2d1b815d4\", \"name\": \"Brute force attack - Mass Account Lockout\", \"description\": \"This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.\", \"detectedAt\": \"2024-11-22T09:10:09.467Z\", \"attackSurfaces\": [\"IDENTITY\"], \"detectionSource\": {\"product\": \"Identity\"}, \"status\": \"NEW\", \"assignee\": null, \"classification\": \"UNKNOWN\", \"confidenceLevel\": \"MALICIOUS\", \"firstSeenAt\": \"2024-11-22T09:10:09.467Z\", \"lastSeenAt\": \"2024-11-22T09:10:09.467Z\", \"process\": null, \"result\": null, \"storylineId\": null}", + "event": { + "category": "intrusion_detection", + "end": "2024-11-22T09:10:09.467000Z", + "kind": "alert", + "provider": "Identity", + "reason": "This event is raised when ADAssessor detects lockout of multiple accounts, which could be due to brute-force attempts or a password spray.", + "start": "2024-11-22T09:10:09.467000Z", + "type": "info" + }, + "@timestamp": "2024-11-22T09:10:09.467000Z", + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "sentinelone": { + "identity": { + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "01935322-cc3a-76cc-890b-a1c2d1b815d4", + "name": "Brute force attack - Mass Account Lockout", + "status": "NEW" + } + } + } +} \ No newline at end of file diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json index fc89638e0..432cf533d 100644 --- a/Suricata/suricata/_meta/smart-descriptions.json +++ b/Suricata/suricata/_meta/smart-descriptions.json @@ -151,8 +151,7 @@ "value": "query" }, { - "field": "action.type", - "value": "dns" + "field": "dns.question.name" } ], "relationships": [ @@ -198,6 +197,22 @@ } ] }, + { + "value": "RDP traffic from {source.ip} to {destination.ip}", + "conditions": [ + { + "field": "action.type", + "value": "rdp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "requested" + } + ] + }, { "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}", "conditions": [ diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json new file mode 100644 index 000000000..131dd7025 --- /dev/null +++ b/Suricata/suricata/tests/rdp.json @@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Suricata", + "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3" + } + } + }, + "expected": { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "event": { + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-29T15:08:06.239558Z", + "action": { + "type": "rdp" + }, + "destination": { + "address": "10.0.1.4", + "ip": "10.0.1.4", + "port": 3389 + }, + "host": { + "ip": "14.225.46.243" + }, + "network": { + "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=", + "protocol": "TCP", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, + "related": { + "ip": [ + "10.0.1.4", + "14.225.46.243" + ] + }, + "source": { + "address": "14.225.46.243", + "ip": "14.225.46.243", + "port": 58953 + } + } +} \ No newline at end of file