fix(Sekoia.io): fix dns.resolved_ip
squioc committed Dec 17, 2024
1 parent d5c0d06 commit ba36359
Showing 2 changed files with 40 additions and 6 deletions.
14 changes: 10 additions & 4 deletions SekoiaIO/endpoint/ingest/parser.yml
@@ -88,10 +88,16 @@ stages:
dns.question: "{{json.event.dns.question}}"
dns.response_code: "{{json.event.dns.response_code}}"
dns.type: "{{json.event.dns.type}}"

- set:
dns.resolved_ip: "{{json.event.dns.resolved_ip}}"
filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"
dns.resolved_ip: >
{% set ips = [] %}
{%- for answer in json.event.dns.resolved_ip -%}
{%- if answer | is_ipaddress -%}
{% set ips = ips.append(answer) %}
{%- endif -%}
{%- endfor -%}
{%- if ips | length > 0 -%}
{{ips}}
{%- endif -%}
- set:
action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
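Review bot: The new loop at `{%- for answer in json.event.dns.resolved_ip -%}` assumes the field is a list; the template it replaces accepted a scalar through the `is_ipaddress` filter, so if the agent can still emit `resolved_ip` as a single string the loop iterates its characters and the address is silently dropped (the updated fixture only exercises the list form). A guard such as `{%- for answer in ([json.event.dns.resolved_ip] if json.event.dns.resolved_ip is string else json.event.dns.resolved_ip) -%}` keeps both shapes. Separately, `{% set ips = ips.append(answer) %}` rebinds `ips` to `None` for the rest of the iteration and only works because Jinja appears to re-alias the loop-local from the outer list at each iteration; `{% set _ = ips.append(answer) %}` states the intent and keeps `ips` usable inside the loop. The enclosing `stages` list starts above the hunk and continues below it.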
32 changes: 30 additions & 2 deletions SekoiaIO/endpoint/tests/dns_results.json
@@ -1,9 +1,15 @@
{
"input": {
"message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}"
"message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n",
"sekoiaio": {
"intake": {
"dialect": "Sekoia.io Endpoint Agent",
"dialect_uuid": "250e4095-fa08-4101-bb02-e72f870fcbd1"
}
}
},
"expected": {
"message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}",
"message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n",
"event": {
"code": "22",
"provider": "Microsoft-Windows-Sysmon"
@@ -77,6 +83,17 @@
"subdomain": "connect",
"top_level_domain": "net"
},
"resolved_ip": [
"129.134.30.11",
"129.134.31.11",
"157.240.21.20",
"185.89.218.11",
"185.89.219.11",
"2a03:2880:f0fc:b:face:b00c:0:99",
"2a03:2880:f0fd:b:face:b00c:0:99",
"2a03:2880:f1fc:b:face:b00c:0:99",
"2a03:2880:f1fd:b:face:b00c:0:99"
],
"response_code": "0"
},
"host": {
@@ -93,6 +110,17 @@
"connect.facebook.net",
"test-PC"
],
"ip": [
"129.134.30.11",
"129.134.31.11",
"157.240.21.20",
"185.89.218.11",
"185.89.219.11",
"2a03:2880:f0fc:b:face:b00c:0:99",
"2a03:2880:f0fd:b:face:b00c:0:99",
"2a03:2880:f1fc:b:face:b00c:0:99",
"2a03:2880:f1fd:b:face:b00c:0:99"
],
"user": [
"test"
]
