Merge branch 'main' into fix/vmware_esxi

.github/workflows/main.yml

@@ -37,7 +37,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          poetry install
+          poetry install --only main
 
       - name: Checking modules & formats
         run: |

.github/workflows/smart_desc.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          poetry install
+          poetry install --only main
 
       - name: Generate smart descriptinos
         id: smartdesc

.github/workflows/test.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          poetry install
+          poetry install --only main
 
       - name: Execute tests
         run: |

.github/workflows/test_linting.yml

@@ -27,7 +27,7 @@ jobs:
 
       - name: Install dependencies
         run: |
-          poetry install
+          poetry install --only main
 
       - name: Execute tests
         run: |

Azure/azure-ad/_meta/fields.yml

@@ -10,11 +10,6 @@ action.target:
   short: action.target
   type: keyword
 
-azuread.Level:
-  description: ''
-  name: azuread.Level
-  type: long
-
 azuread.activityDateTime:
   description: ''
   name: azuread.activityDateTime

Azure/azure-ad/ingest/parser.yml

@@ -113,6 +113,7 @@ stages:
           user.id: "{{ parsed_event.message.userId}}"
           user.name: "{{ parsed_event.message.userPrincipalName}}"
           user_agent.original: "{{ parsed_event.message.userAgent }}"
+          log.level: "{{parsed_event.message.Level}}"
 
       - set:
           source.ip: "{{parsed_event.message.ipAddress}}"
@@ -128,7 +129,6 @@ stages:
           azuread.durationMs: "{{parsed_event.message.durationMs}}"
           azuread.correlationId: "{{parsed_event.message.correlationId}}"
           azuread.identity: "{{parsed_event.message.identity}}"
-          azuread.Level: "{{parsed_event.message.Level}}"
 
           azuread.activityDateTime: "{{parsed_event.message.activityDateTime}}"
           azuread.detectedDateTime: "{{parsed_event.message.detectedDateTime}}"

Azure/azure-ad/tests/empty_geolocalisation.json

@@ -19,7 +19,6 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
       "authenticationDetails": [
         {
           "RequestSequence": 1,
@@ -65,6 +64,9 @@
         "type": "Windows 10"
       }
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "ip": [
         "2001:db8:85a3::8a2e:370:7334"

Azure/azure-ad/tests/sign-in_activity.json

@@ -20,7 +20,6 @@
       "outcome": "failure"
     },
     "azuread": {
-      "Level": 4,
       "authenticationDetails": [
         {
           "RequestSequence": 0,
@@ -68,6 +67,9 @@
         "type": "Windows 10"
       }
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "ip": [
         "11.11.11.11"

Azure/azure-ad/tests/sign-in_activity2.json

@@ -19,7 +19,6 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
       "authenticationDetails": [
         {
           "RequestSequence": 0,
@@ -67,6 +66,9 @@
         "type": "Windows 10"
       }
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "ip": [
         "11.11.11.11"

Azure/azure-ad/tests/sign-in_activity3.json

@@ -19,7 +19,6 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
       "authenticationDetails": [
         {
           "RequestSequence": 1,
@@ -76,6 +75,9 @@
         "type": "Ios"
       }
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "ip": [
         "1.2.3.4"

Azure/azure-ad/tests/sign-in_activity4.json

@@ -19,7 +19,6 @@
       "outcome": "success"
     },
     "azuread": {
-      "Level": 4,
       "authenticationDetails": [],
       "callerIpAddress": "11.11.11.11",
       "category": "SignInLogs",
@@ -63,6 +62,9 @@
         "type": "Ios"
       }
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "hosts": [
         "LPTC-PC1M4VZQ"

Azure/azure-ad/tests/user_risk_detection.json

@@ -18,7 +18,6 @@
       "name": "User Risk Detection"
     },
     "azuread": {
-      "Level": 4,
       "callerIpAddress": "11.22.33.44",
       "category": "UserRiskEvents",
       "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
@@ -41,6 +40,9 @@
       "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam",
       "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad"
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "ip": [
         "11.22.33.44"

Azure/azure-ad/tests/user_risk_detection_2.json

@@ -24,7 +24,6 @@
       "name": "User Risk Detection"
     },
     "azuread": {
-      "Level": 4,
       "callerIpAddress": "11.22.33.44",
       "category": "UserRiskEvents",
       "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080",
@@ -56,6 +55,9 @@
       "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam",
       "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad"
     },
+    "log": {
+      "level": "4"
+    },
     "related": {
       "ip": [
         "11.22.33.44"

Azure/azure-ad/tests/user_risk_detection_3.json

@@ -0,0 +1,99 @@
+{
+  "input": {
+    "message": "{\"time\":\"12/13/2024 4:34:03 PM\",\"resourceId\":\"/tenants/1ed21da3-c6d6-41a5-8764-ebec8ba8a020/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"111111111111111111111111111111111111\",\"identity\":\"doe john\",\"Level\":\"Information\",\"location\":\"fr\",\"properties\":{\"id\":\"111111111111111111111111111111111111\",\"requestId\":\"a91dd168-5e09-48e1-9120-185626543431\",\"correlationId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"1.2.3.4\",\"location\":{\"city\":\"Rennes\",\"state\":\"Bretagne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":0.0,\"longitude\":0.0}},\"activityDateTime\":\"2024-12-13T16:31:49.945Z\",\"detectedDateTime\":\"2024-12-13T16:31:49.945Z\",\"lastUpdatedDateTime\":\"2024-12-13T16:34:03.966Z\",\"userId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"userDisplayName\":\"DOE John\",\"userPrincipalName\":\"[email protected]\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null},{\\\"Key\\\":\\\"mitreTechniques\\\",\\\"Value\\\":\\\"T1078.004\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\",\"mitreTechniqueId\":\"T1078.004\"}}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Microsoft Entra ID / Azure AD",
+        "dialect_uuid": "19cd2ed6-f90c-47f7-a46b-974354a107bb"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"time\":\"12/13/2024 4:34:03 PM\",\"resourceId\":\"/tenants/1ed21da3-c6d6-41a5-8764-ebec8ba8a020/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"111111111111111111111111111111111111\",\"identity\":\"doe john\",\"Level\":\"Information\",\"location\":\"fr\",\"properties\":{\"id\":\"111111111111111111111111111111111111\",\"requestId\":\"a91dd168-5e09-48e1-9120-185626543431\",\"correlationId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"1.2.3.4\",\"location\":{\"city\":\"Rennes\",\"state\":\"Bretagne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":0.0,\"longitude\":0.0}},\"activityDateTime\":\"2024-12-13T16:31:49.945Z\",\"detectedDateTime\":\"2024-12-13T16:31:49.945Z\",\"lastUpdatedDateTime\":\"2024-12-13T16:34:03.966Z\",\"userId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"userDisplayName\":\"DOE John\",\"userPrincipalName\":\"[email protected]\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null},{\\\"Key\\\":\\\"mitreTechniques\\\",\\\"Value\\\":\\\"T1078.004\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\",\"mitreTechniqueId\":\"T1078.004\"}}",
+    "event": {
+      "category": [
+        "iam"
+      ],
+      "reason": "unfamiliarFeatures",
+      "type": [
+        "connection"
+      ]
+    },
+    "@timestamp": "2024-12-13T16:34:03Z",
+    "action": {
+      "name": "User Risk Detection"
+    },
+    "azuread": {
+      "callerIpAddress": "1.2.3.4",
+      "category": "UserRiskEvents",
+      "correlationId": "111111111111111111111111111111111111",
+      "durationMs": 0,
+      "identity": "doe john",
+      "operationName": "User Risk Detection",
+      "operationVersion": "1.0",
+      "properties": {
+        "activity": "signin",
+        "correlationId": "d6e4b382-39a3-4988-9db3-85156bcdadfd",
+        "detectionTimingType": "realtime",
+        "id": "111111111111111111111111111111111111",
+        "requestId": "a91dd168-5e09-48e1-9120-185626543431",
+        "riskDetail": "aiConfirmedSigninSafe",
+        "riskEventType": "unfamiliarFeatures",
+        "riskLevel": "low",
+        "riskReasons": [
+          "UnfamiliarBrowser",
+          "UnfamiliarDevice",
+          "UnfamiliarEASId",
+          "UnfamiliarIP",
+          "UnfamiliarLocation",
+          "UnfamiliarTenantIPsubnet"
+        ],
+        "riskState": "dismissed",
+        "source": "IdentityProtection"
+      },
+      "resourceId": "/tenants/1ed21da3-c6d6-41a5-8764-ebec8ba8a020/providers/microsoft.aadiam",
+      "tenantId": "1ed21da3-c6d6-41a5-8764-ebec8ba8a020"
+    },
+    "log": {
+      "level": "Information"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ]
+    },
+    "service": {
+      "name": "Azure Active Directory",
+      "type": "ldap"
+    },
+    "source": {
+      "address": "1.2.3.4",
+      "geo": {
+        "city_name": "Rennes",
+        "country_iso_code": "fr",
+        "location": {
+          "lat": 0.0,
+          "lon": 0.0
+        },
+        "region_name": "Bretagne"
+      },
+      "ip": "1.2.3.4"
+    },
+    "user": {
+      "email": "[email protected]",
+      "full_name": "DOE John"
+    },
+    "user_agent": {
+      "device": {
+        "name": "Samsung SM-S911B"
+      },
+      "name": "Chrome Mobile WebView",
+      "original": "Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0",
+      "os": {
+        "name": "Android",
+        "version": "14"
+      },
+      "version": "131.0.6778"
+    }
+  }
+}

Bitdefender/gravityzone/_meta/fields.yml

@@ -1,3 +1,23 @@
+bitdefender.gravityzone.application_control.block_type:
+  description: Type of block detected by Bitdefender GravityZone Application Control.
+  name: bitdefender.gravityzone.application_control.block_type
+  type: keyword
+
+bitdefender.gravityzone.application_control.detection_count:
+  description: Number of detections by Bitdefender GravityZone Application Control.
+  name: bitdefender.gravityzone.application_control.detection_count
+  type: long
+
+bitdefender.gravityzone.application_control.type:
+  description: Type of application control detected by Bitdefender GravityZone.
+  name: bitdefender.gravityzone.application_control.type
+  type: keyword
+
+bitdefender.gravityzone.data.categories:
+  description: Data categories detected by Bitdefender GravityZone.
+  name: bitdefender.gravityzone.data.categories
+  type: keyword
+
 bitdefender.gravityzone.exploit.type:
   description: Exploit type detected by Bitdefender GravityZone.
   name: bitdefender.gravityzone.exploit.type

Bitdefender/gravityzone/_meta/manifest.yml

@@ -9,3 +9,4 @@ data_sources:
   Authentication logs:
   Network device logs:
   File monitoring:
+automation_module_uuid: 26277889-b91b-46d0-8bac-7f6b2f6fb9a3

Bitdefender/gravityzone/ingest/parser.yml

@@ -8,7 +8,7 @@ pipeline:
     external:
       name: date.parse
       properties:
-        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}"
+        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}"
         output_field: datetime
 
   - name: set_event_fields
@@ -67,14 +67,14 @@ stages:
           "device-control": ["host"]
           "ransomware-mitigation": ["intrusion_detection"]
           "new-incident": ["process"]
+          "uc": ["web"]
         mapping:
           parse_event.message.BitdefenderGZModule: event.category
         filter: "{{parse_event.message.BitdefenderGZModule != None}}"
 
   set_ecs_fields:
     actions:
       - set:
-          "@timestamp": "{{parsed_date.datetime}}"
           host.ip: "{{parse_event.message.dvc}}"
           host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}"
           destination.user.name: "{{parse_event.message.duser}}"
@@ -94,8 +94,24 @@ stages:
           observer.vendor: "{{parse_event.message.DeviceVendor}}"
           observer.product: "{{parse_event.message.DeviceProduct}}"
           observer.version: "{{parse_event.message.DeviceVersion}}"
+          bitdefender.gravityzone.application_control.block_type: "{{parse_event.message.BitdefenderGZApplicationControlBlockType}}"
+          bitdefender.gravityzone.application_control.type: "{{parse_event.message.BitdefenderGZApplicationControlType}}"
+          bitdefender.gravityzone.application_control.detection_count: "{{parse_event.message.cnt}}"
+          bitdefender.gravityzone.data.categories: "{{parse_event.message.BitdefenderGZDataCategories}}"
           bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}"
 
+      - set:
+          "@timestamp": "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('eventdate') != None or parse_event.message.get('BitdefenderGZDetectionTime') != None}}"
+
+      - set:
+          event.start: "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('start') != None}}"
+
+      - set:
+          event.end: "{{parsed_date.datetime}}"
+        filter: "{{parse_event.message.get('end') != None}}"
+
       - set:
           file.path: "{{parse_event.message.filePath}}"
         filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}"

Bitdefender/gravityzone/tests/login_1.json

@@ -9,6 +9,7 @@
         "authentication"
       ],
       "severity": 3,
+      "start": "2024-06-11T11:34:56Z",
       "type": [
         "start"
       ]