diff --git a/SekoiaIO/endpoint/ingest/parser.yml b/SekoiaIO/endpoint/ingest/parser.yml
index 014bdc5ad..a6d0982ca 100644
--- a/SekoiaIO/endpoint/ingest/parser.yml
+++ b/SekoiaIO/endpoint/ingest/parser.yml
@@ -88,10 +88,16 @@ stages:
 dns.question: "{{json.event.dns.question}}"
 dns.response_code: "{{json.event.dns.response_code}}"
 dns.type: "{{json.event.dns.type}}"
-
- - set:
- dns.resolved_ip: "{{json.event.dns.resolved_ip}}"
- filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"
+ dns.resolved_ip: >
+ {% set ips = [] %}
+ {%- for answer in json.event.dns.resolved_ip -%}
+ {%- if answer | is_ipaddress -%}
+ {% set ips = ips.append(answer) %}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- if ips | length > 0 -%}
+ {{ips}}
+ {%- endif -%}
 
 - set:
 action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
diff --git a/SekoiaIO/endpoint/tests/dns_results.json b/SekoiaIO/endpoint/tests/dns_results.json
index 0023193c7..9e77aab4f 100644
--- a/SekoiaIO/endpoint/tests/dns_results.json
+++ b/SekoiaIO/endpoint/tests/dns_results.json
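Review bot: `{% set ips = ips.append(answer) %}` binds `ips` to `None`, because `list.append` returns nothing; the accumulation only works because the append mutates the outer list as a side effect and Jinja re-aliases the loop-scoped `ips` from the outer scope at each iteration, which is version-dependent behaviour and reads as a bug to the next maintainer. The documented way to accumulate inside a loop is a `namespace` (Jinja2 2.10+), as below, or `{% do ips.append(answer) %}` if the `do` extension is enabled in this engine. The removed stage also treated `json.event.dns.resolved_ip` as a scalar IP while the new loop iterates it; if an older agent still emits a single string, iterating it yields characters, none of which passes `is_ipaddress`, and the field silently disappears, so a `json.event.dns.resolved_ip is string` branch would keep that case covered. The enclosing `set` stage starts before the hunk.
```yaml
      dns.resolved_ip: >
        {%- set ns = namespace(ips=[]) -%}
        {%- for answer in json.event.dns.resolved_ip -%}
          {%- if answer | is_ipaddress -%}
            {%- set ns.ips = ns.ips + [answer] -%}
          {%- endif -%}
        {%- endfor -%}
        {%- if ns.ips | length > 0 -%}
          {{ns.ips}}
        {%- endif -%}
```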
@@ -1,9 +1,15 @@ { "input": { - "message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}" + "message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n", + "sekoiaio": { + "intake": { + "dialect": "Sekoia.io Endpoint Agent", + "dialect_uuid": "250e4095-fa08-4101-bb02-e72f870fcbd1" + } + } }, "expected": { - "message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}", + "message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 
12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n",
 "event": {
 "code": "22",
 "provider": "Microsoft-Windows-Sysmon"
@@ -77,6 +83,17 @@
 "subdomain": "connect",
 "top_level_domain": "net"
 },
+ "resolved_ip": [
+ "129.134.30.11",
+ "129.134.31.11",
+ "157.240.21.20",
+ "185.89.218.11",
+ "185.89.219.11",
+ "2a03:2880:f0fc:b:face:b00c:0:99",
+ "2a03:2880:f0fd:b:face:b00c:0:99",
+ "2a03:2880:f1fc:b:face:b00c:0:99",
+ "2a03:2880:f1fd:b:face:b00c:0:99"
+ ],
 "response_code": "0"
 },
 "host": {
@@ -93,6 +110,17 @@
 "connect.facebook.net",
 "test-PC"
 ],
+ "ip": [
+ "129.134.30.11",
+ "129.134.31.11",
+ "157.240.21.20",
+ "185.89.218.11",
+ "185.89.219.11",
+ "2a03:2880:f0fc:b:face:b00c:0:99",
+ "2a03:2880:f0fd:b:face:b00c:0:99",
+ "2a03:2880:f1fc:b:face:b00c:0:99",
+ "2a03:2880:f1fd:b:face:b00c:0:99"
+ ],
 "user": [
 "test"
 ]
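Review bot: The new `input.message` carries a `resolved_ip` list whose nine entries all pass `is_ipaddress`, so the parser's filtering branch and its "no valid IP, field omitted" path are not exercised by this fixture. Adding one non-IP entry to `resolved_ip` (for example the CNAME target `scontent.xx.fbcdn.net` that already appears in `answers`) while leaving `expected` unchanged would pin the filtering, and a second fixture with `resolved_ip` absent or empty would pin the omission. The `sekoiaio.intake` block added to the input is presumably what the test harness needs to select this parser; if so, a short comment in the test README would spare the next person from guessing.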
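Review bot: The expected `dns.resolved_ip` array is in lexicographic order (`129.134.30.11` first) while the input `resolved_ip` begins with `157.240.21.20`, so the fixture asserts a re-ordered list; the same holds for `related.ip` in the following hunk. Whether that ordering comes from the parser pipeline or from an order-insensitive comparison in the test runner is not visible here. If the original answer order matters to consumers (for instance the first A record returned), the fixture should keep the input order and the runner should compare strictly; otherwise a note in the fixture's README that array order is normalized would make the expectation explicit.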