diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index fb39f5d2a..a693925f9 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -37,7 +37,7 @@ jobs: - name: Install dependencies run: | - poetry install + poetry install --only main - name: Checking modules & formats run: | diff --git a/.github/workflows/smart_desc.yml b/.github/workflows/smart_desc.yml index 927db239d..6e256ec8c 100644 --- a/.github/workflows/smart_desc.yml +++ b/.github/workflows/smart_desc.yml @@ -31,7 +31,7 @@ jobs: - name: Install dependencies run: | - poetry install + poetry install --only main - name: Generate smart descriptinos id: smartdesc diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d5e8abb3b..e25122ea0 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -31,7 +31,7 @@ jobs: - name: Install dependencies run: | - poetry install + poetry install --only main - name: Execute tests run: | diff --git a/.github/workflows/test_linting.yml b/.github/workflows/test_linting.yml index 6cc7a9924..e750a4791 100644 --- a/.github/workflows/test_linting.yml +++ b/.github/workflows/test_linting.yml @@ -27,7 +27,7 @@ jobs: - name: Install dependencies run: | - poetry install + poetry install --only main - name: Execute tests run: | diff --git a/Azure/azure-ad/_meta/fields.yml b/Azure/azure-ad/_meta/fields.yml index f8651d7fd..c60eb2683 100644 --- a/Azure/azure-ad/_meta/fields.yml +++ b/Azure/azure-ad/_meta/fields.yml @@ -10,11 +10,6 @@ action.target: short: action.target type: keyword -azuread.Level: - description: '' - name: azuread.Level - type: long - azuread.activityDateTime: description: '' name: azuread.activityDateTime diff --git a/Azure/azure-ad/ingest/parser.yml b/Azure/azure-ad/ingest/parser.yml index 1b4dbe8bd..39aa3f40a 100644 --- a/Azure/azure-ad/ingest/parser.yml +++ b/Azure/azure-ad/ingest/parser.yml 
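Review bot: `poetry install --only main` restricts the install to the main dependency group, yet the same step feeds `Execute tests` in test.yml and test_linting.yml and `Checking modules & formats` in main.yml; if the test runner, linters or the repository's own check tooling are declared in a non-main group (not visible in this diff), those steps will now fail on a missing executable. If that tooling lives in a dedicated group, `poetry install --only main,<tooling-group>` (placeholder group name) keeps the dependency reduction while still provisioning it; if everything is already in main the change is fine as is. The same line is changed in all four workflow hunks, so whatever the answer is applies to each. The context line `Generate smart descriptinos` in smart_desc.yml carries a typo that could be fixed while the file is being touched.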
@@ -113,6 +113,7 @@ stages: user.id: "{{ parsed_event.message.userId}}" user.name: "{{ parsed_event.message.userPrincipalName}}" user_agent.original: "{{ parsed_event.message.userAgent }}" + log.level: "{{parsed_event.message.Level}}" - set: source.ip: "{{parsed_event.message.ipAddress}}" @@ -128,7 +129,6 @@ stages: azuread.durationMs: "{{parsed_event.message.durationMs}}" azuread.correlationId: "{{parsed_event.message.correlationId}}" azuread.identity: "{{parsed_event.message.identity}}" - azuread.Level: "{{parsed_event.message.Level}}" azuread.activityDateTime: "{{parsed_event.message.activityDateTime}}" azuread.detectedDateTime: "{{parsed_event.message.detectedDateTime}}" diff --git a/Azure/azure-ad/tests/empty_geolocalisation.json b/Azure/azure-ad/tests/empty_geolocalisation.json index 830836e2a..d6ccc49da 100644 --- a/Azure/azure-ad/tests/empty_geolocalisation.json +++ b/Azure/azure-ad/tests/empty_geolocalisation.json @@ -19,7 +19,6 @@ "outcome": "success" }, "azuread": { - "Level": 4, "authenticationDetails": [ { "RequestSequence": 1, @@ -65,6 +64,9 @@ "type": "Windows 10" } }, + "log": { + "level": "4" + }, "related": { "ip": [ "2001:db8:85a3::8a2e:370:7334" diff --git a/Azure/azure-ad/tests/sign-in_activity.json b/Azure/azure-ad/tests/sign-in_activity.json index 63748a911..46264f0a3 100644 --- a/Azure/azure-ad/tests/sign-in_activity.json +++ b/Azure/azure-ad/tests/sign-in_activity.json @@ -20,7 +20,6 @@ "outcome": "failure" }, "azuread": { - "Level": 4, "authenticationDetails": [ { "RequestSequence": 0, @@ -68,6 +67,9 @@ "type": "Windows 10" } }, + "log": { + "level": "4" + }, "related": { "ip": [ "11.11.11.11" diff --git a/Azure/azure-ad/tests/sign-in_activity2.json b/Azure/azure-ad/tests/sign-in_activity2.json index f90ae1002..3777a28c9 100644 --- a/Azure/azure-ad/tests/sign-in_activity2.json +++ b/Azure/azure-ad/tests/sign-in_activity2.json 
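Review bot: `log.level: "{{parsed_event.message.Level}}"` passes the raw Azure value through, and the fixtures show it arrives in two forms — the numeric `4` in the existing sign-in and risk-detection tests (now expected as `"4"`) and `"Information"` in the new user_risk_detection_3 test — so one severity is represented two ways in `log.level` and any rule filtering on it has to match both. Normalising the numeric form to its textual name before the set (a dictionary mapping of the kind this repository already uses for event.category) would give a single value space; the mapping table itself should be taken from the Azure documentation rather than guessed. Note also that the second hunk drops `azuread.Level` and the fields.yml hunk removes its declaration, so any saved query or rule referencing `azuread.Level` stops matching silently; keeping the old set line alongside the new one for a deprecation window is worth considering.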
@@ -19,7 +19,6 @@ "outcome": "success" }, "azuread": { - "Level": 4, "authenticationDetails": [ { "RequestSequence": 0, @@ -67,6 +66,9 @@ "type": "Windows 10" } }, + "log": { + "level": "4" + }, "related": { "ip": [ "11.11.11.11" diff --git a/Azure/azure-ad/tests/sign-in_activity3.json b/Azure/azure-ad/tests/sign-in_activity3.json index f4e6a4693..c108f44e6 100644 --- a/Azure/azure-ad/tests/sign-in_activity3.json +++ b/Azure/azure-ad/tests/sign-in_activity3.json @@ -19,7 +19,6 @@ "outcome": "success" }, "azuread": { - "Level": 4, "authenticationDetails": [ { "RequestSequence": 1, @@ -76,6 +75,9 @@ "type": "Ios" } }, + "log": { + "level": "4" + }, "related": { "ip": [ "1.2.3.4" diff --git a/Azure/azure-ad/tests/sign-in_activity4.json b/Azure/azure-ad/tests/sign-in_activity4.json index 94e02cf9c..350582b22 100644 --- a/Azure/azure-ad/tests/sign-in_activity4.json +++ b/Azure/azure-ad/tests/sign-in_activity4.json @@ -19,7 +19,6 @@ "outcome": "success" }, "azuread": { - "Level": 4, "authenticationDetails": [], "callerIpAddress": "11.11.11.11", "category": "SignInLogs", @@ -63,6 +62,9 @@ "type": "Ios" } }, + "log": { + "level": "4" + }, "related": { "hosts": [ "LPTC-PC1M4VZQ" diff --git a/Azure/azure-ad/tests/user_risk_detection.json b/Azure/azure-ad/tests/user_risk_detection.json index c36bcceec..3d1301b3c 100644 --- a/Azure/azure-ad/tests/user_risk_detection.json +++ b/Azure/azure-ad/tests/user_risk_detection.json @@ -18,7 +18,6 @@ "name": "User Risk Detection" }, "azuread": { - "Level": 4, "callerIpAddress": "11.22.33.44", "category": "UserRiskEvents", "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080", @@ -41,6 +40,9 @@ "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam", "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad" }, + "log": { + "level": "4" + }, "related": { "ip": [ "11.22.33.44" 
diff --git a/Azure/azure-ad/tests/user_risk_detection_2.json b/Azure/azure-ad/tests/user_risk_detection_2.json index 2b15f2500..ae6101985 100644 --- a/Azure/azure-ad/tests/user_risk_detection_2.json +++ b/Azure/azure-ad/tests/user_risk_detection_2.json @@ -24,7 +24,6 @@ "name": "User Risk Detection" }, "azuread": { - "Level": 4, "callerIpAddress": "11.22.33.44", "category": "UserRiskEvents", "correlationId": "ef7868bd7e94b06ecd6cc965fc826c85d367bb5b9b083da9a26686786a791080", @@ -56,6 +55,9 @@ "resourceId": "/tenants/2d0c1986-ef7b-4bbf-8428-3c837471e7ad/providers/microsoft.aadiam", "tenantId": "2d0c1986-ef7b-4bbf-8428-3c837471e7ad" }, + "log": { + "level": "4" + }, "related": { "ip": [ "11.22.33.44" diff --git a/Azure/azure-ad/tests/user_risk_detection_3.json b/Azure/azure-ad/tests/user_risk_detection_3.json new file mode 100644 index 000000000..838ead2ac --- /dev/null +++ b/Azure/azure-ad/tests/user_risk_detection_3.json 
@@ -0,0 +1,99 @@ +{ + "input": { + "message": "{\"time\":\"12/13/2024 4:34:03 PM\",\"resourceId\":\"/tenants/1ed21da3-c6d6-41a5-8764-ebec8ba8a020/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"111111111111111111111111111111111111\",\"identity\":\"doe john\",\"Level\":\"Information\",\"location\":\"fr\",\"properties\":{\"id\":\"111111111111111111111111111111111111\",\"requestId\":\"a91dd168-5e09-48e1-9120-185626543431\",\"correlationId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"1.2.3.4\",\"location\":{\"city\":\"Rennes\",\"state\":\"Bretagne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":0.0,\"longitude\":0.0}},\"activityDateTime\":\"2024-12-13T16:31:49.945Z\",\"detectedDateTime\":\"2024-12-13T16:31:49.945Z\",\"lastUpdatedDateTime\":\"2024-12-13T16:34:03.966Z\",\"userId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"userDisplayName\":\"DOE John\",\"userPrincipalName\":\"DOE@company.com\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 
PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null},{\\\"Key\\\":\\\"mitreTechniques\\\",\\\"Value\\\":\\\"T1078.004\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\",\"mitreTechniqueId\":\"T1078.004\"}}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft Entra ID / Azure AD", + "dialect_uuid": "19cd2ed6-f90c-47f7-a46b-974354a107bb" + } + } + }, + "expected": { + "message": "{\"time\":\"12/13/2024 4:34:03 PM\",\"resourceId\":\"/tenants/1ed21da3-c6d6-41a5-8764-ebec8ba8a020/providers/microsoft.aadiam\",\"operationName\":\"User Risk Detection\",\"operationVersion\":\"1.0\",\"category\":\"UserRiskEvents\",\"tenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"resultSignature\":\"None\",\"durationMs\":0,\"callerIpAddress\":\"1.2.3.4\",\"correlationId\":\"111111111111111111111111111111111111\",\"identity\":\"doe john\",\"Level\":\"Information\",\"location\":\"fr\",\"properties\":{\"id\":\"111111111111111111111111111111111111\",\"requestId\":\"a91dd168-5e09-48e1-9120-185626543431\",\"correlationId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"riskType\":\"unfamiliarFeatures\",\"riskEventType\":\"unfamiliarFeatures\",\"riskState\":\"dismissed\",\"riskLevel\":\"low\",\"riskDetail\":\"aiConfirmedSigninSafe\",\"source\":\"IdentityProtection\",\"detectionTimingType\":\"realtime\",\"activity\":\"signin\",\"ipAddress\":\"1.2.3.4\",\"location\":{\"city\":\"Rennes\",\"state\":\"Bretagne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"altitude\":0.0,\"latitude\":0.0,\"longitude\":0.0}},\"activityDateTime\":\"2024-12-13T16:31:49.945Z\",\"detectedDateTime\":\"2024-12-13T16:31:49.945Z\",\"lastUpdatedDateTime\":\"2024-12-13T16:34:03.966Z\",\"userId\":\"d6e4b382-39a3-4988-9db3-85156bcdadfd\",\"userDisplayName\":\"DOE 
John\",\"userPrincipalName\":\"DOE@company.com\",\"additionalInfo\":\"[{\\\"Key\\\":\\\"riskReasons\\\",\\\"Value\\\":[\\\"UnfamiliarBrowser\\\",\\\"UnfamiliarDevice\\\",\\\"UnfamiliarIP\\\",\\\"UnfamiliarLocation\\\",\\\"UnfamiliarEASId\\\",\\\"UnfamiliarTenantIPsubnet\\\"]},{\\\"Key\\\":\\\"userAgent\\\",\\\"Value\\\":\\\"Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0\\\"},{\\\"Key\\\":\\\"alertUrl\\\",\\\"Value\\\":null},{\\\"Key\\\":\\\"mitreTechniques\\\",\\\"Value\\\":\\\"T1078.004\\\"}]\",\"tokenIssuerType\":\"AzureAD\",\"resourceTenantId\":null,\"homeTenantId\":\"1ed21da3-c6d6-41a5-8764-ebec8ba8a020\",\"userType\":\"member\",\"crossTenantAccessType\":\"none\",\"mitreTechniqueId\":\"T1078.004\"}}", + "event": { + "category": [ + "iam" + ], + "reason": "unfamiliarFeatures", + "type": [ + "connection" + ] + }, + "@timestamp": "2024-12-13T16:34:03Z", + "action": { + "name": "User Risk Detection" + }, + "azuread": { + "callerIpAddress": "1.2.3.4", + "category": "UserRiskEvents", + "correlationId": "111111111111111111111111111111111111", + "durationMs": 0, + "identity": "doe john", + "operationName": "User Risk Detection", + "operationVersion": "1.0", + "properties": { + "activity": "signin", + "correlationId": "d6e4b382-39a3-4988-9db3-85156bcdadfd", + "detectionTimingType": "realtime", + "id": "111111111111111111111111111111111111", + "requestId": "a91dd168-5e09-48e1-9120-185626543431", + "riskDetail": "aiConfirmedSigninSafe", + "riskEventType": "unfamiliarFeatures", + "riskLevel": "low", + "riskReasons": [ + "UnfamiliarBrowser", + "UnfamiliarDevice", + "UnfamiliarEASId", + "UnfamiliarIP", + "UnfamiliarLocation", + "UnfamiliarTenantIPsubnet" + ], + "riskState": "dismissed", + "source": "IdentityProtection" + }, + "resourceId": "/tenants/1ed21da3-c6d6-41a5-8764-ebec8ba8a020/providers/microsoft.aadiam", + "tenantId": 
"1ed21da3-c6d6-41a5-8764-ebec8ba8a020" + }, + "log": { + "level": "Information" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "service": { + "name": "Azure Active Directory", + "type": "ldap" + }, + "source": { + "address": "1.2.3.4", + "geo": { + "city_name": "Rennes", + "country_iso_code": "fr", + "location": { + "lat": 0.0, + "lon": 0.0 + }, + "region_name": "Bretagne" + }, + "ip": "1.2.3.4" + }, + "user": { + "email": "DOE@company.com", + "full_name": "DOE John" + }, + "user_agent": { + "device": { + "name": "Samsung SM-S911B" + }, + "name": "Chrome Mobile WebView", + "original": "Mozilla/5.0 (Linux; Android 14; SM-S911B Build/UP1A.231005.007; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.105 Mobile Safari/537.36 PKeyAuth/1.0", + "os": { + "name": "Android", + "version": "14" + }, + "version": "131.0.6778" + } + } +} \ No newline at end of file diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml index 52fd0cc6a..cad225376 100644 --- a/Bitdefender/gravityzone/_meta/fields.yml +++ b/Bitdefender/gravityzone/_meta/fields.yml 
@@ -1,3 +1,23 @@ +bitdefender.gravityzone.application_control.block_type: + description: Type of block detected by Bitdefender GravityZone Application Control. + name: bitdefender.gravityzone.application_control.block_type + type: keyword + +bitdefender.gravityzone.application_control.detection_count: + description: Number of detections by Bitdefender GravityZone Application Control. + name: bitdefender.gravityzone.application_control.detection_count + type: long + +bitdefender.gravityzone.application_control.type: + description: Type of application control detected by Bitdefender GravityZone. + name: bitdefender.gravityzone.application_control.type + type: keyword + +bitdefender.gravityzone.data.categories: + description: Data categories detected by Bitdefender GravityZone. + name: bitdefender.gravityzone.data.categories + type: keyword + bitdefender.gravityzone.exploit.type: description: Exploit type detected by Bitdefender GravityZone. name: bitdefender.gravityzone.exploit.type diff --git a/Bitdefender/gravityzone/_meta/manifest.yml b/Bitdefender/gravityzone/_meta/manifest.yml index 51df52c6b..2cc4311b5 100644 --- a/Bitdefender/gravityzone/_meta/manifest.yml +++ b/Bitdefender/gravityzone/_meta/manifest.yml @@ -9,3 +9,4 @@ data_sources: Authentication logs: Network device logs: File monitoring: +automation_module_uuid: 26277889-b91b-46d0-8bac-7f6b2f6fb9a3 diff --git a/Bitdefender/gravityzone/ingest/parser.yml b/Bitdefender/gravityzone/ingest/parser.yml index b6af1ad11..e2593c886 100644 --- a/Bitdefender/gravityzone/ingest/parser.yml +++ b/Bitdefender/gravityzone/ingest/parser.yml @@ -8,7 +8,7 @@ pipeline: external: name: date.parse properties: - input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}" + input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}" output_field: datetime - name: set_event_fields 
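Review bot: The extended chain `input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}"` produces a single `parsed_date.datetime` that the next hunk then writes to three different targets, so `event.start: "{{parsed_date.datetime}}"` receives the *end* time whenever a record carries both `start` and `end` (the chain picks `end` first), and either of them receives the detection time when `eventdate`/`BitdefenderGZDetectionTime` is also present. The two fixtures each carry only one of these fields (login_1 has `start`, uc_event has `end`), so the tests do not expose it. Parsing each field in its own date.parse stage, guarded with a stage-level `filter` as other parsers in this repository do, and pointing the sets at `parsed_start.datetime` / `parsed_end.datetime` keeps the three timestamps independent; the `@timestamp` set then only needs the original two-field chain.
```yaml
  - name: parsed_date
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}"
        output_field: datetime

  - name: parsed_start
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.start}}"
        output_field: datetime
    filter: "{{parse_event.message.get('start') != None}}"

  - name: parsed_end
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.end}}"
        output_field: datetime
    filter: "{{parse_event.message.get('end') != None}}"
# … unchanged: set_event_fields and later stages; the event.start / event.end sets read parsed_start.datetime / parsed_end.datetime …
```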
@@ -67,6 +67,7 @@ stages: "device-control": ["host"] "ransomware-mitigation": ["intrusion_detection"] "new-incident": ["process"] + "uc": ["web"] mapping: parse_event.message.BitdefenderGZModule: event.category filter: "{{parse_event.message.BitdefenderGZModule != None}}" @@ -74,7 +75,6 @@ stages: set_ecs_fields: actions: - set: - "@timestamp": "{{parsed_date.datetime}}" host.ip: "{{parse_event.message.dvc}}" host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}" destination.user.name: "{{parse_event.message.duser}}" @@ -94,8 +94,24 @@ stages: observer.vendor: "{{parse_event.message.DeviceVendor}}" observer.product: "{{parse_event.message.DeviceProduct}}" observer.version: "{{parse_event.message.DeviceVersion}}" + bitdefender.gravityzone.application_control.block_type: "{{parse_event.message.BitdefenderGZApplicationControlBlockType}}" + bitdefender.gravityzone.application_control.type: "{{parse_event.message.BitdefenderGZApplicationControlType}}" + bitdefender.gravityzone.application_control.detection_count: "{{parse_event.message.cnt}}" + bitdefender.gravityzone.data.categories: "{{parse_event.message.BitdefenderGZDataCategories}}" bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}" + - set: + "@timestamp": "{{parsed_date.datetime}}" + filter: "{{parse_event.message.get('eventdate') != None or parse_event.message.get('BitdefenderGZDetectionTime') != None}}" + + - set: + event.start: "{{parsed_date.datetime}}" + filter: "{{parse_event.message.get('start') != None}}" + + - set: + event.end: "{{parsed_date.datetime}}" + filter: "{{parse_event.message.get('end') != None}}" + - set: file.path: "{{parse_event.message.filePath}}" filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}" 
diff --git a/Bitdefender/gravityzone/tests/login_1.json b/Bitdefender/gravityzone/tests/login_1.json index ddf96c93f..c6b345332 100644 --- a/Bitdefender/gravityzone/tests/login_1.json +++ b/Bitdefender/gravityzone/tests/login_1.json @@ -9,6 +9,7 @@ "authentication" ], "severity": 3, + "start": "2024-06-11T11:34:56Z", "type": [ "start" ] diff --git a/Bitdefender/gravityzone/tests/uc_event.json b/Bitdefender/gravityzone/tests/uc_event.json new file mode 100644 index 000000000..68751f9b2 --- /dev/null +++ b/Bitdefender/gravityzone/tests/uc_event.json 
@@ -0,0 +1,65 @@ +{ + "input": { + "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 suser=john.doe@test.local suid=S-1-5-21-1111111111-222222222-3333333333-500", + "sekoiaio": { + "intake": { + "dialect": "Bitdefender GravityZone [BETA]", + "dialect_uuid": "d11df984-840d-4c29-a6dc-b9195c3a24e3" + } + } + }, + "expected": { + "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 suser=john.doe@test.local suid=S-1-5-21-1111111111-222222222-3333333333-500", + "event": { + "action": "uc_site_blocked", + "category": [ + "web" + ], + "end": "2024-12-16T12:34:33Z", + "module": "uc", + "severity": 9, + "type": [ + "info" + ] + }, + "bitdefender": { + "gravityzone": { + "application_control": { + "block_type": "http_categories", + "detection_count": 1, + "type": "http" + }, + "data": { + "categories": "Ads" + } + } + }, + "host": { + "ip": "1.2.3.4", + "name": "example.test.local" + }, + "observer": { + "product": "GravityZone", + "vendor": "Bitdefender", + "version": "6.40.1-1" + }, + "related": { + "ip": [ + "1.2.3.4" + ], + "user": [ + "john.doe@test.local" + ] + }, + "source": { + "user": { + "id": "S-1-5-21-1111111111-222222222-3333333333-500", + "name": "john.doe@test.local" + } + 
}, + "url": { + "original": "external-content.domain.com/ip3/www.test_request.com", + "path": "external-content.domain.com/ip3/www.test_request.com" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/_meta/fields.yml b/EfficientIP/solidserver-ddi/_meta/fields.yml index 4f1536e2d..094273b7d 100644 --- a/EfficientIP/solidserver-ddi/_meta/fields.yml +++ b/EfficientIP/solidserver-ddi/_meta/fields.yml @@ -1,3 +1,28 @@ +efficientip.dhcp.interface.ip: + description: The IP address of the interface that received the query + name: efficientip.dhcp.interface.ip + type: keyword + +efficientip.dhcp.interface.name: + description: The name of the interface that received the query + name: efficientip.dhcp.interface.name + type: keyword + +efficientip.dhcp.message: + description: The DHCP message + name: efficientip.dhcp.message + type: keyword + +efficientip.dhcp.operation: + description: The operation performed on the DHCP lease + name: efficientip.dhcp.operation + type: keyword + +efficientip.dhcp.release_state: + description: The state of the DHCP release + name: efficientip.dhcp.release_state + type: keyword + efficientip.guardian_action: description: EfficientIP Guardian action name: efficientip.guardian_action diff --git a/EfficientIP/solidserver-ddi/_meta/smart-descriptions.json b/EfficientIP/solidserver-ddi/_meta/smart-descriptions.json index 0a94c2c43..9944e99d3 100644 --- a/EfficientIP/solidserver-ddi/_meta/smart-descriptions.json +++ b/EfficientIP/solidserver-ddi/_meta/smart-descriptions.json @@ -49,7 +49,7 @@ }, { "field": "event.outcome", - "value": "failure" + "value": "failure" } ] }, 
@@ -141,5 +141,105 @@ "field": "dns.type" } ] + }, + { + "value": "A {efficientip.dhcp.operation} query has been launched from {client.address} to {destination.address}: {efficientip.dhcp.message}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "efficientip.dhcp.message" + }, + { + "field": "destination.address" + }, + { + "field": "client.address" + } + ] + }, + { + "value": "A {efficientip.dhcp.operation} query has been launched from {client.address}: {efficientip.dhcp.message}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "efficientip.dhcp.message" + }, + { + "field": "client.address" + } + ] + }, + { + "value": "A {efficientip.dhcp.operation} query has been launched to {destination.address}: {efficientip.dhcp.message}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "efficientip.dhcp.message" + }, + { + "field": "destination.address" + } + ] + }, + { + "value": "A {efficientip.dhcp.operation} query has been launched: {efficientip.dhcp.message}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "efficientip.dhcp.message" + } + ] + }, + { + "value": "A DHCP {efficientip.dhcp.operation} query has been launched from {client.mac} about {client.address}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "client.mac" + }, + { + "field": "client.address" + } + ] + }, + { + "value": "A DHCP {efficientip.dhcp.operation} query has been launched about {client.address}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "client.address" + } + ] + }, + { + "value": "A DHCP {efficientip.dhcp.operation} query has been launched from {client.mac}", + "conditions": [ + { + "field": "efficientip.dhcp.operation" + }, + { + "field": "client.mac" + } + ] + }, + { + "value": "A DHCP {efficientip.dhcp.operation} query has been launched", + "conditions": [ + { + "field": 
"efficientip.dhcp.operation" + } + ] } ] diff --git a/EfficientIP/solidserver-ddi/ingest/parser.yml b/EfficientIP/solidserver-ddi/ingest/parser.yml index 3c5ddd91e..a47e59cbe 100644 --- a/EfficientIP/solidserver-ddi/ingest/parser.yml +++ b/EfficientIP/solidserver-ddi/ingest/parser.yml @@ -5,8 +5,9 @@ pipeline: name: grok.match properties: output_field: message - pattern: "%{EFFICIENTIP_DNS_QUERY}|%{EFFICIENTIP_DNS_ANSWER_1}|%{EFFICIENTIP_DNS_ANSWER_DEFAULT}|%{EFFICIENTIP_DNS_UPDATING_ZONE}|%{EFFICIENTIP_DNS_GUARDIAN}|%{EFFICIENTIP_DNS_GUARDIAN_LISTLOG}|%{EFFICIENTIP_RPZ_TRANSFER}|%{EFFICIENTIP_RPZ_ZONE}|%{EFFICIENTIP_RPZ_QNAME}|%{EFFICIENTIP_DNS_ERROR}|%{EFFICIENTIP_DNS_FORMAT_ERROR}|%{EFFICIENTIP_DNS_RECEIVED_NOTIFY}" + pattern: "%{EFFICIENTIP_DNS_QUERY}|%{EFFICIENTIP_DNS_ANSWER_1}|%{EFFICIENTIP_DNS_ANSWER_DEFAULT}|%{EFFICIENTIP_DNS_UPDATING_ZONE}|%{EFFICIENTIP_DNS_GUARDIAN}|%{EFFICIENTIP_DNS_GUARDIAN_LISTLOG}|%{EFFICIENTIP_RPZ_TRANSFER}|%{EFFICIENTIP_RPZ_ZONE}|%{EFFICIENTIP_RPZ_QNAME}|%{EFFICIENTIP_DNS_ERROR}|%{EFFICIENTIP_DNS_FORMAT_ERROR}|%{EFFICIENTIP_DNS_RECEIVED_NOTIFY}|%{EFFICIENTIP_DHCP}" custom_patterns: + EFFICIENTIP_DHCP: "DHCP(%{DHCPD_DISCOVER}|%{DHCPD_OFFER_ACK}|%{DHCPD_REQUEST}|%{DHCPD_DECLINE}|%{DHCPD_RELEASE}|%{DHCPD_INFORM})(: %{GREEDYDATA:dhcpd_message})?" EFFICIENTIP_DNS_QUERY: '%{DNS_HEADER}: query: %{GREEDYDATA:dns_question_name} %{QUERY_CLASS:dns_question_class} %{QUESTION_TYPE:dns_question_type}( %{QUERY_FLAGS})? \(%{IP:server_ip}\)$' EFFICIENTIP_DNS_ANSWER_1: '%{DNS_HEADER}: answer: %{GREEDYDATA:dns_question_name} %{QUERY_CLASS:dns_question_class} %{QUESTION_TYPE:dns_question_type}( %{QUERY_FLAGS})? \(%{IP:server_ip}\) -> %{WORD:response_code} %{GREEDYDATA:dns_records}$' EFFICIENTIP_DNS_ANSWER_DEFAULT: '%{DNS_HEADER}: answer: %{GREEDYDATA:dns_question_name} %{QUERY_CLASS:dns_question_class} %{QUESTION_TYPE:dns_question_type}( %{QUERY_FLAGS})? \(%{IP:server_ip}\) -> %{WORD:response_code}( %{GREEDYDATA:dns_records})?$' 
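Review bot: `EFFICIENTIP_DHCP: "DHCP(…)(: %{GREEDYDATA:dhcpd_message})?"` is the only alternative in the combined pattern without a trailing `$`; every DNS pattern beside it is anchored, so trailing text after the `via` clause that is not introduced by `: ` is silently ignored for DHCP lines while it would make a DNS line fail to match. Adding the anchor, `EFFICIENTIP_DHCP: "DHCP(…)(: %{GREEDYDATA:dhcpd_message})?$"`, keeps the two families consistent and makes unexpected log variants visible as parse failures instead of partially mapped events.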
@@ -34,6 +35,13 @@ pipeline: GUARDIAN_ACTION: "(DIS)?ARMING" RPZ_SOURCE: "(%{IP:source_ip}#%{INT:source_port}|%{DATA:source_name})" ERROR_REASON: "FORMERR|REFUSED %{DATA:reason}" + DHCPD_VIA: 'via (%{IP:interface_ip}|(?P[^: ]+))( \[%{INT}\])?' + DHCPD_DISCOVER: '(?PDISCOVER) from %{MAC:client_mac}( \(%{DATA:client_name}\))? %{DHCPD_VIA}' + DHCPD_OFFER_ACK: '(?P(OFFER|N?ACK)) on %{IP:client_ip} to %{MAC:client_mac}( \(%{DATA:client_name}\))? %{DHCPD_VIA}' + DHCPD_REQUEST: '(?PREQUEST) for %{IP:client_ip}( \(%{DATA:server_ip}\))? from %{MAC:client_mac}( \(%{DATA:client_name}\))? %{DHCPD_VIA}' + DHCPD_DECLINE: '(?PDECLINE) of %{IP:client_ip} from %{MAC:client_mac}( \(%{DATA:client_name}\))? %{DHCPD_VIA}' + DHCPD_RELEASE: '(?PRELEASE) of %{IP:client_ip} from %{MAC:client_mac}( \(%{DATA:client_name}\))? %{DHCPD_VIA} \((?P(not )?found)\)' + DHCPD_INFORM: "(?PINFORM) from %{IP:client_ip}? %{DHCPD_VIA}" - name: parse_dns_https filter: "{{ parse_event.message.get('dns_records') != None and 'HTTPS' in parse_event.message.get('dns_records')}}" @@ -79,6 +87,8 @@ stages: event.type: ["info"] observer.vendor: "EfficientIp" client.port: "{{parse_event.message.client_port}}" + client.mac: "{{parse_event.message.client_mac}}" + source.domain: "{{parse_event.message.client_name}}" source.port: "{{parse_event.message.source_port}}" server.port: "{{parse_event.message.server_port}}" event.action: "{{parse_event.message.action}}" 
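Review bot: The named groups in the new DHCPD_* patterns are shown here without a name — `(?P[^: ]+)`, `(?PDISCOVER)`, `(?P(not )?found)` — while the sets in the last hunk read `interface_name`, `dhcp_operation` and `dhcpd_release`; this is most likely the angle-bracketed group name being stripped in rendering (the dhcp_ack_03 fixture expects `interface.name: vmx1`, which only works with a named group), but it is worth confirming the committed file carries the names. Separately, `DHCPD_VIA` matches and discards the bracketed lease time (`[14400]` in dhcp_ack_01) with `( \[%{INT}\])?`; capturing it, e.g. `( \[%{INT:lease_time}\])?`, would let the lease duration be mapped instead of dropped. `DHCPD_REQUEST` stores the parenthesised server address in `server_ip`, the same capture name the DNS patterns use for the responding DNS server, so any downstream mapping of `server_ip` now applies to DHCP servers as well — presumably intended, but worth a glance.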
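Review bot: `source.domain: "{{parse_event.message.client_name}}"` files the DHCP client's hostname under `source.*` while the same client's MAC and address go to `client.mac` / `client.ip` one line above and in the existing `client.port` set, so one entity is split across two ECS namespaces (dhcp_ack_01 expects `client.ip` 1.2.3.4 but `source.address` / `source.domain` FPHX). ECS `client.domain` keeps it in one place: `client.domain: "{{parse_event.message.client_name}}"`. If `related.hosts` is derived from `source.domain` elsewhere in the file (not visible here), that derivation would need `client.domain` added as well.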
@@ -175,3 +185,19 @@ stages: efficientip.rpz.query.class: "{{parse_event.message.rpz_query_class}}" efficientip.rpz.view: "{{parse_event.message.rpz_view}}" efficientip.rpz.source.name: "{{parse_event.message.source_name}}" + + - set: + efficientip.dhcp.interface.ip: "{{parse_event.message.interface_ip}}" + efficientip.dhcp.interface.name: "{{parse_event.message.interface_name}}" + + - set: + efficientip.dhcp.operation: "{{parse_event.message.dhcp_operation|lower}}" + filter: '{{parse_event.message.get("dhcp_operation") != None}}' + + - set: + efficientip.dhcp.release_state: "{{parse_event.message.dhcpd_release}}" + filter: '{{parse_event.message.get("dhcpd_release") != None}}' + + - set: + efficientip.dhcp.message: "{{parse_event.message.dhcpd_message}}" + filter: '{{parse_event.message.get("dhcpd_message") != None}}' diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_ack_01.json b/EfficientIP/solidserver-ddi/tests/dhcp_ack_01.json new file mode 100644 index 000000000..a57ba8e7c --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_ack_01.json 
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "DHCPACK on 1.2.3.4 to f8:82:d0:37:44:c7 (FPHX) via 1.0.0.1 [14400]", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPACK on 1.2.3.4 to f8:82:d0:37:44:c7 (FPHX) via 1.0.0.1 [14400]", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "ack" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "FPHX" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "FPHX", + "domain": "FPHX" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_ack_02.json b/EfficientIP/solidserver-ddi/tests/dhcp_ack_02.json new file mode 100644 index 000000000..9fa3f56bf --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_ack_02.json 
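Review bot: The expected output for a DHCP ACK carries `"dns": { "type": "query" }`, but a lease acknowledgement is not a DNS query, and any detection keyed on `dns.type` would now also fire on DHCP traffic; the same expectation appears in dhcp_ack_02, dhcp_ack_03 and dhcp_discover_01 through 04. The value presumably comes from an unconditional set outside this diff rather than from the new DHCP mapping, so the fix is to guard that set in the style the new hunks already use, e.g. `filter: '{{parse_event.message.get("dhcp_operation") == None}}'`, and drop `dns.type` from these fixtures. `network.transport: udp` is correct for DHCP and can stay.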
@@ -0,0 +1,50 @@ +{ + "input": { + "message": "DHCPACK on 1.2.3.4 to f8:82:d0:37:44:c7 via 1.0.0.1 [691200]", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPACK on 1.2.3.4 to f8:82:d0:37:44:c7 via 1.0.0.1 [691200]", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "ack" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_ack_03.json b/EfficientIP/solidserver-ddi/tests/dhcp_ack_03.json new file mode 100644 index 000000000..93e3857ad --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_ack_03.json @@ -0,0 +1,50 @@ +{ + "input": { + "message": "DHCPACK on 1.2.3.4 to f8:82:d0:37:44:c7 via vmx1 [691200]", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPACK on 1.2.3.4 to f8:82:d0:37:44:c7 via vmx1 [691200]", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "name": "vmx1" + }, + "operation": "ack" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } +} \ No newline at end of file 
diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_discover_01.json b/EfficientIP/solidserver-ddi/tests/dhcp_discover_01.json new file mode 100644 index 000000000..536411785 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_discover_01.json @@ -0,0 +1,52 @@ +{ + "input": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 (FPHX) via 1.0.0.1", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 (FPHX) via 1.0.0.1", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "discover" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "FPHX" + ] + }, + "source": { + "address": "FPHX", + "domain": "FPHX" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_discover_02.json b/EfficientIP/solidserver-ddi/tests/dhcp_discover_02.json new file mode 100644 index 000000000..b93efa9b9 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_discover_02.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1: load balance to peer failover-smart-dhcp.example.org", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1: load balance to peer failover-smart-dhcp.example.org", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "message": "load balance to peer failover-smart-dhcp.example.org", + "operation": "discover" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_discover_03.json b/EfficientIP/solidserver-ddi/tests/dhcp_discover_03.json new file mode 100644 index 000000000..7be7bb77a --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_discover_03.json @@ -0,0 +1,43 @@ +{ + "input": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "discover" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } +} \ No newline at end of file 
diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_discover_04.json b/EfficientIP/solidserver-ddi/tests/dhcp_discover_04.json new file mode 100644 index 000000000..2453b2ddc --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_discover_04.json @@ -0,0 +1,44 @@ +{ + "input": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1: network 1.0.0.0/24: no free leases", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1: network 1.0.0.0/24: no free leases", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "message": "network 1.0.0.0/24: no free leases", + "operation": "discover" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_discover_05.json b/EfficientIP/solidserver-ddi/tests/dhcp_discover_05.json new file mode 100644 index 000000000..b462ee891 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_discover_05.json 
@@ -0,0 +1,44 @@ +{ + "input": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1: unknown network segment", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPDISCOVER from f8:82:d0:37:44:c7 via 1.0.0.1: unknown network segment", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "message": "unknown network segment", + "operation": "discover" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_inform.json b/EfficientIP/solidserver-ddi/tests/dhcp_inform.json new file mode 100644 index 000000000..77980ddfe --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_inform.json @@ -0,0 +1,49 @@ +{ + "input": { + "message": "DHCPINFORM from 1.2.3.4 via 1.0.0.1", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPINFORM from 1.2.3.4 via 1.0.0.1", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "inform" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_nack.json b/EfficientIP/solidserver-ddi/tests/dhcp_nack.json new file mode 100644 index 000000000..497a51337 
--- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_nack.json @@ -0,0 +1,50 @@ +{ + "input": { + "message": "DHCPNACK on 1.2.3.4 to f8:82:d0:37:44:c7 via 1.0.0.1", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPNACK on 1.2.3.4 to f8:82:d0:37:44:c7 via 1.0.0.1", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "nack" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_offer_01.json b/EfficientIP/solidserver-ddi/tests/dhcp_offer_01.json new file mode 100644 index 000000000..9bcfc226d --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_offer_01.json @@ -0,0 +1,50 @@ +{ + "input": { + "message": "DHCPOFFER on 1.2.3.4 to f8:82:d0:37:44:c7 via 1.0.0.1 [14400]", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPOFFER on 1.2.3.4 to f8:82:d0:37:44:c7 via 1.0.0.1 [14400]", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "offer" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } +} \ No newline at end of file 
diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_offer_02.json b/EfficientIP/solidserver-ddi/tests/dhcp_offer_02.json new file mode 100644 index 000000000..1e35754ec --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_offer_02.json @@ -0,0 +1,57 @@ +{ + "input": { + "message": "DHCPOFFER on 1.2.3.4 to f8:82:d0:37:44:c7 (TL-WPA4220) via 1.0.0.1 [43200]", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPOFFER on 1.2.3.4 to f8:82:d0:37:44:c7 (TL-WPA4220) via 1.0.0.1 [43200]", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "offer" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "TL-WPA4220" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "TL-WPA4220", + "domain": "TL-WPA4220" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_release_01.json b/EfficientIP/solidserver-ddi/tests/dhcp_release_01.json new file mode 100644 index 000000000..09e9575f4 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_release_01.json 
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "DHCPRELEASE of 1.2.3.4 from f8:82:d0:37:44:c7 (TL-WPA4220) via vmx1 (found)", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPRELEASE of 1.2.3.4 from f8:82:d0:37:44:c7 (TL-WPA4220) via vmx1 (found)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "name": "vmx1" + }, + "operation": "release", + "release_state": "found" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "TL-WPA4220" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "TL-WPA4220", + "domain": "TL-WPA4220" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_release_02.json b/EfficientIP/solidserver-ddi/tests/dhcp_release_02.json new file mode 100644 index 000000000..4a32c5c57 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_release_02.json 
@@ -0,0 +1,51 @@ +{ + "input": { + "message": "DHCPRELEASE of 1.2.3.4 from f8:82:d0:37:44:c7 via vmx1 (found)", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPRELEASE of 1.2.3.4 from f8:82:d0:37:44:c7 via vmx1 (found)", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "name": "vmx1" + }, + "operation": "release", + "release_state": "found" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.4" + ] + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_request_01.json b/EfficientIP/solidserver-ddi/tests/dhcp_request_01.json new file mode 100644 index 000000000..09144f7d7 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_request_01.json 
@@ -0,0 +1,54 @@ +{ + "input": { + "message": "DHCPREQUEST for 1.2.3.4 (1.2.3.1) from f8:82:d0:37:44:c7 via 1.0.0.1", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPREQUEST for 1.2.3.4 (1.2.3.1) from f8:82:d0:37:44:c7 via 1.0.0.1", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "ip": "1.0.0.1" + }, + "operation": "request" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "ip": [ + "1.2.3.1", + "1.2.3.4" + ] + }, + "server": { + "ip": "1.2.3.1" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_request_02.json b/EfficientIP/solidserver-ddi/tests/dhcp_request_02.json new file mode 100644 index 000000000..d13f9dff8 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_request_02.json 
@@ -0,0 +1,57 @@ +{ + "input": { + "message": "DHCPREQUEST for 1.2.3.4 from f8:82:d0:37:44:c7 (TL-WPA4220) via vmx1", + "sekoiaio": { + "intake": { + "dialect": "EfficientIP SOLIDServer DDI", + "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644" + } + } + }, + "expected": { + "message": "DHCPREQUEST for 1.2.3.4 from f8:82:d0:37:44:c7 (TL-WPA4220) via vmx1", + "event": { + "category": [ + "network" + ], + "dataset": "solidserver-ddi", + "type": [ + "info" + ] + }, + "client": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "mac": "f8:82:d0:37:44:c7" + }, + "dns": { + "type": "query" + }, + "efficientip": { + "dhcp": { + "interface": { + "name": "vmx1" + }, + "operation": "request" + } + }, + "network": { + "transport": "udp" + }, + "observer": { + "vendor": "EfficientIp" + }, + "related": { + "hosts": [ + "TL-WPA4220" + ], + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "TL-WPA4220", + "domain": "TL-WPA4220" + } + } +} \ No newline at end of file diff --git a/EfficientIP/solidserver-ddi/tests/dhcp_request_03.json b/EfficientIP/solidserver-ddi/tests/dhcp_request_03.json new file mode 100644 index 000000000..76cf9e352 --- /dev/null +++ b/EfficientIP/solidserver-ddi/tests/dhcp_request_03.json 
@@ -0,0 +1,50 @@
+{
+ "input": {
+ "message": "DHCPREQUEST for 1.2.3.4 from f8:82:d0:37:44:c7 via vmx1",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "EfficientIP SOLIDServer DDI",
+ "dialect_uuid": "f95fea50-533c-4897-9272-2f8361e63644"
+ }
+ }
+ },
+ "expected": {
+ "message": "DHCPREQUEST for 1.2.3.4 from f8:82:d0:37:44:c7 via vmx1",
+ "event": {
+ "category": [
+ "network"
+ ],
+ "dataset": "solidserver-ddi",
+ "type": [
+ "info"
+ ]
+ },
+ "client": {
+ "address": "1.2.3.4",
+ "ip": "1.2.3.4",
+ "mac": "f8:82:d0:37:44:c7"
+ },
+ "dns": {
+ "type": "query"
+ },
+ "efficientip": {
+ "dhcp": {
+ "interface": {
+ "name": "vmx1"
+ },
+ "operation": "request"
+ }
+ },
+ "network": {
+ "transport": "udp"
+ },
+ "observer": {
+ "vendor": "EfficientIp"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Fortinet/fortigate/_meta/smart-descriptions.json b/Fortinet/fortigate/_meta/smart-descriptions.json
index 3017002ce..d1f06e563 100644
--- a/Fortinet/fortigate/_meta/smart-descriptions.json
+++ b/Fortinet/fortigate/_meta/smart-descriptions.json
@@ -24,6 +24,31 @@
 }
 ]
 },
+ {
+ "value": "{source.ip} connected to {destination.ip}:{destination.port}",
+ "conditions": [
+ {
+ "field": "action.outcome",
+ "value": "success"
+ },
+ {
+ "field": "source.ip"
+ },
+ {
+ "field": "destination.ip"
+ },
+ {
+ "field": "destination.port"
+ }
+ ],
+ "relationships": [
+ {
+ "source": "source.ip",
+ "target": "destination.ip",
+ "type": "connected to"
+ }
+ ]
+ },
 {
 "value": "{source.ip} was denied a connection to {destination.ip}:{destination.port}",
 "conditions": [
diff --git a/Fortinet/fortigate/ingest/parser.yml b/Fortinet/fortigate/ingest/parser.yml
index 000b90405..9cb6f3f7d 100644
--- a/Fortinet/fortigate/ingest/parser.yml
+++ b/Fortinet/fortigate/ingest/parser.yml
@@ -241,6 +241,7 @@ stages:
 fortinet.fortigate.policyid: "{{parsed_event.message.policyid}}"
 fortinet.fortigate.poluuid: "{{parsed_event.message.poluuid}}"
 network.forwarded_ip: "{{parsed_event.message.forwardedfor}}"
+ group.name: "{{parsed_event.message.group or parsed_event.message.FTNTFGTgroup}}"
 - set:
 fortinet.fortigate.poluuid: "{{parsed_event.message.uuid}}"
diff --git a/Fortinet/fortigate/tests/test_group_field.json b/Fortinet/fortigate/tests/test_group_field.json
new file mode 100644
index 000000000..5e683a864
--- /dev/null
+++ b/Fortinet/fortigate/tests/test_group_field.json
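Review bot: The new `group.name` is filled from the FortiGate `group=`/`FTNTFGTgroup=` key, which in the test_group_field_1 fixture is the user group returned by `authserver="azure-saml"` for the authenticated `user`. ECS models a subject's group under `user.group.name`; the top-level `group` field set is for a group that is itself the entity of the event, so cross-intake queries that join a user to its groups will not see this value. If `group.name` is kept for query convenience, mirroring it with `user.group.name: "{{parsed_event.message.group or parsed_event.message.FTNTFGTgroup}}"` satisfies both conventions without breaking the new fixtures. The `- set:` block this line belongs to starts outside the hunk.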
@@ -0,0 +1,92 @@ +{ + "input": { + "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\"", + "sekoiaio": { + "intake": { + "dialect": "Fortinet FortiGate", + "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981" + } + } + }, + "expected": { + "message": "time=09:35:30 devname=\"eee-111-111-ff-11\" devid=\"FG00000000000000\" eventtime=1735202130361752831 tz=\"+0100\" logid=\"0000000011\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"EFF\" srcip=1.2.3.4 srcport=10000 srcintf=\"EFF-WAN-0000\" srcintfrole=\"lan\" dstip=5.6.7.8 dstport=443 dstintf=\"EFF-DMZ-0000\" dstintfrole=\"lan\" srccountry=\"France\" dstcountry=\"France\" sessionid=400190000 proto=6 action=\"client-rst\" policyid=1018 policytype=\"policy\" poluuid=\"38fa6456-a819-51ef-3c99-000000000000000000\" service=\"HTTPS\" trandisp=\"dnat\" tranip=1.2.3.4 tranport=443 duration=6 sentbyte=100 rcvdbyte=52 sentpkt=2 rcvdpkt=1 appcat=\"unscanned\"", + "event": { + "action": "client-rst", + "category": "traffic", + "code": "0000000011", + "dataset": "traffic:forward", + "outcome": "success", + "timezone": "+0100" + }, + "@timestamp": "2024-12-26T08:35:30.361753Z", + "action": { + "name": "client-rst", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, + "destination": { + "address": "5.6.7.8", + "bytes": 52, + "ip": "5.6.7.8", + "nat": { + "ip": "1.2.3.4" + 
}, + "packets": 1, + "port": 443 + }, + "fortinet": { + "fortigate": { + "event": { + "type": "traffic" + }, + "policyid": "1018", + "poluuid": "38fa6456-a819-51ef-3c99-000000000000000000", + "virtual_domain": "EFF" + } + }, + "log": { + "hostname": "eee-111-111-ff-11", + "level": "notice" + }, + "network": { + "bytes": 152, + "protocol": "https", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "EFF-DMZ-0000" + } + }, + "hostname": "eee-111-111-ff-11", + "ingress": { + "interface": { + "name": "EFF-WAN-0000" + } + }, + "serial_number": "FG00000000000000" + }, + "related": { + "hosts": [ + "eee-111-111-ff-11" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ] + }, + "rule": { + "category": "unscanned", + "ruleset": "policy" + }, + "source": { + "address": "1.2.3.4", + "bytes": 100, + "ip": "1.2.3.4", + "packets": 2, + "port": 10000 + } + } +} \ No newline at end of file diff --git a/Fortinet/fortigate/tests/test_group_field_1.json b/Fortinet/fortigate/tests/test_group_field_1.json new file mode 100644 index 000000000..364680578 --- /dev/null +++ b/Fortinet/fortigate/tests/test_group_field_1.json 
@@ -0,0 +1,105 @@ +{ + "input": { + "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\"", + "sekoiaio": { + "intake": { + "dialect": "Fortinet FortiGate", + "dialect_uuid": "5702ae4e-7d8a-455f-a47b-ef64dd87c981" + } + } + }, + "expected": { + "message": "time=14:53:11 devname=\"FFF00D_TEST02\" devid=\"FGT3HD300000000\" eventtime=1735000001620000000 tz=\"+0100\" logid=\"0000000010\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=1.2.3.4 srcport=50000 srcintf=\"ssl.root\" srcintfrole=\"undefined\" dstip=5.6.5.7 dstport=80 dstintf=\"VPNM-TEST\" dstintfrole=\"undefined\" srccountry=\"Reserved\" dstcountry=\"Reserved\" sessionid=100100046 proto=6 action=\"close\" policyid=274 policytype=\"policy\" poluuid=\"ac8ed64c-54e7-51eb-3525-d610000000000\" user=\"xxxxx.xxxxx@test.fr\" group=\"TEST-SAML\" authserver=\"azure-saml\" service=\"HTTP\" trandisp=\"snat\" transip=1.0.5.8 transport=50066 duration=7 sentbyte=18800 rcvdbyte=7900 sentpkt=30 rcvdpkt=29 vpn=\"VPNM-TEST\" vpntype=\"ipsec-static\" appcat=\"unscanned\"", + "event": { + "action": "close", + "category": "traffic", + "code": "0000000010", + "dataset": "traffic:forward", + "outcome": "success", + "timezone": "+0100" + }, + "@timestamp": 
"2024-12-24T00:26:41.620000Z", + "action": { + "name": "close", + "outcome": "success", + "target": "network-traffic", + "type": "forward" + }, + "destination": { + "address": "5.6.5.7", + "bytes": 7900, + "ip": "5.6.5.7", + "packets": 29, + "port": 80 + }, + "fortinet": { + "fortigate": { + "event": { + "type": "traffic" + }, + "policyid": "274", + "poluuid": "ac8ed64c-54e7-51eb-3525-d610000000000", + "virtual_domain": "root" + } + }, + "group": { + "name": "TEST-SAML" + }, + "log": { + "hostname": "FFF00D_TEST02", + "level": "notice" + }, + "network": { + "bytes": 26700, + "protocol": "http", + "transport": "tcp" + }, + "observer": { + "egress": { + "interface": { + "name": "VPNM-TEST" + } + }, + "hostname": "FFF00D_TEST02", + "ingress": { + "interface": { + "name": "ssl.root" + } + }, + "serial_number": "FGT3HD300000000" + }, + "related": { + "hosts": [ + "FFF00D_TEST02" + ], + "ip": [ + "1.0.5.8", + "1.2.3.4", + "5.6.5.7" + ], + "user": [ + "xxxxx.xxxxx@test.fr" + ] + }, + "rule": { + "category": "unscanned", + "ruleset": "policy" + }, + "source": { + "address": "1.2.3.4", + "bytes": 18800, + "ip": "1.2.3.4", + "nat": { + "ip": "1.0.5.8" + }, + "packets": 30, + "port": 50000, + "user": { + "name": "xxxxx.xxxxx@test.fr" + } + }, + "user": { + "name": "xxxxx.xxxxx@test.fr" + } + } +} \ No newline at end of file diff --git a/Fortinet/fortigate/tests/tunnel.json b/Fortinet/fortigate/tests/tunnel.json index 41a34c2c2..70ffc2c82 100644 --- a/Fortinet/fortigate/tests/tunnel.json +++ b/Fortinet/fortigate/tests/tunnel.json @@ -37,6 +37,9 @@ "virtual_domain": "IPSEC" } }, + "group": { + "name": "GRP_Generic_JAIL_VPN" + }, "log": { "description": "SSL VPN statistics", "hostname": "abc", diff --git a/GateWatcher/aioniq_ecs/_meta/manifest.yml b/GateWatcher/aioniq_ecs/_meta/manifest.yml index a1e0c5867..1b4efda9d 100644 --- a/GateWatcher/aioniq_ecs/_meta/manifest.yml +++ b/GateWatcher/aioniq_ecs/_meta/manifest.yml 
@@ -8,4 +8,4 @@ description: >- data_sources: Network intrusion detection system: AIONIQ identify suspicious behaviors Network protocol analysis: AIONIQ analyze traffic protocol - +automation_module_uuid: 65d0b877-3e3c-4ce8-b184-1db084a1acd3 diff --git a/Google Cloud/google-report/_meta/manifest.yml b/Google Cloud/google-report/_meta/manifest.yml index fa9b49df2..dc2e8fd17 100644 --- a/Google Cloud/google-report/_meta/manifest.yml +++ b/Google Cloud/google-report/_meta/manifest.yml @@ -4,6 +4,6 @@ automation_module_uuid: 4f682a9e-9a25-43a5-8a48-cd9bd7fade7e name: Google Report slug: google-report description: >- - The Google Report is a Google service that provides detailed activity reports for Google Workspace (formerly G Suite) accounts. It offers access to audit logs for various services like Gmail, Drive, Google Meet, Google Calendar, and more. And in our case we do this for drive application. So administrators can retreive all important informations about drive application. + The Google Report is a Google service that provides detailed activity reports for Google Workspace (formerly G Suite) accounts. It offers access to audit logs for various services like Gmail, Drive, Google Meet, Google Calendar, and more. data_sources: GCP audit logs: Google Cloud Audit contains logs from multiple Google Cloud source such as Google Workspace. diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 287c50c83..adbbed8b0 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml 
@@ -123,8 +123,14 @@ stages:
 - set:
 harfanglab.rule_level: "{{json_event.message.rules[0].rule_level}}"
+ rule.name: "{{json_event.message.rules[0].rule_name}}"
+ rule.category: "{{json_event.message.rules[0].rule_type}}"
 filter: "{{json_event.message.rules | length > 0}}"
+ - set:
+ user.name: '{{json_event.message.impacted_users[0].user_name.replace("\\", " ")}}'
+ filter: "{{json_event.message.impacted_users | length > 0}}"
+
 agent_info:
 actions:
 - set:
diff --git a/HarfangLab/harfanglab/tests/test_threat_log_1.json b/HarfangLab/harfanglab/tests/test_threat_log_1.json
new file mode 100644
index 000000000..214262ea3
--- /dev/null
+++ b/HarfangLab/harfanglab/tests/test_threat_log_1.json
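Review bot: `user.name` is produced by replacing the backslash in `impacted_users[0].user_name` with a space, so `JONE\doe` becomes `JONE doe` (see test_threat_log_1), a value that matches neither the bare account name other intakes put in `user.name` nor an ECS `user.domain`/`user.name` pair, and it also flows into `related.user`, where cross-source pivots on the account will miss it. Splitting instead of replacing keeps both halves usable: `user.domain: '{{json_event.message.impacted_users[0].user_name.split("\\")[0]}}'` and `user.name: '{{json_event.message.impacted_users[0].user_name.split("\\")[-1]}}'`, with a `"\\" in …user_name` filter on the domain line so a name without a domain does not get copied into `user.domain`. Both new `set` stages read only element `[0]` of `rules` and `impacted_users` although the input carries `rule_count` and `impacted_user_count`; a comment such as `# only the first rule / impacted user is mapped; remaining entries stay in the raw message` would stop the next reader from assuming all are mapped. The `stages:` list these blocks belong to starts outside the hunk.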
@@ -0,0 +1,53 @@ +{ + "input": { + "message": "{\"log_type\":\"threat\",\"id\":14904,\"first_seen\":\"2024-12-23T04:47:00-06:00\",\"last_seen\":\"2024-12-23T04:47:00-06:00\",\"status\":\"new\",\"level\":\"critical\",\"last_update\":\"2024-12-23T04:47:16.555804-06:00\",\"total_security_event_count\":1,\"agents\":[{\"agent_id\":\"94777777-8888-aaaa-ffff-0000000000000\",\"agent_hostname\":\"B810000\",\"agent_ostype\":\"windows\",\"security_event_count\":1}],\"agent_count\":1,\"rules\":[{\"id\":218000,\"rule_id\":\"Ransomware Detected via Canary File\",\"rule_level\":\"critical\",\"rule_name\":\"Ransomware Detected via Canary File\",\"security_event_count\":1,\"rule_type\":\"ransom\",\"rule_msg\":\"The C:\\\\Users\\\\benelarabis\\\\ransomguard.docx canary file was deleted.\",\"creation_date\":null,\"last_update\":null,\"description\":null,\"rule_os\":[]}],\"rule_count\":1,\"impacted_users\":[{\"user_name\":\"JONE\\\\doe\",\"user_sid\":\"S-1-1-11-111111111111-222222222-3333333333-33333\",\"security_event_count\":1}],\"impacted_user_count\":1,\"creation_date\":\"2024-12-23T04:47:16.555819-06:00\",\"groups\":[{\"id\":\"fa59ed2b-3333-4444-9999-e9cccccccccc5\",\"name\":\"test group\"},{\"id\":\"36b1f96b-3333-4444-9999-e9cccccccccc5\",\"name\":\"test group 1\"},{\"id\":\"db322316-3333-4444-9999-e9cccccccccc5\",\"name\":\"test group 2\"}]}", + "sekoiaio": { + "intake": { + "dialect": "HarfangLab EDR", + "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2" + } + } + }, + "expected": { + "message": "{\"log_type\":\"threat\",\"id\":14904,\"first_seen\":\"2024-12-23T04:47:00-06:00\",\"last_seen\":\"2024-12-23T04:47:00-06:00\",\"status\":\"new\",\"level\":\"critical\",\"last_update\":\"2024-12-23T04:47:16.555804-06:00\",\"total_security_event_count\":1,\"agents\":[{\"agent_id\":\"94777777-8888-aaaa-ffff-0000000000000\",\"agent_hostname\":\"B810000\",\"agent_ostype\":\"windows\",\"security_event_count\":1}],\"agent_count\":1,\"rules\":[{\"id\":218000,\"rule_id\":\"Ransomware 
Detected via Canary File\",\"rule_level\":\"critical\",\"rule_name\":\"Ransomware Detected via Canary File\",\"security_event_count\":1,\"rule_type\":\"ransom\",\"rule_msg\":\"The C:\\\\Users\\\\benelarabis\\\\ransomguard.docx canary file was deleted.\",\"creation_date\":null,\"last_update\":null,\"description\":null,\"rule_os\":[]}],\"rule_count\":1,\"impacted_users\":[{\"user_name\":\"JONE\\\\doe\",\"user_sid\":\"S-1-1-11-111111111111-222222222-3333333333-33333\",\"security_event_count\":1}],\"impacted_user_count\":1,\"creation_date\":\"2024-12-23T04:47:16.555819-06:00\",\"groups\":[{\"id\":\"fa59ed2b-3333-4444-9999-e9cccccccccc5\",\"name\":\"test group\"},{\"id\":\"36b1f96b-3333-4444-9999-e9cccccccccc5\",\"name\":\"test group 1\"},{\"id\":\"db322316-3333-4444-9999-e9cccccccccc5\",\"name\":\"test group 2\"}]}", + "event": { + "dataset": "threat", + "end": "2024-12-23T10:47:00Z", + "start": "2024-12-23T10:47:00Z" + }, + "agent": { + "name": "harfanglab" + }, + "harfanglab": { + "agent_ids": [ + "94777777-8888-aaaa-ffff-0000000000000" + ], + "count": { + "rules": 1, + "users_impacted": 1 + }, + "groups": [ + "{\"id\": \"36b1f96b-3333-4444-9999-e9cccccccccc5\", \"name\": \"test group 1\"}", + "{\"id\": \"db322316-3333-4444-9999-e9cccccccccc5\", \"name\": \"test group 2\"}", + "{\"id\": \"fa59ed2b-3333-4444-9999-e9cccccccccc5\", \"name\": \"test group\"}" + ], + "level": "critical", + "rule_level": "critical", + "status": "new", + "threat_id": "14904" + }, + "related": { + "user": [ + "JONE doe" + ] + }, + "rule": { + "category": "ransom", + "name": "Ransomware Detected via Canary File" + }, + "user": { + "name": "JONE doe", + "roles": "testgroup,testgroup1,testgroup2" + } + } +} \ No newline at end of file diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index ce1d2faa4..7c15c06a1 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json 
@@ -28,6 +28,9 @@
 },
 "organization": {
 "id": "11111111111111111111"
+ },
+ "rule": {
+ "name": "Recommended driver block list"
 }
 }
 }
\ No newline at end of file
diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json
index bed91707b..c208a69b4 100644
--- a/HarfangLab/harfanglab/tests/threat_log.json
+++ b/HarfangLab/harfanglab/tests/threat_log.json
@@ -32,7 +32,16 @@
 "organization": {
 "id": "111111111111111"
 },
+ "related": {
+ "user": [
+ "root"
+ ]
+ },
+ "rule": {
+ "name": "NewLaunchDaemonaddedviacommandline"
+ },
 "user": {
+ "name": "root",
 "roles": "MyGroup!"
 }
 }
diff --git a/Mimecast/mimecast-email-security/_meta/fields.yml b/Mimecast/mimecast-email-security/_meta/fields.yml
index d28378aca..47c39d6ab 100644
--- a/Mimecast/mimecast-email-security/_meta/fields.yml
+++ b/Mimecast/mimecast-email-security/_meta/fields.yml
@@ -40,6 +40,11 @@ mimecast.siem.rejection.type:
 name: mimecast.siem.rejection.type
 type: keyword
+mimecast.siem.scan_results:
+ description: The reason that the click was blocked.
+ name: mimecast.siem.scan_results
+ type: keyword
+
 mimecast.siem.virus_found:
 description: The name of the virus found on the email, if applicable.
 name: mimecast.siem.virus_found
diff --git a/Mimecast/mimecast-email-security/_meta/smart-descriptions.json b/Mimecast/mimecast-email-security/_meta/smart-descriptions.json
index d3968018e..2198bf43e 100644
--- a/Mimecast/mimecast-email-security/_meta/smart-descriptions.json
+++ b/Mimecast/mimecast-email-security/_meta/smart-descriptions.json
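Review bot: The `mimecast.siem.scan_results` description in fields.yml, `The reason that the click was blocked.`, documents a URL Protect click outcome, but the parser change in this commit maps `scanResults` into the field for every log type without a dataset filter, and the new smart description `{mimecast.siem.scan_results} on email from {email.from.address}` is likewise unconditioned. If `scanResults` does appear on other Mimecast log types, as the unconditioned mapping suggests, a broader wording such as `description: Result of the Mimecast scan; for URL Protect logs, the reason the click was blocked.` would stop analysts from reading every value as a click block. If it is URL Protect only, the parser mapping is the place to say so with a filter.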
@@ -1,7 +1,19 @@
 [
 {
 "value": "{mimecast.siem.rejection.info} for email from {email.from.address}",
- "conditions": [{ "field": "mimecast.siem.rejection.info" }]
+ "conditions": [
+ { "field": "mimecast.siem.rejection.info" },
+ { "field": "email.from.address" }
+ ]
+ },
+ {
+ "value": "Protected {email.to.address} by {event.action} URL {url.original}",
+ "conditions": [
+ { "field": "event.dataset", "value": "url protect" },
+ { "field": "event.action" },
+ { "field": "email.to.address" },
+ { "field": "url.original" }
+ ]
 },
 {
 "value": "{event.action} {email.direction} email from {email.from.address} to {email.to.address}",
@@ -26,5 +38,34 @@
 { "field": "event.action" },
 { "field": "email.from.address" }
 ]
+ },
+ {
+ "value": "Spam detected in email from {email.from.address} to {email.to.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "spam" },
+ { "field": "email.from.address" },
+ { "field": "email.to.address" }
+ ]
+ },
+ {
+ "value": "Attachment Protect triggered on file {email.attachments.file.name}",
+ "conditions": [
+ { "field": "event.dataset", "value": "attachment protect" },
+ { "field": "email.attachments.file.name" }
+ ]
+ },
+ {
+ "value": "AV detected {mimecast.siem.virus_found} in file {email.attachments.file.name} from {email.from.address}",
+ "conditions": [
+ { "field": "event.dataset", "value": "av" },
+ { "field": "mimecast.siem.virus_found" }
+ ]
+ },
+ {
+ "value": "{mimecast.siem.scan_results} on email from {email.from.address}",
+ "conditions": [
+ { "field": "mimecast.siem.scan_results" },
+ { "field": "email.from.address" }
+ ]
 }
 ]
diff --git a/Mimecast/mimecast-email-security/ingest/parser.yml b/Mimecast/mimecast-email-security/ingest/parser.yml
index 41d3d89de..d5f5cd38f 100644
--- a/Mimecast/mimecast-email-security/ingest/parser.yml
+++ b/Mimecast/mimecast-email-security/ingest/parser.yml
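Review bot: The `AV detected …` entry in the second hunk interpolates `email.attachments.file.name` and `email.from.address` but its conditions require only `event.dataset == av` and `mimecast.siem.virus_found`, whereas every other entry in this file (including the rejection entry the first hunk just fixed for the same reason) lists each placeholder it uses; an AV event without an attachment name or sender would render with empty slots. Adding `{ "field": "email.attachments.file.name" }, { "field": "email.from.address" }` to that conditions array brings it in line. The `Protected {email.to.address} by {event.action} URL {url.original}` wording also reads awkwardly once `event.action` is substituted; `{event.action} URL {url.original} in email to {email.to.address}` would read as a sentence for the same fields.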
@@ -7,6 +7,16 @@ pipeline: input_field: "{{original.message}}" output_field: message + - name: parse_rejectioninfo + filter: '{{ "Url" in parse_event.message.rejectionInfo}}' + external: + name: kv.parse-kv + properties: + input_field: '{{parse_event.message.rejectionInfo.replace("[","").replace("]","")}}' + output_field: message + value_sep: ":" + item_sep: "," + - name: set_ecs_fields stages: @@ -34,11 +44,7 @@ stages: source.ip: "{{parse_event.message.senderIp}}" email.message_id: "{{parse_event.message.messageId.lstrip('<').rstrip('>')}}" - email.to.address: ["{{parse_event.message.recipients}}"] - email.from.address: - [ - "{{parse_event.message.senderEnvelope or parse_event.message.senderHeader}}", - ] + email.subject: "{{parse_event.message.subject}}" mimecast.siem.rejection.code: "{{parse_event.message.rejectionCode}}" mimecast.siem.rejection.info: "{{parse_event.message.rejectionInfo}}" @@ -49,7 +55,21 @@ stages: mimecast.siem.delivered: "{{parse_event.message.delivered}}" mimecast.siem.delivery_errors: "{{parse_event.message.deliveryErrors}}" + mimecast.siem.scan_results: "{{parse_event.message.scanResults}}" + destination.ip: "{{parse_event.message.destinationIp}}" + url.original: "{{parse_event.message.url}}" + + - set: + email.to.address: ["{{parse_event.message.recipients}}"] + filter: "{{parse_event.message.get('recipients') != None}}" + + - set: + email.from.address: + [ + "{{parse_event.message.senderEnvelope or parse_event.message.senderHeader}}", + ] + filter: "{{parse_event.message.get('senderEnvelope') != None or parse_event.message.get('senderHeader') != None}}" - set: email.attachments: 
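Review bot: `parse_rejectioninfo` is gated on `"Url" in parse_event.message.rejectionInfo`, but `rejectionInfo` is `null` on delivery events (see test_delivery.json in this commit), and in plain Jinja an `in` test against `None` raises rather than returning false; confirm the filter evaluator treats that as a non-match, or guard it with `parse_event.message.rejectionInfo and "Url" in parse_event.message.rejectionInfo`. The extraction itself strips every `[` and `]` from the field and then splits on `:` and `,`, so a rejected URL containing a comma or a bracket — content chosen by the sender, not by Mimecast — ends up truncated in `url.original`, which is the indicator analysts will search on. A capture anchored on the field's own layout, such as a regex on `Url: \[([^\]]*)\]`, would be more robust than bracket stripping followed by a generic key/value split.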
> @@ -58,3 +78,15 @@ stages: {"file": {"name": "{{ item.strip('" ') }}"}}, {%- endfor -%} ] + filter: "{{parse_event.message.get('attachments') != None}}" + + - set: + email.attachments: > + [ + {"file": {"name": "{{ parse_event.message.fileName.strip('" ') }}"}}, + ] + filter: "{{parse_event.message.get('fileName') != None}}" + + - set: + url.original: "{{ parse_rejectioninfo.message.Url }}" + filter: '{{ "Url" in parse_event.message.rejectionInfo}}' diff --git a/Mimecast/mimecast-email-security/tests/test_attachment_protect.json b/Mimecast/mimecast-email-security/tests/test_attachment_protect.json new file mode 100644 index 000000000..b4a3345f7 --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_attachment_protect.json 
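Review bot: The new `email.from.address` filter tests `senderEnvelope` and `senderHeader` with `!= None`, so an event whose `senderEnvelope` is an empty string and whose `senderHeader` is absent passes the filter, and `senderEnvelope or senderHeader` renders `None` into the address list — the same stringified-null problem this commit removes from the `to.address` fixtures (`"null"`). A truthiness check covers both null and empty in one expression: `filter: "{{ (parse_event.message.get('senderEnvelope') or parse_event.message.get('senderHeader') or '') != '' }}"`, and the `recipients` filter would benefit from the same form. The `stages` list these `set` entries belong to starts above the hunk.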
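Review bot: Two consecutive `set` stages now write `email.attachments`, one from `attachments` and one from `fileName`; for an event that carries both keys the second stage appears to replace the first, so the comma-separated attachment list would be lost in favour of the single file name. If both keys can occur on one event, either make the `fileName` stage's filter also require `attachments` to be absent — `filter: "{{ parse_event.message.get('fileName') != None and parse_event.message.get('attachments') == None }}"` — or merge the two into one list. The `url.original` stage also repeats the `"Url" in ... rejectionInfo` expression from `parse_rejectioninfo` verbatim, so the two conditions can drift apart; keying the set on the parsed result (`parse_rejectioninfo.message.get('Url') != None`) would keep them in step, assuming a skipped stage yields an empty mapping here. The `email.attachments` block this hunk extends starts above it.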
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"fileExtension\": \"xlsm\", \"subType\": null, \"eventType\": \"attachment protect\", \"timestamp\": 1689692409135, \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"fileExtension\": \"xlsm\", \"subType\": null, \"eventType\": \"attachment protect\", \"timestamp\": 1689692409135, \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}", + "event": { + "category": [ + "email" + ], + "dataset": "attachment protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-18T15:00:09.135000Z", + "email": { + "attachments": [ + { + "file": { + "name": "tpsreport.docx" + } + } + ] + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId" + } + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_av_logs.json b/Mimecast/mimecast-email-security/tests/test_av_logs.json new file mode 100644 index 000000000..0ffb637ed --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_av_logs.json 
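Review bot: The input carries `sha1`, `sha256` and `md5` for the attachment, but the expected output maps only the file name, so the hashes an analyst would pivot on are dropped; test_av_logs.json in the next hunk has the same gap. Unless the parser maps them somewhere not in this diff, adding `email.attachments.file.hash.sha256` (with `.sha1` and `.md5`) alongside `file.name` in the parser and in these expectations would make the fixtures exercise the full attachment object. The sample also pairs `fileName: tpsreport.docx` with `fileExtension: xlsm`, which is harmless for the test but worth knowing comes from the vendor sample rather than from a real event.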
@@ -0,0 +1,56 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"subject\": \"siem_av - email subject line\", \"senderEnvelope\": \"auser@mimecast.com\", \"messageId\": \"messageId\", \"senderDomainInternal\": \"true\", \"eventType\": \"av\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"virusFound\": \"bad.virus.found\", \"route\": \"Inbound\", \"recipients\": \"auser@mimecast.com\", \"fileExtension\": \"docx\", \"subType\": null, \"senderIp\": \"123.123.123.123\", \"senderDomain\": \"mimecast.com\", \"timestamp\": 1689685338586, \"emailSize\": \"1648832\", \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"fileName\": \"tpsreport.docx\", \"sha256\": \"efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12\", \"subject\": \"siem_av - email subject line\", \"senderEnvelope\": \"auser@mimecast.com\", \"messageId\": \"messageId\", \"senderDomainInternal\": \"true\", \"eventType\": \"av\", \"sha1\": \"816b013c8be6e5708690645964b5d442c085041e\", \"accountId\": \"C0A0\", \"virusFound\": \"bad.virus.found\", \"route\": \"Inbound\", \"recipients\": \"auser@mimecast.com\", \"fileExtension\": \"docx\", \"subType\": null, \"senderIp\": \"123.123.123.123\", \"senderDomain\": \"mimecast.com\", \"timestamp\": 1689685338586, \"emailSize\": \"1648832\", \"md5\": \"4dbe9dbfb53438d9ce410535355cd973\"}", + "event": { + "category": [ + "email" + ], + "dataset": "av", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-18T13:02:18.586000Z", + "email": { + "attachments": [ + { + "file": { + "name": "tpsreport.docx" + } + } + ], + "from": { + "address": [ + "auser@mimecast.com" + ] + }, + "message_id": "messageId", + "subject": "siem_av - 
email subject line", + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId", + "virus_found": "bad.virus.found" + } + }, + "related": { + "ip": [ + "123.123.123.123" + ] + }, + "source": { + "address": "123.123.123.123", + "ip": "123.123.123.123" + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_delivery.json b/Mimecast/mimecast-email-security/tests/test_delivery.json new file mode 100644 index 000000000..2475bff2d --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_delivery.json 
@@ -0,0 +1,50 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731187649343, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"delivered\": \"true\", \"destinationIp\": \"5.6.7.8\", \"Hostname\": \"mail-111111111.inbound.protection.outlook.com\", \"numberAttachments\": \"0\", \"direction\": \"Inbound\", \"totalSizeAttachments\": \"0\", \"deliveryAttempts\": \"1\", \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"emailSize\": \"30126\", \"tlsUsed\": \"Yes\", \"route\": \"Office 365 Inbound Routing Policy Definition\", \"deliveryErrors\": null, \"rejectionType\": null, \"rejectionCode\": null, \"rejectionInfo\": null, \"deliveryTime\": \"5333\", \"type\": \"delivery\", \"subtype\": \"true\", \"_offset\": 1069263, \"_partition\": 66}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731187649343, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"delivered\": \"true\", \"destinationIp\": \"5.6.7.8\", \"Hostname\": \"mail-111111111.inbound.protection.outlook.com\", \"numberAttachments\": \"0\", \"direction\": \"Inbound\", \"totalSizeAttachments\": \"0\", \"deliveryAttempts\": \"1\", \"tlsVersion\": \"TLSv1.3\", \"tlsCipher\": \"TLS_AES_256_GCM_SHA384\", \"emailSize\": \"30126\", \"tlsUsed\": \"Yes\", \"route\": \"Office 365 Inbound Routing Policy Definition\", \"deliveryErrors\": null, \"rejectionType\": null, \"rejectionCode\": null, \"rejectionInfo\": null, \"deliveryTime\": \"5333\", \"type\": \"delivery\", \"subtype\": \"true\", \"_offset\": 1069263, 
\"_partition\": 66}", + "event": { + "category": [ + "email" + ], + "dataset": "delivery", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-09T21:27:29.343000Z", + "destination": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "email": { + "direction": "Inbound", + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "message_id": "11111111111111111111111111111111111111@mail.gmail.com", + "subject": "My little subject", + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "delivered": true, + "processing_id": "processingId" + } + }, + "related": { + "ip": [ + "5.6.7.8" + ] + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_impersonation_protect.json b/Mimecast/mimecast-email-security/tests/test_impersonation_protect.json new file mode 100644 index 000000000..2485acafd --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_impersonation_protect.json 
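Review bot: The delivery input includes `tlsUsed`, `tlsVersion` and `tlsCipher`, yet the expected output has no `tls` object, so the negotiated-transport details that matter when triaging mail delivery are not surfaced; unless the parser maps them in a part not shown, `tls.version` / `tls.version_protocol` and `tls.cipher` (ECS) are the natural targets, with `tlsUsed` deciding whether they are set. `Hostname` is likewise left unmapped while `destinationIp` becomes `destination.ip`; `destination.domain` would pair with it.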
@@ -0,0 +1,48 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"taggedMalicious\": \"false\", \"subject\": \"siem_impersonation - email subject line\", \"internalUserName\": \"false\", \"senderEnvelope\": \"auser@mimecast.com\", \"policyDefinition\": \"Default Impersonation Definition\", \"newDomain\": \"false\", \"customThreatDictionary\": \"false\", \"action\": \"Hold\", \"senderIp\": \"123.123.123.123\", \"timestamp\": 1689685338545, \"similarInternalDomain\": \"false\", \"messageId\": \"\", \"eventType\": \"impersonation protect\", \"itemsDetected\": \"1\", \"mimecastThreatDictionary\": \"false\", \"accountId\": \"C0A0\", \"customNameMatch\": \"false\", \"route\": \"Inbound\", \"similarMimecastExternalDomain\": \"false\", \"recipients\": \"auser@mimecast.com\", \"similarCustomExternalDomain\": \"false\", \"subType\": \"Hold\", \"taggedExternal\": \"false\", \"replyMismatch\": \"false\"}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"taggedMalicious\": \"false\", \"subject\": \"siem_impersonation - email subject line\", \"internalUserName\": \"false\", \"senderEnvelope\": \"auser@mimecast.com\", \"policyDefinition\": \"Default Impersonation Definition\", \"newDomain\": \"false\", \"customThreatDictionary\": \"false\", \"action\": \"Hold\", \"senderIp\": \"123.123.123.123\", \"timestamp\": 1689685338545, \"similarInternalDomain\": \"false\", \"messageId\": \"\", \"eventType\": \"impersonation protect\", \"itemsDetected\": \"1\", \"mimecastThreatDictionary\": \"false\", \"accountId\": \"C0A0\", \"customNameMatch\": \"false\", \"route\": \"Inbound\", \"similarMimecastExternalDomain\": \"false\", \"recipients\": \"auser@mimecast.com\", \"similarCustomExternalDomain\": \"false\", \"subType\": \"Hold\", \"taggedExternal\": \"false\", \"replyMismatch\": \"false\"}", + "event": { + "action": "Hold", + "category": [ + "email" + ], + "dataset": 
"impersonation protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2023-07-18T13:02:18.545000Z", + "email": { + "from": { + "address": [ + "auser@mimecast.com" + ] + }, + "subject": "siem_impersonation - email subject line", + "to": { + "address": [ + "auser@mimecast.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId" + } + }, + "related": { + "ip": [ + "123.123.123.123" + ] + }, + "source": { + "address": "123.123.123.123", + "ip": "123.123.123.123" + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_internal_email_project.json b/Mimecast/mimecast-email-security/tests/test_internal_email_project.json new file mode 100644 index 000000000..c96b751bd --- /dev/null +++ b/Mimecast/mimecast-email-security/tests/test_internal_email_project.json 
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1730905847558, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My dangerous email\", \"recipients\": \"jane.doe@example.com\", \"urlCategory\": \"Dangerous file extension\", \"scanResults\": \"Restricted File Type - Found executable extension: dll\", \"route\": \"Internal\", \"monitoredDomainSource\": null, \"similarDomain\": null, \"type\": \"internal email protect\", \"subtype\": null, \"_offset\": 994904, \"_partition\": 66}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1730905847558, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My dangerous email\", \"recipients\": \"jane.doe@example.com\", \"urlCategory\": \"Dangerous file extension\", \"scanResults\": \"Restricted File Type - Found executable extension: dll\", \"route\": \"Internal\", \"monitoredDomainSource\": null, \"similarDomain\": null, \"type\": \"internal email protect\", \"subtype\": null, \"_offset\": 994904, \"_partition\": 66}", + "event": { + "category": [ + "email" + ], + "dataset": "internal email protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-06T15:10:47.558000Z", + "email": { + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "message_id": "11111111111111111111111111111111111111@mail.gmail.com", + "subject": "My dangerous email", + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId", + "scan_results": "Restricted File Type - Found executable extension: dll" + } + } + } +} \ No newline at end of file 
diff --git a/Mimecast/mimecast-email-security/tests/test_process.json b/Mimecast/mimecast-email-security/tests/test_process.json
index 52a887bae..3eb706d80 100644
--- a/Mimecast/mimecast-email-security/tests/test_process.json
+++ b/Mimecast/mimecast-email-security/tests/test_process.json
@@ -23,11 +23,7 @@
 ]
 },
 "message_id": "CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAEirX4MRZRJX+esw@mail.gmail.com",
- "to": {
- "address": [
- "null"
- ]
- }
+ "subject": "Moderate"
 },
 "mimecast": {
 "siem": {
diff --git a/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json b/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json
index b48c8cb61..f74ef7ef2 100644
--- a/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json
+++ b/Mimecast/mimecast-email-security/tests/test_process_with_attachment.json
@@ -30,11 +30,7 @@
 ]
 },
 "message_id": "messageId",
- "to": {
- "address": [
- "null"
- ]
- }
+ "subject": "siem_process - email subject line"
 },
 "mimecast": {
 "siem": {
diff --git a/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json b/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json
index 4d335bb96..164fe08cd 100644
--- a/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json
+++ b/Mimecast/mimecast-email-security/tests/test_process_with_multiple_attachments.json
@@ -100,11 +100,7 @@
 ]
 },
 "message_id": "1@mail.gmail.com",
- "to": {
- "address": [
- "null"
- ]
- }
+ "subject": "TEST SEKOIA"
 },
 "mimecast": {
 "siem": {
diff --git a/Mimecast/mimecast-email-security/tests/test_receipt.json b/Mimecast/mimecast-email-security/tests/test_receipt.json
index 8f81db770..78635f69e 100644
--- a/Mimecast/mimecast-email-security/tests/test_receipt.json
+++ b/Mimecast/mimecast-email-security/tests/test_receipt.json
@@ -24,6 +24,7 @@
 ]
 },
 "message_id": "CAF7=BmDb+6qHo+J5EB9oH+S4ncJOfEMsUYAAarX4MRZRJX+esw@mail.gmail.com",
+ "subject": "Moderate",
 "to": {
 "address": [
 "admin@mcfr2.pro"
diff --git a/Mimecast/mimecast-email-security/tests/test_receipt_urls.json b/Mimecast/mimecast-email-security/tests/test_receipt_urls.json
new file mode 100644
index 000000000..5fa8633c7
--- /dev/null
+++ b/Mimecast/mimecast-email-security/tests/test_receipt_urls.json
@@ -0,0 +1,64 @@ +{ + "input": { + "message": "{\"aggregateId\":\"YvXi4vUANvSwDaBxkq6SYA\",\"processingId\":\"RMkDQFp7L5gGaZ5jnsGVW4zLmvTVvWVb0lQeO9EBDRo_1736242544\",\"accountId\":\"CDE22A102\",\"timestamp\":1736242547621,\"action\":\"Rej\",\"senderEnvelope\":\"john.doe@gmail.com\",\"messageId\":\"\",\"subject\":\"Rejected email with URL\",\"recipients\":\"admin@mcfr.pro\",\"senderIp\":\"209.85.216.51\",\"rejectionType\":\"Malicious QRCode Detection\",\"rejectionCode\":\"554\",\"direction\":\"Inbound\",\"numberAttachments\":\"2\",\"senderHeader\":\"john.doe@gmail.com\",\"rejectionInfo\":\"[Type: [Phishing & Fraud],Url: [https://assistance-mon-espace.com/pages/billing.php],UrlBlock: [ORIGINAL:https://assistance-mon-espace.com/pages/billin]\",\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"virusFound\":null,\"spamScore\":null,\"spamDetectionLevel\":null,\"receiptErrors\":\"Malicious QRCode detected in email: UrlReputationScan\",\"type\":\"receipt\",\"subtype\":\"Rej\",\"_offset\":293625,\"_partition\":137}" + }, + "expected": { + "message": "{\"aggregateId\":\"YvXi4vUANvSwDaBxkq6SYA\",\"processingId\":\"RMkDQFp7L5gGaZ5jnsGVW4zLmvTVvWVb0lQeO9EBDRo_1736242544\",\"accountId\":\"CDE22A102\",\"timestamp\":1736242547621,\"action\":\"Rej\",\"senderEnvelope\":\"john.doe@gmail.com\",\"messageId\":\"\",\"subject\":\"Rejected email with URL\",\"recipients\":\"admin@mcfr.pro\",\"senderIp\":\"209.85.216.51\",\"rejectionType\":\"Malicious QRCode Detection\",\"rejectionCode\":\"554\",\"direction\":\"Inbound\",\"numberAttachments\":\"2\",\"senderHeader\":\"john.doe@gmail.com\",\"rejectionInfo\":\"[Type: [Phishing & Fraud],Url: [https://assistance-mon-espace.com/pages/billing.php],UrlBlock: 
[ORIGINAL:https://assistance-mon-espace.com/pages/billin]\",\"tlsVersion\":\"TLSv1.3\",\"tlsCipher\":\"TLS_AES_256_GCM_SHA384\",\"spamInfo\":null,\"spamProcessingDetail\":\"{\\\"spf\\\":{\\\"allow\\\":true,\\\"info\\\":\\\"ALLOW\\\"}}\",\"virusFound\":null,\"spamScore\":null,\"spamDetectionLevel\":null,\"receiptErrors\":\"Malicious QRCode detected in email: UrlReputationScan\",\"type\":\"receipt\",\"subtype\":\"Rej\",\"_offset\":293625,\"_partition\":137}", + "event": { + "action": "Rej", + "category": [ + "email" + ], + "dataset": "receipt", + "provider": "Mimecast", + "type": [ + "denied" + ] + }, + "@timestamp": "2025-01-07T09:35:47.621000Z", + "email": { + "direction": "Inbound", + "from": { + "address": [ + "john.doe@gmail.com" + ] + }, + "message_id": "CAF7=BmAn9O711xhrO3-CQqJ6YmAfitXyk+5Kd9Xixc5cBmy48g@mail.gmail.com", + "subject": "Rejected email with URL", + "to": { + "address": [ + "admin@mcfr.pro" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "YvXi4vUANvSwDaBxkq6SYA", + "processing_id": "RMkDQFp7L5gGaZ5jnsGVW4zLmvTVvWVb0lQeO9EBDRo_1736242544", + "rejection": { + "code": 554, + "info": "[Type: [Phishing & Fraud],Url: [https://assistance-mon-espace.com/pages/billing.php],UrlBlock: [ORIGINAL:https://assistance-mon-espace.com/pages/billin]", + "type": "Malicious QRCode Detection" + } + } + }, + "related": { + "ip": [ + "209.85.216.51" + ] + }, + "source": { + "address": "209.85.216.51", + "ip": "209.85.216.51" + }, + "url": { + "domain": "assistance-mon-espace.com", + "original": "https://assistance-mon-espace.com/pages/billing.php", + "path": "/pages/billing.php", + "port": 443, + "registered_domain": "assistance-mon-espace.com", + "scheme": "https", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/Mimecast/mimecast-email-security/tests/test_spam.json b/Mimecast/mimecast-email-security/tests/test_spam.json new file mode 100644 index 000000000..52a756602 --- /dev/null 
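Review bot: The expected `email.message_id` is `CAF7=BmAn9O711xhrO3-CQqJ6YmAfitXyk+5Kd9Xixc5cBmy48g@mail.gmail.com`, but the input's `messageId` is the empty string, so no parser can derive that expectation from this input; the fixture looks sanitised on one side only. test_url_protect_blocked.json two hunks below has the same mismatch (`messageId: ""` against a `CAF7=…` message_id). Either restore the message id in the input or drop `message_id` from `expected`, as test_impersonation_protect.json already does for an empty `messageId`; if the test runner is lenient enough to pass as-is, that leniency is hiding the inconsistency.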
+++ b/Mimecast/mimecast-email-security/tests/test_spam.json @@ -0,0 +1,48 @@ +{ + "input": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731193597481, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"senderIp\": \"1.2.3.4\", \"senderDomain\": \"example.org\", \"route\": \"Inbound\", \"senderHeader\": \"john.doe@example.org\", \"type\": \"spam\", \"subtype\": null, \"_offset\": 1069434, \"_partition\": 66}" + }, + "expected": { + "message": "{\"processingId\": \"processingId\", \"aggregateId\": \"aggregateId\", \"accountId\": \"C0A0\", \"timestamp\": 1731193597481, \"messageId\": \"<11111111111111111111111111111111111111@mail.gmail.com>\", \"senderEnvelope\": \"john.doe@example.org\", \"subject\": \"My little subject\", \"recipients\": \"jane.doe@example.com\", \"senderIp\": \"1.2.3.4\", \"senderDomain\": \"example.org\", \"route\": \"Inbound\", \"senderHeader\": \"john.doe@example.org\", \"type\": \"spam\", \"subtype\": null, \"_offset\": 1069434, \"_partition\": 66}", + "event": { + "category": [ + "email" + ], + "dataset": "spam", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": "2024-11-09T23:06:37.481000Z", + "email": { + "from": { + "address": [ + "john.doe@example.org" + ] + }, + "message_id": "11111111111111111111111111111111111111@mail.gmail.com", + "subject": "My little subject", + "to": { + "address": [ + "jane.doe@example.com" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "aggregateId", + "processing_id": "processingId" + } + }, + "related": { + "ip": [ + "1.2.3.4" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + } + } +} \ No newline at end of file 
diff --git a/Mimecast/mimecast-email-security/tests/test_url_protect_blocked.json b/Mimecast/mimecast-email-security/tests/test_url_protect_blocked.json
new file mode 100644
index 000000000..3b4bba2c5
--- /dev/null
+++ b/Mimecast/mimecast-email-security/tests/test_url_protect_blocked.json
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"processingId\": \"req-aa8ae4a3334b30fbb07bbb9c2fb69048_1715766931\", \"aggregateId\": \"Y12X0yjKNr6A6yhIH48Wkw_1715766931\", \"timestamp\": 1715767102752, \"accountId\": \"CDE22A102\", \"urlCategory\": \"Phishing & Fraud\", \"action\": \"Block\", \"url\": \"http://www.mimcast.com\", \"subject\": \"TEST URL\", \"sourceIp\": \"209.123.123.123\", \"senderDomain\": \"gmail.com\", \"senderEnvelope\": \"jeanne@gmail.com\", \"route\": \"inbound\", \"recipients\": \"john@mcfr2.pro\", \"blockReason\": \"malicious\", \"messageId\": \"\", \"analysis\": \"{\\\"CredentialTheftEvidence\\\":[\\\"The website uses an unencrypted connection\\\"],\\\"CredentialTheftTags\\\":[\\\"NO_CERTIFICATE\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\"]}\", \"type\": \"url protect\", \"subtype\": \"Block\", \"_offset\": 106007, \"_partition\": 137}" + }, + "expected": { + "message": "{\"processingId\": \"req-aa8ae4a3334b30fbb07bbb9c2fb69048_1715766931\", \"aggregateId\": \"Y12X0yjKNr6A6yhIH48Wkw_1715766931\", \"timestamp\": 1715767102752, \"accountId\": \"CDE22A102\", \"urlCategory\": \"Phishing & Fraud\", \"action\": \"Block\", \"url\": \"http://www.mimcast.com\", \"subject\": \"TEST URL\", \"sourceIp\": \"209.123.123.123\", \"senderDomain\": \"gmail.com\", \"senderEnvelope\": \"jeanne@gmail.com\", \"route\": \"inbound\", \"recipients\": \"john@mcfr2.pro\", \"blockReason\": \"malicious\", \"messageId\": \"\", \"analysis\": \"{\\\"CredentialTheftEvidence\\\":[\\\"The website uses an unencrypted connection\\\"],\\\"CredentialTheftTags\\\":[\\\"NO_CERTIFICATE\\\",\\\"NO_IMAGES_PASSED_FILTERING\\\",\\\"REDIRECTION\\\",\\\"REMOTE_RESOURCES\\\"]}\", \"type\": \"url protect\", \"subtype\": \"Block\", \"_offset\": 106007, \"_partition\": 137}", + "event": { + "action": "Block", + "category": [ + "email" + ], + "dataset": "url protect", + "provider": "Mimecast", + "type": [ + "info" + ] + }, + "@timestamp": 
"2024-05-15T09:58:22.752000Z", + "email": { + "from": { + "address": [ + "jeanne@gmail.com" + ] + }, + "message_id": "CAF7=BmDfJHJO0j34Y9F6pY2C5MEEq9SLVizm7R+JGwJ2OPtoGw@mail.gmail.com", + "subject": "TEST URL", + "to": { + "address": [ + "john@mcfr2.pro" + ] + } + }, + "mimecast": { + "siem": { + "aggregate_id": "Y12X0yjKNr6A6yhIH48Wkw_1715766931", + "processing_id": "req-aa8ae4a3334b30fbb07bbb9c2fb69048_1715766931" + } + }, + "url": { + "domain": "www.mimcast.com", + "original": "http://www.mimcast.com", + "port": 80, + "registered_domain": "mimcast.com", + "scheme": "http", + "subdomain": "www", + "top_level_domain": "com" + } + } +} \ No newline at end of file diff --git a/Netskope/netskope_events/_meta/smart-descriptions.json b/Netskope/netskope_events/_meta/smart-descriptions.json index bdc92b317..44a72bd68 100644 --- a/Netskope/netskope_events/_meta/smart-descriptions.json +++ b/Netskope/netskope_events/_meta/smart-descriptions.json @@ -214,5 +214,26 @@ "field": "netskope.dlp.policy" } ] + }, + { + "value": "DLP incident detected on {source.ip}: {user.name} attempted to {event.action} file {file.name}", + "conditions": [ + { + "field": "event.dataset", + "value": "dlp_incident" + }, + { + "field": "event.action" + }, + { + "field": "source.ip" + }, + { + "field": "user.name" + }, + { + "field": "file.name" + } + ] } ] diff --git a/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json b/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json new file mode 100644 index 000000000..4e00cda31 --- /dev/null +++ b/Netskope/netskope_events/tests/test_dlp_incident_wo_policy.json 
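Review bot: The url-protect input carries `sourceIp: 209.123.123.123`, but the expected output has no `source.ip` or `related.ip`, while the receipt, spam and AV fixtures in this commit all map `senderIp` into both; the parser, which is outside this diff, appears to read only `senderIp`. Mapping `sourceIp` to `source.ip` and `related.ip` as well would make url-protect events correlatable with the other datasets on the same address. `blockReason: malicious` and `urlCategory` are also left unmapped although `mimecast.siem.scan_results` was just added for comparable verdict data.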
@@ -0,0 +1,134 @@ +{ + "input": { + "message": "{\"_id\": \"11fc1dee8256ff3645f6d25f0\", \"access_method\": \"Client\", \"action\": \"useralert\", \"activity\": \"Download\", \"alert\": \"yes\", \"alert_type\": \"DLP\", \"app\": \"LinkedIn\", \"app_session_id\": 1111111111111111111, \"appcategory\": \"Professional Networking\", \"appsuite\": \"Linkedin App\", \"browser\": \"Chrome\", \"browser_session_id\": 222222222222222, \"browser_version\": \"131.0.0.0\", \"category\": \"Professional Networking\", \"cci\": 68, \"ccl\": \"medium\", \"connection_id\": 3333333333333, \"count\": 1, \"device\": \"Windows Device\", \"device_classification\": \"unmanaged\", \"dlp_file\": \"HighRes_QRCode_3.png\", \"dlp_incident_id\": 44444444444444, \"dlp_is_unique_count\": \"false\", \"dlp_parent_id\": 44444444444444, \"dlp_profile\": \"ML-TYOC-QRCode\", \"dlp_rule\": \"QRCode\", \"dlp_rule_count\": 0, \"dlp_rule_severity\": \"Medium\", \"dst_country\": \"US\", \"dst_latitude\": 37.775699615478516, \"dst_location\": \"San Francisco\", \"dst_longitude\": -122.39520263671875, \"dst_region\": \"California\", \"dst_timezone\": \"America/Los_Angeles\", \"dst_zipcode\": \"N/A\", \"dstip\": \"9.10.11.12\", \"dstport\": 443, \"file_lang\": \"Unknown\", \"file_size\": 1908, \"file_type\": \"image/png\", \"from_user\": \"john.doe@gmail.com\", \"hostname\": \"EXAMPLE1\", \"managed_app\": \"no\", \"md5\": \"eb430691fe30d16070b5a144c3d3303c\", \"netskope_pop\": \"FR-PAR2\", \"object\": \"HighRes_QRCode_3.png\", \"object_type\": \"File\", \"organization_unit\": \"\", \"os\": \"Windows 11\", \"os_version\": \"Windows NT 11.0\", \"other_categories\": [\"All Internet\", \"Professional Networking\"], \"page\": \"www.linkedin.com\", \"page_site\": \"Linkedin\", \"policy\": \"Coach user QRCode in Social Media and IM\", \"policy_id\": \"981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594\", \"protocol\": \"HTTPS/1.1\", \"referer\": \"https://www.linkedin.com/feed/\", \"request_id\": 
2994008614773293824, \"scan_type\": \"\", \"severity\": \"unknown\", \"sha256\": \"d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6\", \"site\": \"Linkedin\", \"src_country\": \"FR\", \"src_latitude\": 48.9247, \"src_location\": \"La Courneuve\", \"src_longitude\": 2.3975, \"src_region\": \"\\u00cele-de-France\", \"src_time\": \"Wed Dec 11 15:06:00 2024\", \"src_timezone\": \"Europe/Paris\", \"src_zipcode\": \"93120\", \"srcip\": \"5.6.7.8\", \"timestamp\": 1733925987, \"traffic_type\": \"CloudApp\", \"transaction_id\": 555555555555555, \"true_obj_category\": \"Image (Raster)\", \"true_obj_type\": \"Portable Network Graphics (PNG)\", \"tss_mode\": \"inline\", \"type\": \"nspolicy\", \"ur_normalized\": \"johndoe@example.com\", \"url\": \"www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123\", \"user\": \"johndoe@example.com\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\", \"userip\": \"1.2.3.4\", \"userkey\": \"johndoe@example.com\", \"ext_labels\": [], \"dlp_fail_reason\": \"\", \"workspace\": \"\", \"instance_id\": \"\", \"tss_scan_failed\": \"\", \"dlp_unique_count\": 0, \"dlp_mail_parent_id\": \"\", \"notify_template\": \"\", \"tss_fail_reason\": \"\", \"channel_id\": \"\", \"mime_type\": \"\", \"resp_cnt\": 0, \"file_path\": \"\", \"orignal_file_path\": \"\", \"suppression_end_time\": 0, \"log_file_name\": \"\", \"modified\": 0, \"user_category\": \"\", \"CononicalName\": \"\", \"suppression_key\": \"\", \"web_universal_connector\": \"\", \"owner\": \"\", \"ja3\": \"\", \"dsthost\": \"\", \"data_type\": \"\", \"loginurl\": \"\", \"workspace_id\": \"\", \"managementID\": \"\", \"telemetry_app\": \"\", \"user_confidence_index\": 0, \"parent_id\": \"\", \"ja3s\": \"\", \"userPrincipalName\": \"\", \"smtp_to\": [], \"justification_reason\": \"\", \"app_activity\": \"\", \"sanctioned_instance\": \"\", \"user_id\": \"\", 
\"title\": \"\", \"audit_category\": \"\", \"internal_collaborator_count\": 0, \"shared_with\": \"\", \"dst_geoip_src\": 0, \"serial\": \"\", \"numbytes\": 0, \"sAMAccountName\": \"\", \"dlp_scan_failed\": \"\", \"server_bytes\": 0, \"sessionid\": \"\", \"to_user\": \"\", \"src_geoip_src\": 0, \"total_collaborator_count\": 0, \"custom_attr\": {}, \"logintype\": \"\", \"instance\": \"\", \"fromlogs\": \"\", \"retro_scan_name\": \"\", \"justification_type\": \"\", \"from_user_category\": \"\", \"data_center\": \"\", \"custom_connector\": \"\", \"audit_type\": \"\", \"suppression_start_time\": 0, \"req_cnt\": 0, \"exposure\": \"\", \"object_id\": \"\", \"conn_duration\": 0, \"nsdeviceuid\": \"\", \"universal_connector\": \"\", \"org\": \"\", \"netskope_activity\": \"\", \"client_bytes\": 0}" + }, + "expected": { + "message": "{\"_id\": \"11fc1dee8256ff3645f6d25f0\", \"access_method\": \"Client\", \"action\": \"useralert\", \"activity\": \"Download\", \"alert\": \"yes\", \"alert_type\": \"DLP\", \"app\": \"LinkedIn\", \"app_session_id\": 1111111111111111111, \"appcategory\": \"Professional Networking\", \"appsuite\": \"Linkedin App\", \"browser\": \"Chrome\", \"browser_session_id\": 222222222222222, \"browser_version\": \"131.0.0.0\", \"category\": \"Professional Networking\", \"cci\": 68, \"ccl\": \"medium\", \"connection_id\": 3333333333333, \"count\": 1, \"device\": \"Windows Device\", \"device_classification\": \"unmanaged\", \"dlp_file\": \"HighRes_QRCode_3.png\", \"dlp_incident_id\": 44444444444444, \"dlp_is_unique_count\": \"false\", \"dlp_parent_id\": 44444444444444, \"dlp_profile\": \"ML-TYOC-QRCode\", \"dlp_rule\": \"QRCode\", \"dlp_rule_count\": 0, \"dlp_rule_severity\": \"Medium\", \"dst_country\": \"US\", \"dst_latitude\": 37.775699615478516, \"dst_location\": \"San Francisco\", \"dst_longitude\": -122.39520263671875, \"dst_region\": \"California\", \"dst_timezone\": \"America/Los_Angeles\", \"dst_zipcode\": \"N/A\", \"dstip\": \"9.10.11.12\", \"dstport\": 
443, \"file_lang\": \"Unknown\", \"file_size\": 1908, \"file_type\": \"image/png\", \"from_user\": \"john.doe@gmail.com\", \"hostname\": \"EXAMPLE1\", \"managed_app\": \"no\", \"md5\": \"eb430691fe30d16070b5a144c3d3303c\", \"netskope_pop\": \"FR-PAR2\", \"object\": \"HighRes_QRCode_3.png\", \"object_type\": \"File\", \"organization_unit\": \"\", \"os\": \"Windows 11\", \"os_version\": \"Windows NT 11.0\", \"other_categories\": [\"All Internet\", \"Professional Networking\"], \"page\": \"www.linkedin.com\", \"page_site\": \"Linkedin\", \"policy\": \"Coach user QRCode in Social Media and IM\", \"policy_id\": \"981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594\", \"protocol\": \"HTTPS/1.1\", \"referer\": \"https://www.linkedin.com/feed/\", \"request_id\": 2994008614773293824, \"scan_type\": \"\", \"severity\": \"unknown\", \"sha256\": \"d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6\", \"site\": \"Linkedin\", \"src_country\": \"FR\", \"src_latitude\": 48.9247, \"src_location\": \"La Courneuve\", \"src_longitude\": 2.3975, \"src_region\": \"\\u00cele-de-France\", \"src_time\": \"Wed Dec 11 15:06:00 2024\", \"src_timezone\": \"Europe/Paris\", \"src_zipcode\": \"93120\", \"srcip\": \"5.6.7.8\", \"timestamp\": 1733925987, \"traffic_type\": \"CloudApp\", \"transaction_id\": 555555555555555, \"true_obj_category\": \"Image (Raster)\", \"true_obj_type\": \"Portable Network Graphics (PNG)\", \"tss_mode\": \"inline\", \"type\": \"nspolicy\", \"ur_normalized\": \"johndoe@example.com\", \"url\": \"www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123\", \"user\": \"johndoe@example.com\", \"useragent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36\", \"userip\": \"1.2.3.4\", \"userkey\": \"johndoe@example.com\", \"ext_labels\": [], \"dlp_fail_reason\": \"\", \"workspace\": \"\", \"instance_id\": \"\", \"tss_scan_failed\": \"\", 
\"dlp_unique_count\": 0, \"dlp_mail_parent_id\": \"\", \"notify_template\": \"\", \"tss_fail_reason\": \"\", \"channel_id\": \"\", \"mime_type\": \"\", \"resp_cnt\": 0, \"file_path\": \"\", \"orignal_file_path\": \"\", \"suppression_end_time\": 0, \"log_file_name\": \"\", \"modified\": 0, \"user_category\": \"\", \"CononicalName\": \"\", \"suppression_key\": \"\", \"web_universal_connector\": \"\", \"owner\": \"\", \"ja3\": \"\", \"dsthost\": \"\", \"data_type\": \"\", \"loginurl\": \"\", \"workspace_id\": \"\", \"managementID\": \"\", \"telemetry_app\": \"\", \"user_confidence_index\": 0, \"parent_id\": \"\", \"ja3s\": \"\", \"userPrincipalName\": \"\", \"smtp_to\": [], \"justification_reason\": \"\", \"app_activity\": \"\", \"sanctioned_instance\": \"\", \"user_id\": \"\", \"title\": \"\", \"audit_category\": \"\", \"internal_collaborator_count\": 0, \"shared_with\": \"\", \"dst_geoip_src\": 0, \"serial\": \"\", \"numbytes\": 0, \"sAMAccountName\": \"\", \"dlp_scan_failed\": \"\", \"server_bytes\": 0, \"sessionid\": \"\", \"to_user\": \"\", \"src_geoip_src\": 0, \"total_collaborator_count\": 0, \"custom_attr\": {}, \"logintype\": \"\", \"instance\": \"\", \"fromlogs\": \"\", \"retro_scan_name\": \"\", \"justification_type\": \"\", \"from_user_category\": \"\", \"data_center\": \"\", \"custom_connector\": \"\", \"audit_type\": \"\", \"suppression_start_time\": 0, \"req_cnt\": 0, \"exposure\": \"\", \"object_id\": \"\", \"conn_duration\": 0, \"nsdeviceuid\": \"\", \"universal_connector\": \"\", \"org\": \"\", \"netskope_activity\": \"\", \"client_bytes\": 0}", + "event": { + "action": "Download", + "category": [ + "file" + ], + "dataset": "dlp_incident", + "duration": 0, + "kind": "alert", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-11T14:06:27Z", + "action": { + "name": "useralert" + }, + "destination": { + "address": "9.10.11.12", + "bytes": 0, + "geo": { + "city_name": "San Francisco", + "country_iso_code": "US", + "location": { + "lat": 
37.775699615478516, + "lon": -122.39520263671875 + }, + "postal_code": "N/A", + "region_name": "California", + "timezone": "America/Los_Angeles" + }, + "ip": "9.10.11.12" + }, + "file": { + "hash": { + "md5": "eb430691fe30d16070b5a144c3d3303c", + "sha256": "d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6" + }, + "mime_type": "image/png", + "name": "HighRes_QRCode_3.png", + "size": 1908 + }, + "host": { + "name": "EXAMPLE1", + "os": { + "name": "Windows 11", + "platform": "windows", + "type": "windows", + "version": "Windows NT 11.0" + } + }, + "http": { + "request": { + "referrer": "https://www.linkedin.com/feed/" + } + }, + "netskope": { + "alerts": { + "type": "DLP" + }, + "dlp": { + "incident": { + "id": "44444444444444" + } + }, + "events": { + "access_method": "Client", + "application": { + "category": "Professional Networking", + "name": "LinkedIn", + "suite": "Linkedin App" + }, + "ccl": "medium" + } + }, + "network": { + "bytes": 0 + }, + "observer": { + "vendor": "Netskope" + }, + "related": { + "hash": [ + "d847acf7bab1b6f761779f3995c693e25eb899dceea61ef9043532d1ae9923a6", + "eb430691fe30d16070b5a144c3d3303c" + ], + "ip": [ + "5.6.7.8", + "9.10.11.12" + ], + "user": [ + "johndoe" + ] + }, + "rule": { + "id": "981C1E7B3795DA18687613FBD66D4954 2024-12-11 13:39:20.625594", + "name": "Coach user QRCode in Social Media and IM" + }, + "source": { + "address": "5.6.7.8", + "bytes": 0, + "geo": { + "city_name": "La Courneuve", + "country_iso_code": "FR", + "location": { + "lat": 48.9247, + "lon": 2.3975 + }, + "postal_code": "93120", + "region_name": "\u00cele-de-France", + "timezone": "Europe/Paris" + }, + "ip": "5.6.7.8" + }, + "url": { + "original": "www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123", + "path": "www.linkedin.com/dms/prv/vid/v2/abc/messaging-attachmentFile/messaging-attachmentFile/0/123" + }, + "user": { + "domain": "example.com", + "email": "johndoe@example.com", + "name": "johndoe" + 
}, + "user_agent": { + "name": "Chrome", + "version": "131.0.0.0" + } + } +} \ No newline at end of file diff --git a/Office 365/o365/ingest/parser.yml b/Office 365/o365/ingest/parser.yml index bae0981af..bc6393df6 100644 --- a/Office 365/o365/ingest/parser.yml +++ b/Office 365/o365/ingest/parser.yml 
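Review bot: The expected `url.path` near the end of the hunk repeats the whole input `url`, host included (`www.linkedin.com/dms/prv/vid/...`), and no `url.domain` is produced, because the raw `url` carries no scheme and the URL parser evidently treats the entire string as a path. Committing this fixture pins that behaviour in, so rules keyed on `url.domain` will not see Netskope DLP events; a scheme-less `url` should be split at the first `/` so that `url.domain` becomes `www.linkedin.com` and `url.path` the remainder, and the fixture updated accordingly. The fixture also locks in the literal `N/A` sentinel as `destination.geo.postal_code` (better dropped than emitted) and leaves `dlp_rule_severity` (`Medium`) unmapped, which may be intended but is worth a second look.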
@@ -165,6 +165,47 @@ stages: office365.context.correlation.id: "{{json_event.message.AppAccessContext.CorrelationId}}" filter: '{{json_event.message.get("AppAccessContext") != None}}' + - translate: + dictionary: + "00b41c95-dab0-4487-9791-b9d2c32c80f2": "Office 365 Management" + "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI" + "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell" + "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams" + "26a7ee05-5602-4d76-a7ba-eae8b7b67941": "Windows Search" + "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile" + "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App" + "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine" + "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office" + "872cd9fa-d31f-45e0-9eab-6e460a02d1f1": "Visual Studio" + "af124e86-4e96-495a-b70a-90f90ab96707": "OneDrive iOS App" + "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8": "Microsoft Bing Search for Microsoft Edge" + "844cca35-0656-46ce-b636-13f48b0eecbd": "Microsoft Stream Mobile Native" + "87749df4-7ccf-48f8-aa87-704bad0e0e16": "Microsoft Teams - Device Admin Agent" + "cf36b471-5b44-428c-9ce7-313bf84528de": "Microsoft Bing Search" + "0ec893e0-5785-4de6-99da-4ed124e5296c": "Office UWP PWA" + "22098786-6e16-43cc-a27d-191a01a1e3b5": "Microsoft To-Do client" + "4e291c71-d680-4d0e-9640-0a3358e31177": "PowerApps" + "57336123-6e14-4acc-8dcf-287b6088aa28": "Microsoft Whiteboard Client" + "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0": "Microsoft Flow" + "66375f6b-983f-4c2c-9701-d680650f588f": "Microsoft Planner" + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223": "Microsoft Intune Company Portal" + "a40d7d7d-59aa-447e-a655-679a4107e548": "Accounts Control UI" + "a569458c-7f2b-45cb-bab9-b7dee514d112": "Yammer iPhone" + "b26aadf8-566f-4478-926f-589f601d9c74": "OneDrive" + "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12": "Microsoft Power BI" + "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0": "SharePoint" + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34": 
"Microsoft Edge" + "eb539595-3fe1-474e-9c1d-feb3625d1be5": "Microsoft Tunnel" + "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d": "SharePoint Android" + "be1918be-3fe3-4be9-b32b-b542fc27f02e": "M365 Compliance Drive Client" + "cab96880-db5b-4e15-90a7-f3f1d62ffe39": "Microsoft Defender Platform" + "d7b530a4-7680-4c23-a8bf-c52c121d2e87": "Microsoft Edge Enterprise New Tab Page" + "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3": "Microsoft Defender for Mobile" + "e9b154d0-7658-433b-bb25-6b8e0a8a7c59": "Outlook Lite" + mapping: + office365.context.client.id: office365.context.client.name + filter: "{{json_event.message.get('AppAccessContext').get('ClientAppId') != None and json_event.message.get('AppAccessContext').get('ClientAppName') == None}}" + parse_exchange_admin: actions: - translate: 
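Review bot: The 36-entry client-id dictionary in this `translate` action is pasted verbatim into six stages (this hunk and the hunks at -188, -213, -262, -281 and -291), so every future addition or correction must be made in six places and the copies will drift. If the parser format supports YAML anchors/aliases or a shared lookup, define the dictionary once and reference it; otherwise a single translate stage run after the per-workload stages, keyed on `office365.context.client.id`, would remove the duplication. Separately, the filter in this hunk calls `.get('ClientAppId')` on `json_event.message.get('AppAccessContext')` unguarded: the preceding `set` is filtered on `AppAccessContext != None` but this action is not, so an event without `AppAccessContext` evaluates `None.get(...)`, which raises in Jinja unless the engine's Undefined swallows it. Use `filter: "{{json_event.message.get('AppAccessContext', {}).get('ClientAppId') != None and json_event.message.get('AppAccessContext', {}).get('ClientAppName') == None}}"`.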
@@ -188,6 +229,47 @@ stages: office365.context.client.id: "{{json_event.message.AppId}}" filter: '{{json_event.message.get("ClientAppId") == ""}}' + - translate: + dictionary: + "00b41c95-dab0-4487-9791-b9d2c32c80f2": "Office 365 Management" + "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI" + "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell" + "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams" + "26a7ee05-5602-4d76-a7ba-eae8b7b67941": "Windows Search" + "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile" + "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App" + "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine" + "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office" + "872cd9fa-d31f-45e0-9eab-6e460a02d1f1": "Visual Studio" + "af124e86-4e96-495a-b70a-90f90ab96707": "OneDrive iOS App" + "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8": "Microsoft Bing Search for Microsoft Edge" + "844cca35-0656-46ce-b636-13f48b0eecbd": "Microsoft Stream Mobile Native" + "87749df4-7ccf-48f8-aa87-704bad0e0e16": "Microsoft Teams - Device Admin Agent" + "cf36b471-5b44-428c-9ce7-313bf84528de": "Microsoft Bing Search" + "0ec893e0-5785-4de6-99da-4ed124e5296c": "Office UWP PWA" + "22098786-6e16-43cc-a27d-191a01a1e3b5": "Microsoft To-Do client" + "4e291c71-d680-4d0e-9640-0a3358e31177": "PowerApps" + "57336123-6e14-4acc-8dcf-287b6088aa28": "Microsoft Whiteboard Client" + "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0": "Microsoft Flow" + "66375f6b-983f-4c2c-9701-d680650f588f": "Microsoft Planner" + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223": "Microsoft Intune Company Portal" + "a40d7d7d-59aa-447e-a655-679a4107e548": "Accounts Control UI" + "a569458c-7f2b-45cb-bab9-b7dee514d112": "Yammer iPhone" + "b26aadf8-566f-4478-926f-589f601d9c74": "OneDrive" + "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12": "Microsoft Power BI" + "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0": "SharePoint" + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34": "Microsoft Edge" + 
"eb539595-3fe1-474e-9c1d-feb3625d1be5": "Microsoft Tunnel" + "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d": "SharePoint Android" + "be1918be-3fe3-4be9-b32b-b542fc27f02e": "M365 Compliance Drive Client" + "cab96880-db5b-4e15-90a7-f3f1d62ffe39": "Microsoft Defender Platform" + "d7b530a4-7680-4c23-a8bf-c52c121d2e87": "Microsoft Edge Enterprise New Tab Page" + "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3": "Microsoft Defender for Mobile" + "e9b154d0-7658-433b-bb25-6b8e0a8a7c59": "Outlook Lite" + mapping: + office365.context.client.id: office365.context.client.name + filter: "{{json_event.message.get('ClientAppId') != None or json_event.message.get('AppId') != None}}" + parse_exchange_item: actions: - translate: 
@@ -213,6 +295,48 @@ stages: office365.exchange.mailbox_guid: "{{json_event.message.MailboxGuid}}" office365.context.aad_session_id: "{{json_event.message.SessionId}}" office365.context.client.id: "{{json_event.message.ClientAppId}}" + + - translate: + dictionary: + "00b41c95-dab0-4487-9791-b9d2c32c80f2": "Office 365 Management" + "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI" + "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell" + "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams" + "26a7ee05-5602-4d76-a7ba-eae8b7b67941": "Windows Search" + "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile" + "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App" + "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine" + "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office" + "872cd9fa-d31f-45e0-9eab-6e460a02d1f1": "Visual Studio" + "af124e86-4e96-495a-b70a-90f90ab96707": "OneDrive iOS App" + "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8": "Microsoft Bing Search for Microsoft Edge" + "844cca35-0656-46ce-b636-13f48b0eecbd": "Microsoft Stream Mobile Native" + "87749df4-7ccf-48f8-aa87-704bad0e0e16": "Microsoft Teams - Device Admin Agent" + "cf36b471-5b44-428c-9ce7-313bf84528de": "Microsoft Bing Search" + "0ec893e0-5785-4de6-99da-4ed124e5296c": "Office UWP PWA" + "22098786-6e16-43cc-a27d-191a01a1e3b5": "Microsoft To-Do client" + "4e291c71-d680-4d0e-9640-0a3358e31177": "PowerApps" + "57336123-6e14-4acc-8dcf-287b6088aa28": "Microsoft Whiteboard Client" + "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0": "Microsoft Flow" + "66375f6b-983f-4c2c-9701-d680650f588f": "Microsoft Planner" + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223": "Microsoft Intune Company Portal" + "a40d7d7d-59aa-447e-a655-679a4107e548": "Accounts Control UI" + "a569458c-7f2b-45cb-bab9-b7dee514d112": "Yammer iPhone" + "b26aadf8-566f-4478-926f-589f601d9c74": "OneDrive" + "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12": "Microsoft Power BI" + "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0": 
"SharePoint" + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34": "Microsoft Edge" + "eb539595-3fe1-474e-9c1d-feb3625d1be5": "Microsoft Tunnel" + "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d": "SharePoint Android" + "be1918be-3fe3-4be9-b32b-b542fc27f02e": "M365 Compliance Drive Client" + "cab96880-db5b-4e15-90a7-f3f1d62ffe39": "Microsoft Defender Platform" + "d7b530a4-7680-4c23-a8bf-c52c121d2e87": "Microsoft Edge Enterprise New Tab Page" + "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3": "Microsoft Defender for Mobile" + "e9b154d0-7658-433b-bb25-6b8e0a8a7c59": "Outlook Lite" + mapping: + office365.context.client.id: office365.context.client.name + filter: "{{json_event.message.get('ClientAppId') != None }}" + - set: email.subject: "{{json_event.message.Item.Subject}}" email.message_id: "{{json_event.message.Item.InternetMessageId[1:-1]}}" 
@@ -262,6 +386,47 @@ stages: - set: office365.context.aad_session_id: "{{json_event.message.SessionId}}" office365.context.client.id: "{{json_event.message.ClientAppId}}" + + - translate: + dictionary: + "00b41c95-dab0-4487-9791-b9d2c32c80f2": "Office 365 Management" + "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI" + "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell" + "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams" + "26a7ee05-5602-4d76-a7ba-eae8b7b67941": "Windows Search" + "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile" + "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App" + "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine" + "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office" + "872cd9fa-d31f-45e0-9eab-6e460a02d1f1": "Visual Studio" + "af124e86-4e96-495a-b70a-90f90ab96707": "OneDrive iOS App" + "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8": "Microsoft Bing Search for Microsoft Edge" + "844cca35-0656-46ce-b636-13f48b0eecbd": "Microsoft Stream Mobile Native" + "87749df4-7ccf-48f8-aa87-704bad0e0e16": "Microsoft Teams - Device Admin Agent" + "cf36b471-5b44-428c-9ce7-313bf84528de": "Microsoft Bing Search" + "0ec893e0-5785-4de6-99da-4ed124e5296c": "Office UWP PWA" + "22098786-6e16-43cc-a27d-191a01a1e3b5": "Microsoft To-Do client" + "4e291c71-d680-4d0e-9640-0a3358e31177": "PowerApps" + "57336123-6e14-4acc-8dcf-287b6088aa28": "Microsoft Whiteboard Client" + "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0": "Microsoft Flow" + "66375f6b-983f-4c2c-9701-d680650f588f": "Microsoft Planner" + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223": "Microsoft Intune Company Portal" + "a40d7d7d-59aa-447e-a655-679a4107e548": "Accounts Control UI" + "a569458c-7f2b-45cb-bab9-b7dee514d112": "Yammer iPhone" + "b26aadf8-566f-4478-926f-589f601d9c74": "OneDrive" + "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12": "Microsoft Power BI" + "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0": "SharePoint" + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34": "Microsoft 
Edge" + "eb539595-3fe1-474e-9c1d-feb3625d1be5": "Microsoft Tunnel" + "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d": "SharePoint Android" + "be1918be-3fe3-4be9-b32b-b542fc27f02e": "M365 Compliance Drive Client" + "cab96880-db5b-4e15-90a7-f3f1d62ffe39": "Microsoft Defender Platform" + "d7b530a4-7680-4c23-a8bf-c52c121d2e87": "Microsoft Edge Enterprise New Tab Page" + "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3": "Microsoft Defender for Mobile" + "e9b154d0-7658-433b-bb25-6b8e0a8a7c59": "Outlook Lite" + mapping: + office365.context.client.id: office365.context.client.name + filter: "{{json_event.message.get('ClientAppId') != None }}" parse_share_point: actions: - set: 
@@ -281,6 +446,47 @@ stages: office365.context.aad_session_id: "{{json_event.message.SessionId}}" office365.context.client.id: "{{json_event.message.ClientAppId}}" + - translate: + dictionary: + "00b41c95-dab0-4487-9791-b9d2c32c80f2": "Office 365 Management" + "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI" + "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell" + "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams" + "26a7ee05-5602-4d76-a7ba-eae8b7b67941": "Windows Search" + "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile" + "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App" + "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine" + "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office" + "872cd9fa-d31f-45e0-9eab-6e460a02d1f1": "Visual Studio" + "af124e86-4e96-495a-b70a-90f90ab96707": "OneDrive iOS App" + "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8": "Microsoft Bing Search for Microsoft Edge" + "844cca35-0656-46ce-b636-13f48b0eecbd": "Microsoft Stream Mobile Native" + "87749df4-7ccf-48f8-aa87-704bad0e0e16": "Microsoft Teams - Device Admin Agent" + "cf36b471-5b44-428c-9ce7-313bf84528de": "Microsoft Bing Search" + "0ec893e0-5785-4de6-99da-4ed124e5296c": "Office UWP PWA" + "22098786-6e16-43cc-a27d-191a01a1e3b5": "Microsoft To-Do client" + "4e291c71-d680-4d0e-9640-0a3358e31177": "PowerApps" + "57336123-6e14-4acc-8dcf-287b6088aa28": "Microsoft Whiteboard Client" + "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0": "Microsoft Flow" + "66375f6b-983f-4c2c-9701-d680650f588f": "Microsoft Planner" + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223": "Microsoft Intune Company Portal" + "a40d7d7d-59aa-447e-a655-679a4107e548": "Accounts Control UI" + "a569458c-7f2b-45cb-bab9-b7dee514d112": "Yammer iPhone" + "b26aadf8-566f-4478-926f-589f601d9c74": "OneDrive" + "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12": "Microsoft Power BI" + "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0": "SharePoint" + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34": "Microsoft Edge" + 
"eb539595-3fe1-474e-9c1d-feb3625d1be5": "Microsoft Tunnel" + "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d": "SharePoint Android" + "be1918be-3fe3-4be9-b32b-b542fc27f02e": "M365 Compliance Drive Client" + "cab96880-db5b-4e15-90a7-f3f1d62ffe39": "Microsoft Defender Platform" + "d7b530a4-7680-4c23-a8bf-c52c121d2e87": "Microsoft Edge Enterprise New Tab Page" + "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3": "Microsoft Defender for Mobile" + "e9b154d0-7658-433b-bb25-6b8e0a8a7c59": "Outlook Lite" + mapping: + office365.context.client.id: office365.context.client.name + filter: "{{json_event.message.get('ClientAppId') != None }}" + parse_network_traffic: actions: - set: 
@@ -291,6 +497,47 @@ stages: office365.error_number: "{{json_event.message.ErrorNumber}}" office365.context.client.id: "{{json_event.message.ApplicationId}}" + - translate: + dictionary: + "00b41c95-dab0-4487-9791-b9d2c32c80f2": "Office 365 Management" + "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Microsoft Azure CLI" + "1950a258-227b-4e31-a9cf-717495945fc2": "Microsoft Azure PowerShell" + "1fec8e78-bce4-4aaf-ab1b-5451cc387264": "Microsoft Teams" + "26a7ee05-5602-4d76-a7ba-eae8b7b67941": "Windows Search" + "27922004-5251-4030-b22d-91ecd9a37ea4": "Outlook Mobile" + "4813382a-8fa7-425e-ab75-3b753aab3abb": "Microsoft Authenticator App" + "ab9b8c07-8f02-4f72-87fa-80105867a763": "OneDrive SyncEngine" + "d3590ed6-52b3-4102-aeff-aad2292ab01c": "Microsoft Office" + "872cd9fa-d31f-45e0-9eab-6e460a02d1f1": "Visual Studio" + "af124e86-4e96-495a-b70a-90f90ab96707": "OneDrive iOS App" + "2d7f3606-b07d-41d1-b9d2-0d0c9296a6e8": "Microsoft Bing Search for Microsoft Edge" + "844cca35-0656-46ce-b636-13f48b0eecbd": "Microsoft Stream Mobile Native" + "87749df4-7ccf-48f8-aa87-704bad0e0e16": "Microsoft Teams - Device Admin Agent" + "cf36b471-5b44-428c-9ce7-313bf84528de": "Microsoft Bing Search" + "0ec893e0-5785-4de6-99da-4ed124e5296c": "Office UWP PWA" + "22098786-6e16-43cc-a27d-191a01a1e3b5": "Microsoft To-Do client" + "4e291c71-d680-4d0e-9640-0a3358e31177": "PowerApps" + "57336123-6e14-4acc-8dcf-287b6088aa28": "Microsoft Whiteboard Client" + "57fcbcfa-7cee-4eb1-8b25-12d2030b4ee0": "Microsoft Flow" + "66375f6b-983f-4c2c-9701-d680650f588f": "Microsoft Planner" + "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223": "Microsoft Intune Company Portal" + "a40d7d7d-59aa-447e-a655-679a4107e548": "Accounts Control UI" + "a569458c-7f2b-45cb-bab9-b7dee514d112": "Yammer iPhone" + "b26aadf8-566f-4478-926f-589f601d9c74": "OneDrive" + "c0d2a505-13b8-4ae0-aa9e-cddd5eab0b12": "Microsoft Power BI" + "d326c1ce-6cc6-4de2-bebc-4591e5e13ef0": "SharePoint" + "f44b1140-bc5e-48c6-8dc0-5cf5a53c0e34": "Microsoft Edge" + 
"eb539595-3fe1-474e-9c1d-feb3625d1be5": "Microsoft Tunnel" + "f05ff7c9-f75a-4acd-a3b5-f4b6a870245d": "SharePoint Android" + "be1918be-3fe3-4be9-b32b-b542fc27f02e": "M365 Compliance Drive Client" + "cab96880-db5b-4e15-90a7-f3f1d62ffe39": "Microsoft Defender Platform" + "d7b530a4-7680-4c23-a8bf-c52c121d2e87": "Microsoft Edge Enterprise New Tab Page" + "dd47d17a-3194-4d86-bfd5-c6ae6f5651e3": "Microsoft Defender for Mobile" + "e9b154d0-7658-433b-bb25-6b8e0a8a7c59": "Outlook Lite" + mapping: + office365.context.client.id: office365.context.client.name + filter: "{{json_event.message.get('ApplicationId') != None }}" + - set: host.os.full: '{% for deviceProperty in json_event.message.DeviceProperties %}{% if deviceProperty.Name == "OS" %}{% if deviceProperty.get("Value") != None and deviceProperty.Value != ""%}{{deviceProperty.Value}}{% endif %}{% endif %}{% endfor %}' host.name: '{% for deviceProperty in json_event.message.DeviceProperties %}{% if deviceProperty.Name == "DisplayName" %}{% if deviceProperty.get("Value") != None and deviceProperty.Value != ""%}{{deviceProperty.Value}}{% endif %}{% endif %}{% endfor %}' diff --git a/Office 365/o365/tests/test_appName_field.json b/Office 365/o365/tests/test_appName_field.json new file mode 100644 index 000000000..4df581bfe --- /dev/null +++ b/Office 365/o365/tests/test_appName_field.json 
@@ -0,0 +1,101 @@ +{ + "input": { + "message": "{\"CreationTime\": \"2025-01-02T08:01:41\", \"Id\": \"f96dedc3-0e53-4444-bbbb-ef0000000000000\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"37fc2dfc-bdcc-4444-8fff-8700000b15e3\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"2001:4444:1111:5555:3333:1222:bbbb:555\", \"ObjectId\": \"0000000a-0000-0000-c000-000000000000\", \"UserId\": \"Joe.Done@test.fr\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Linux; Android 14; FFF-N49 Build/Test-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.200 Mobile Safari/537.36 PKeyAuth/1.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OrgIdWsFederation:federation\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"37fc2dfc-cccc-4888-8fff-00000000000000003\", \"Type\": 0}, {\"ID\": \"Joe.Done@test.fr\", \"Type\": 5}], \"ActorContextId\": \"3e49b082-6666-4444-aaaa-8777777777d2\", \"ActorIpAddress\": \"2000:4444:1111:5555:3333:1111:bbbb:555\", \"InterSystemsId\": \"a282e7bb-2eea-4773-b296-00000000000000\", \"IntraSystemId\": \"f96dedc3-0e53-4724-ba85-000000000000800\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"0000000a-0000-0000-c000-000000000000\", \"Type\": 0}], \"TargetContextId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"ApplicationId\": \"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223\", \"DeviceProperties\": [{\"Name\": \"OS\", \"Value\": \"Android\"}, {\"Name\": \"BrowserType\", \"Value\": \"AndroidWebViewLollipopAndAbove\"}, {\"Name\": \"SessionId\", \"Value\": \"1584fd84-0508-419e-b678-ac60c80000000000\"}], \"ErrorNumber\": \"0\"}", + "sekoiaio": { + "intake": { + "dialect": "Microsoft 365 / Office 365", + "dialect_uuid": "caa13404-9243-493b-943e-9848cadb1f99" 
+ } + } + }, + "expected": { + "message": "{\"CreationTime\": \"2025-01-02T08:01:41\", \"Id\": \"f96dedc3-0e53-4444-bbbb-ef0000000000000\", \"Operation\": \"UserLoggedIn\", \"OrganizationId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"RecordType\": 15, \"ResultStatus\": \"Success\", \"UserKey\": \"37fc2dfc-bdcc-4444-8fff-8700000b15e3\", \"UserType\": 0, \"Version\": 1, \"Workload\": \"AzureActiveDirectory\", \"ClientIP\": \"2001:4444:1111:5555:3333:1222:bbbb:555\", \"ObjectId\": \"0000000a-0000-0000-c000-000000000000\", \"UserId\": \"Joe.Done@test.fr\", \"AzureActiveDirectoryEventType\": 1, \"ExtendedProperties\": [{\"Name\": \"ResultStatusDetail\", \"Value\": \"Redirect\"}, {\"Name\": \"UserAgent\", \"Value\": \"Mozilla/5.0 (Linux; Android 14; FFF-N49 Build/Test-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.200 Mobile Safari/537.36 PKeyAuth/1.0\"}, {\"Name\": \"RequestType\", \"Value\": \"OrgIdWsFederation:federation\"}], \"ModifiedProperties\": [], \"Actor\": [{\"ID\": \"37fc2dfc-cccc-4888-8fff-00000000000000003\", \"Type\": 0}, {\"ID\": \"Joe.Done@test.fr\", \"Type\": 5}], \"ActorContextId\": \"3e49b082-6666-4444-aaaa-8777777777d2\", \"ActorIpAddress\": \"2000:4444:1111:5555:3333:1111:bbbb:555\", \"InterSystemsId\": \"a282e7bb-2eea-4773-b296-00000000000000\", \"IntraSystemId\": \"f96dedc3-0e53-4724-ba85-000000000000800\", \"SupportTicketId\": \"\", \"Target\": [{\"ID\": \"0000000a-0000-0000-c000-000000000000\", \"Type\": 0}], \"TargetContextId\": \"3e49b082-62d5-4849-a5b0-86ed519287d2\", \"ApplicationId\": \"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223\", \"DeviceProperties\": [{\"Name\": \"OS\", \"Value\": \"Android\"}, {\"Name\": \"BrowserType\", \"Value\": \"AndroidWebViewLollipopAndAbove\"}, {\"Name\": \"SessionId\", \"Value\": \"1584fd84-0508-419e-b678-ac60c80000000000\"}], \"ErrorNumber\": \"0\"}", + "event": { + "action": "UserLoggedIn", + "category": [ + "authentication" + ], + "code": "15", + "outcome": "success", + "type": [ + 
"start" + ] + }, + "@timestamp": "2025-01-02T08:01:41Z", + "action": { + "id": 15, + "name": "UserLoggedIn", + "outcome": "success", + "target": "network-traffic" + }, + "host": { + "os": { + "full": "Android" + } + }, + "office365": { + "audit": { + "object_id": "0000000a-0000-0000-c000-000000000000" + }, + "auth": { + "request_type": "OrgIdWsFederation:federation", + "result_status_detail": "Redirect" + }, + "context": { + "aad_session_id": "1584fd84-0508-419e-b678-ac60c80000000000", + "client": { + "id": "9ba1a5c7-f17a-4de9-a1f1-6178c8d51223", + "name": "Microsoft Intune Company Portal" + }, + "correlation": { + "id": "a282e7bb-2eea-4773-b296-00000000000000" + } + }, + "device": { + "browser_type": "AndroidWebViewLollipopAndAbove" + }, + "error_number": 0, + "record_type": 15, + "result_status": "Success", + "user_type": { + "code": 0, + "name": "Regular" + } + }, + "organization": { + "id": "3e49b082-62d5-4849-a5b0-86ed519287d2" + }, + "related": { + "ip": [ + "2001:4444:1111:5555:3333:1222:bbbb:555" + ], + "user": [ + "Joe.Done@test.fr" + ] + }, + "service": { + "name": "AzureActiveDirectory" + }, + "source": { + "address": "2001:4444:1111:5555:3333:1222:bbbb:555", + "ip": "2001:4444:1111:5555:3333:1222:bbbb:555" + }, + "user": { + "email": "Joe.Done@test.fr", + "id": "37fc2dfc-bdcc-4444-8fff-8700000b15e3", + "name": "Joe.Done@test.fr" + }, + "user_agent": { + "device": { + "name": "FFF-N49" + }, + "name": "Chrome Mobile WebView", + "original": "Mozilla/5.0 (Linux; Android 14; FFF-N49 Build/Test-N49; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/131.0.6778.200 Mobile Safari/537.36 PKeyAuth/1.0", + "os": { + "name": "Android", + "version": "14" + }, + "version": "131.0.6778" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml index 4b07b6065..344b3eec3 100644 --- a/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml 
+++ b/Palo Alto Networks/paloalto-ngfw/_meta/fields.yml
@@ -258,9 +258,9 @@ paloalto.authentication.method:
 name: paloalto.authentication.method
 type: keyword
-paloalto.authetification.profile:
+paloalto.authentication.profile:
 description: The authentication profile
- name: paloalto.authetification.profile
+ name: paloalto.authentication.profile
 type: keyword
 paloalto.connection.method:
diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
index c6cf58abe..b6da444e2 100644
--- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
+++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml
@@ -599,7 +599,7 @@ pipeline:
 properties:
 raise_errors: false
 input_field: "{{parsed_event.message.EventDescription}}"
- pattern: "%{SYSTEM_AUTH_AUTHENTICATION_FOR}|%{CONNECTION}|%{CONTENT}|%{WILDFIRE}|%{NETWORK}|%{PANDB_GENERIC}|%{CLOUD_ELECTION}|%{AUTHENTICATION}|%{REASON1}|%{REASON2}|%{REASON3}|%{REASON4}|%{REASON5}"
+ pattern: "%{SYSTEM_AUTH_AUTHENTICATION_FOR}|%{CONNECTION}|%{CONTENT}|%{WILDFIRE}|%{NETWORK}|%{PANDB_GENERIC}|%{CLOUD_ELECTION}|%{AUTHENTICATION}|%{REASON}"
 custom_patterns:
 SYSTEM_AUTH_AUTHENTICATION_FOR: "authenticated for user '%{USERNAME:user}'. auth profile '%{DATA:auth_profile}', vsys '%{DATA:vsys}', server profile '%{DATA:server_profile}', server address '%{HOSTNAME:server_address}', From: %{IP:src}."
 CONNECTION: "%{CONNECTION_SUCCESS}|%{CONNECTION_TO_SERVER}|%{CONNECTION_REGISTERED}"
@@ -624,10 +624,11 @@ pipeline:
 AUTHENTICATION: "%{AUTHENTICATION_CONSOLE}|%{AUTHENTICATION_WEB}"
 AUTHENTICATION_CONSOLE: "authenticated for user '%{USERNAME:user}'. From: %{IP:src}."
 AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}"
+ REASON: "%{REASON1}|%{REASON2}|%{REASON3}|%{REASON4}|%{REASON5}"
 REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}'
 REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}"
 REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?"
- REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}"
+ REASON4: "failed authentication for user %{USERNAME:user}. Reason: %{GREEDYDATA:reason} auth profile %{DATA:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}."
 REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'
 filter: '{{parsed_event.message.get("EventDescription") != None}}'
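Review bot: REASON5 still captures the principal with `%{WORD:user}` and the profile with `%{WORD:auth_profile}`, so the success counterpart of the event this hunk fixes in REASON4 (a dotted user such as `john.doe` or a hyphenated profile such as `ESA-AUTH`, both present in the new test) falls through unparsed and loses user, profile and source IP; align it: `REASON5: 'authenticated for user %{USERNAME:user}\. auth profile %{DATA:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.'`. The trailing `.` added to REASON4 is unescaped inside a double-quoted pattern and therefore matches any single character rather than the literal period; REASON5 gets away with `\.` only because it is single-quoted (in a YAML double-quoted scalar `\.` is an invalid escape), so either switch REASON4 to single quotes and write `\.` or write `\\.`. Dropping the user on failed and successful authentications is detection-relevant, since brute-force and password-spray content on this log type keys on `user.name` and `source.ip`. The grok stage's `properties:` block opens before this hunk.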
@@ -918,7 +919,7 @@ stages:
 paloalto.threat.id: "{{parsed_event.message.ThreatID or parsed_event.message.PanOSThreatID or parsed_threat.message.threat_code}}"
 paloalto.threat.name: "{{parsed_threat.message.threat_description}}"
 paloalto.vsys: "{{parsed_description.message.vsys}}"
- paloalto.authetification.profile: "{{parsed_description.message.auth_profile}}"
+ paloalto.authentication.profile: "{{parsed_description.message.auth_profile}}"
 paloalto.server.profile: "{{parsed_description.message.server_profile}}"
 paloalto.tls.chain_status: "{{parsed_event.message.ChainStatus}}"
 paloalto.tls.root_status: "{{parsed_event.message.RootStatus}}"
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
index 70c22f924..b6b8bf80a 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/system_csv.json
@@ -36,7 +36,7 @@
 "DGHierarchyLevel4": "0",
 "EventID": "auth-success",
 "Threat_ContentType": "auth",
- "authetification": {
+ "authentication": {
 "profile": "GP"
 },
 "server": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json
index 4fb229b1d..a26347c40 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason2.json
@@ -46,7 +46,7 @@
 "DGHierarchyLevel4": "0",
 "EventID": "auth-success",
 "Threat_ContentType": "auth",
- "authetification": {
+ "authentication": {
 "profile": "FFFF"
 },
 "server": {
diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json
index 6c18a16dc..b8cc8f9f7 100644
--- a/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json
+++ b/Palo Alto Networks/paloalto-ngfw/tests/test_event_reason3.json
@@ -46,7 +46,7 @@ "DGHierarchyLevel4": "0", "EventID": "auth-success", "Threat_ContentType": "auth", - "authetification": { + "authentication": { "profile": "FFFF" }, "server": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json index b4429340a..b7deb24ec 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json @@ -46,7 +46,7 @@ "DGHierarchyLevel4": "0", "EventID": "auth-success", "Threat_ContentType": "auth", - "authetification": { + "authentication": { "profile": "FWPA" }, "server": { diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_14.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_14.json new file mode 100644 index 000000000..d78d4765a --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_14.json @@ -0,0 +1,74 @@ +{ + "input": { + "message": "1,2024/12/16 20:19:04,016301013072,SYSTEM,auth,2561,2024/12/16 20:19:04,,auth-fail,ESA-AUTH,0,0,general,medium,\"failed authentication for user john.doe. Reason: Authentication request is timed out. auth profile ESA-AUTH, vsys vsys1, server profile ESA, server address 1.2.3.4, auth protocol PAP, From: 5.6.7.8.\",7439393285273531690,0x0,0,0,0,0,,FWPADC1,0,0,2024-12-16T20:19:04.851+01:00", + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + } + }, + "expected": { + "message": "1,2024/12/16 20:19:04,016301013072,SYSTEM,auth,2561,2024/12/16 20:19:04,,auth-fail,ESA-AUTH,0,0,general,medium,\"failed authentication for user john.doe. Reason: Authentication request is timed out. auth profile ESA-AUTH, vsys vsys1, server profile ESA, server address 1.2.3.4, auth protocol PAP, 
From: 5.6.7.8.\",7439393285273531690,0x0,0,0,0,0,,FWPADC1,0,0,2024-12-16T20:19:04.851+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "Authentication request is timed out.", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-16T19:19:04.851000Z", + "action": { + "name": "auth-fail", + "type": "auth" + }, + "destination": { + "address": "1.2.3.4", + "ip": "1.2.3.4" + }, + "log": { + "hostname": "FWPADC1", + "level": "medium", + "logger": "system" + }, + "observer": { + "name": "FWPADC1", + "product": "PAN-OS", + "serial_number": "016301013072" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-fail", + "Threat_ContentType": "auth", + "authentication": { + "profile": "ESA-AUTH" + }, + "server": { + "profile": "ESA" + }, + "vsys": "vsys1" + }, + "related": { + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "john.doe" + ] + }, + "source": { + "address": "5.6.7.8", + "ip": "5.6.7.8" + }, + "user": { + "name": "john.doe" + } + } +} \ No newline at end of file diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml index aefbc2559..8b0a6c22f 100644 --- a/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml +++ b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml @@ -1,4 +1,4 @@ -uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630 +uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630 name: Palo Alto Prisma access slug: paloalto-prisma-access description: >- @@ -10,3 +10,4 @@ data_sources: Authentication logs: Prisma Access monitor authentications to resources Web logs: Prisma Access monitor and logs HTTP requests Web application firewall logs: Prisma Access monitor and logs network traffic +automation_module_uuid: 64a3b634-605d-4d69-a203-3a53c0474cae 
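Review bot: The expected output for this `auth-fail` record has `event.category: ["authentication"]` and an `event.reason`, but no `event.outcome`, so a failed authentication is indistinguishable from a success for any rule or dashboard keyed on `event.outcome: failure`; the stage that derives `event.outcome` is outside this diff, so I cannot tell whether `action.name == "auth-fail"` is simply unmapped there, but the fixture should pin `"outcome": "failure"` once it is. `event.type` is `["info"]`, whereas ECS's usual value for authentication events is `["start"]`; that is existing behaviour rather than this change, but worth a look while the auth patterns are being touched. The file also lacks a trailing newline.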
diff --git a/SentinelOne/identity/_meta/fields.yml b/SentinelOne/identity/_meta/fields.yml
index 36e8acf65..f31575843 100644
--- a/SentinelOne/identity/_meta/fields.yml
+++ b/SentinelOne/identity/_meta/fields.yml
@@ -1,3 +1,13 @@
+sentinelone.identity.analystVerdict:
+ description: ''
+ name: sentinelone.identity.analystVerdict
+ type: keyword
+
+sentinelone.identity.analyticsCategory:
+ description: ''
+ name: sentinelone.identity.analyticsCategory
+ type: keyword
+
 sentinelone.identity.attackSurfaces:
 description: ''
 name: sentinelone.identity.attackSurfaces
@@ -28,6 +38,16 @@ sentinelone.identity.result:
 name: sentinelone.identity.result
 type: keyword
+sentinelone.identity.siteId:
+ description: ''
+ name: sentinelone.identity.siteId
+ type: keyword
+
+sentinelone.identity.siteName:
+ description: ''
+ name: sentinelone.identity.siteName
+ type: keyword
+
 sentinelone.identity.status:
 description: ''
 name: sentinelone.identity.status
diff --git a/SentinelOne/identity/ingest/parser.yml b/SentinelOne/identity/ingest/parser.yml
index 90577404d..38cf9fddf 100644
--- a/SentinelOne/identity/ingest/parser.yml
+++ b/SentinelOne/identity/ingest/parser.yml
@@ -57,6 +57,11 @@ stages:
 process.hash.sha256: "{{json_event.message.process.file.sha256}}"
 process.hash.md5: "{{json_event.message.process.file.md5}}"
+ agent.id: "{{json_event.message.asset.agentUuid}}"
+ agent.version: "{{json_event.message.asset.agentVersion}}"
+ host.os.family: "{{json_event.message.asset.osType}}"
+ host.os.version: "{{json_event.message.asset.osVersion}}"
+ sentinelone.identity.id: "{{json_event.message.id}}"
 sentinelone.identity.name: "{{json_event.message.name}}"
 sentinelone.identity.attackSurfaces: "{{json_event.message.attackSurfaces}}"
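Review bot: All four new field declarations ship with `description: ''`, so the intake's generated field reference will list `sentinelone.identity.analystVerdict`, `analyticsCategory`, `siteId` and `siteName` with no explanation even though the parser hunk in this same diff shows exactly what feeds them; for example `description: 'Analyst verdict recorded on the alert (UNDEFINED in the sample data)'`, `description: 'Category of the Singularity Identity analytic that raised the alert (e.g. ADSecure-DC)'`, `description: 'SentinelOne site ID the affected resource belongs to'` and `description: 'SentinelOne site name the affected resource belongs to'`. The surrounding pre-existing entries are empty too, which is presumably why this keeps slipping through, but new fields are the cheap place to stop it.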
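Review bot: `host.os.family` is copied straight from `asset.osType`, which the first new fixture shows carrying the literal sentinel `UNKNOWN` (and the expected output duly stores `host.os.family: "UNKNOWN"`), so an ECS consumer or rule filtering on OS family sees a bogus value rather than an absent one; guard it, e.g. `host.os.family: "{% if json_event.message.asset.osType != 'UNKNOWN' %}{{json_event.message.asset.osType}}{% endif %}"`. `agent.id`, `agent.version` and `host.os.version` are fed from fields the second fixture shows as `null` or `""`; whether the engine drops empty renders I cannot tell from here, and a one-line comment on the stage stating that assumption would help. The `set:` stage these lines belong to begins before this hunk.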
@@ -65,3 +70,26 @@ stages:
 sentinelone.identity.confidenceLevel: "{{json_event.message.confidenceLevel}}"
 sentinelone.identity.result: "{{json_event.message.result}}"
 sentinelone.identity.storyLineId: "{{json_event.message.storyLineId}}"
+ sentinelone.identity.analystVerdict: "{{json_event.message.analystVerdict}}"
+ sentinelone.identity.analyticsCategory: "{{json_event.message.analytics.category}}"
+
+ - set:
+ threat.tactic.id: "[{% for attack in json_event.message.rawData.finding_info.attacks %}{% for tactic in attack['tactics'] %}'{{tactic.uid}}',{% endfor %}{% endfor %}]"
+ threat.tactic.name: "[{% for attack in json_event.message.rawData.finding_info.attacks %}{% for tactic in attack['tactics'] %}'{{tactic.name}}',{% endfor %}{% endfor %}]"
+ filter: "{{json_event.message.get('rawData', {}).get('finding_info', {}).get('attacks', []) | length > 0}}"
+
+ - set:
+ host.name: "{{json_event.message.rawData.resources[0].name}}"
+ organization.id: "{{json_event.message.rawData.resources[0].s1_metadata.account_id}}"
+ organization.name: "{{json_event.message.rawData.resources[0].s1_metadata.account_name}}"
+ sentinelone.identity.siteId: "{{json_event.message.rawData.resources[0].s1_metadata.site_id}}"
+ sentinelone.identity.siteName: "{{json_event.message.rawData.resources[0].s1_metadata.site_name}}"
+ filter: "{{json_event.message.get('rawData', {}).get('resources', []) | length > 0}}"
+
+ - set:
+ destination.domain: "{{json_event.message.rawData.evidences[0].dst_endpoint.hostname}}"
+ destination.ip: "{{json_event.message.rawData.evidences[0].dst_endpoint.ip}}"
+ source.domain: "{{json_event.message.rawData.evidences[0].src_endpoint.hostname}}"
+ source.ip: "{{json_event.message.rawData.evidences[0].src_endpoint.ip}}"
+ user.name: "{{json_event.message.rawData.evidences[0].actor.user.name}}"
+ filter: "{{json_event.message.get('rawData', {}).get('evidences', []) | length > 0}}"
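Review bot: The `attacks` loop maps only `tactics` into `threat.tactic.*`, while the same objects carry `technique.uid`/`technique.name` (T1003 / OS Credential Dumping in the first new fixture) for which ECS has `threat.technique.id`/`threat.technique.name`, the fields most detection and ATT&CK-coverage content actually keys on; add next to the two tactic lines `threat.technique.id: "[{% for attack in json_event.message.rawData.finding_info.attacks %}'{{attack.technique.uid}}',{% endfor %}]"` and the same shape for `threat.technique.name`. The lists are rendered as string literals with single-quoted items, so a tactic or technique name containing an apostrophe would corrupt the rendered list; if the engine offers an escaping filter use it, otherwise note the limitation in a comment. Visible in context rather than in the change: `sentinelone.identity.storyLineId` reads `json_event.message.storyLineId`, but both new fixtures spell the key `storylineId`, so the field can never populate from this payload. The two `[0]` stages map only the first resource and first evidence; a comment saying so (and that `evidences[0]` may be an empty object, as the second fixture shows) would spare the next reader a check.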
diff --git a/SentinelOne/identity/tests/test_alert_1_detailed.json b/SentinelOne/identity/tests/test_alert_1_detailed.json new file mode 100644 index 000000000..aaa2524e4 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_1_detailed.json 
@@ -0,0 +1,90 @@ +{ + "input": { + "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ADSecure-DC\"\n },\n \"asset\": {\n \"agentUuid\": \"123123123123123\",\n \"agentVersion\": \"AgentVersion1\",\n \"category\": \"Server\",\n \"name\": \"VM0001.LAB\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"1.1\",\n \"subcategory\": \"Other Server\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is generated when a DCSync attack is detected.\",\n \"detectedAt\": \"2024-12-11T13:11:48.487Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"id\": \"19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b\",\n \"lastSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"name\": \"DCSync Attack Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {\n\"name\":\"test_user\", \"domain\": \"LAB\"\n }\n },\n \"dst_endpoint\": {\n \"hostname\": \"VM0001\",\n \"ip\": \"5.6.7.8\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"src_endpoint\": {\n \"hostname\":\"tes.test\", \"ip\": \"1.2.3.4\"\n }\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ADSecure-DC\",\n \"type_id\": 1,\n \"uid\": \"ADSecure-DC\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"OS Credential Dumping\",\n \"uid\": \"T1003\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is generated when a DCSync attack is detected.\",\n \"first_seen_time\": \"1733922708487\",\n \"internal_uid\": \"d2dfca23-c7c7-409d-840c-cc0702ef7eb7\",\n \"kill_chain\": [\n {\n 
\"phase_id\": 2\n }\n ],\n \"last_seen_time\": \"1733922708487\",\n \"related_events\": [\n {\n \"message\": \"An authorized session has been detected with a certain privilege which could be result of an privilege escalation.\",\n \"severity_id\": 5,\n \"time\": \"1733922708487\",\n \"type\": \"Authorize Session: Other\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n }\n ],\n \"title\": \"DCSync Attack Detected\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"message\": \"This event is generated when a DCSync attack is detected.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5001802:Attacker IP=1.2.3.4 Source Port=49970 Target IP=5.6.7.8 Target Port=49155 Severity=14 Domain=LAB userName=john.doe dc_host=VM00001 CA_STATUS=ALERT client_id=xxxxxxx-xxxxxx-xxxx-xxxxxxx subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"123123123123123123\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1234567890\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 123123,\n \"scope_id\": \"1234567890\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1234567890\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 5,\n \"status_id\": 1,\n \"time\": \"1733922708487\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null\n}" + }, + "expected": { + "message": "{\n 
\"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ADSecure-DC\"\n },\n \"asset\": {\n \"agentUuid\": \"123123123123123\",\n \"agentVersion\": \"AgentVersion1\",\n \"category\": \"Server\",\n \"name\": \"VM0001.LAB\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"1.1\",\n \"subcategory\": \"Other Server\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is generated when a DCSync attack is detected.\",\n \"detectedAt\": \"2024-12-11T13:11:48.487Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"id\": \"19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b\",\n \"lastSeenAt\": \"2024-12-11T13:11:48.487Z\",\n \"name\": \"DCSync Attack Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {\n\"name\":\"test_user\", \"domain\": \"LAB\"\n }\n },\n \"dst_endpoint\": {\n \"hostname\": \"VM0001\",\n \"ip\": \"5.6.7.8\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"src_endpoint\": {\n \"hostname\":\"tes.test\", \"ip\": \"1.2.3.4\"\n }\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ADSecure-DC\",\n \"type_id\": 1,\n \"uid\": \"ADSecure-DC\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"OS Credential Dumping\",\n \"uid\": \"T1003\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is generated when a DCSync attack is detected.\",\n \"first_seen_time\": \"1733922708487\",\n \"internal_uid\": \"d2dfca23-c7c7-409d-840c-cc0702ef7eb7\",\n \"kill_chain\": [\n {\n \"phase_id\": 2\n }\n ],\n \"last_seen_time\": 
\"1733922708487\",\n \"related_events\": [\n {\n \"message\": \"An authorized session has been detected with a certain privilege which could be result of an privilege escalation.\",\n \"severity_id\": 5,\n \"time\": \"1733922708487\",\n \"type\": \"Authorize Session: Other\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n }\n ],\n \"title\": \"DCSync Attack Detected\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\"\n },\n \"message\": \"This event is generated when a DCSync attack is detected.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5001802:Attacker IP=1.2.3.4 Source Port=49970 Target IP=5.6.7.8 Target Port=49155 Severity=14 Domain=LAB userName=john.doe dc_host=VM00001 CA_STATUS=ALERT client_id=xxxxxxx-xxxxxx-xxxx-xxxxxxx subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"123123123123123123\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1234567890\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 123123,\n \"scope_id\": \"1234567890\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1234567890\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"xxxxx-xxxxx-xxxxx-xxxxxxxxxxx\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 5,\n \"status_id\": 1,\n \"time\": \"1733922708487\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null\n}", + "event": { + "category": "intrusion_detection", + "end": "2024-12-11T13:11:48.487000Z", + 
"kind": "alert", + "provider": "Identity", + "reason": "This event is generated when a DCSync attack is detected.", + "start": "2024-12-11T13:11:48.487000Z", + "type": "info" + }, + "@timestamp": "2024-12-11T13:11:48.487000Z", + "agent": { + "id": "123123123123123", + "version": "AgentVersion1" + }, + "destination": { + "address": "VM0001", + "domain": "VM0001", + "ip": "5.6.7.8" + }, + "host": { + "name": "VM0001.LAB", + "os": { + "family": "UNKNOWN", + "version": "1.1" + } + }, + "observer": { + "product": "Singularity Identity", + "vendor": "SentinelOne" + }, + "organization": { + "id": "123123123123123123", + "name": "EXAMPLE CORP" + }, + "related": { + "hosts": [ + "VM0001", + "tes.test" + ], + "ip": [ + "1.2.3.4", + "5.6.7.8" + ], + "user": [ + "test_user" + ] + }, + "sentinelone": { + "identity": { + "analystVerdict": "UNDEFINED", + "analyticsCategory": "ADSecure-DC", + "attackSurfaces": [ + "IDENTITY" + ], + "classification": "UNKNOWN", + "confidenceLevel": "MALICIOUS", + "id": "19b5cab4-9fdc-49f9-9641-dae9ed9b1c3b", + "name": "DCSync Attack Detected", + "siteId": "1234567890", + "siteName": "Sekoia.io", + "status": "NEW" + } + }, + "source": { + "address": "tes.test", + "domain": "tes.test", + "ip": "1.2.3.4", + "subdomain": "tes" + }, + "threat": { + "tactic": { + "id": [ + "TA006" + ], + "name": [ + "Credential Access" + ] + } + }, + "user": { + "name": "test_user" + } + } +} \ No newline at end of file diff --git a/SentinelOne/identity/tests/test_alert_2_detailed.json b/SentinelOne/identity/tests/test_alert_2_detailed.json new file mode 100644 index 000000000..fed8c7e68 --- /dev/null +++ b/SentinelOne/identity/tests/test_alert_2_detailed.json 
@@ -0,0 +1,58 @@
+{
+ "input": {
+ "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ThreatPath\"\n },\n \"asset\": {\n \"agentUuid\": null,\n \"agentVersion\": null,\n \"category\": \"Workstation\",\n \"name\": \"Unknown\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"\",\n \"subcategory\": \"Other Workstation\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"detectedAt\": \"2024-12-24T05:47:33.726Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"id\": \"0193f734-d130-773a-815c-fbfe892a2635\",\n \"lastSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"name\": \"New AD Privilege Accounts Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {}\n },\n \"dst_endpoint\": {},\n \"src_endpoint\": {}\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ThreatPath\",\n \"type_id\": 1,\n \"uid\": \"ThreatPath\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"id\": \"xxx-xxx-xxxx\", \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"Exploitation for Credential Access\",\n \"uid\": \"T1212\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"first_seen_time\": \"1735026290990\",\n \"internal_uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"kill_chain\": [\n {\n \"phase_id\": 0\n }\n ],\n \"last_seen_time\": \"1735026290990\",\n \"title\": \"New AD Privilege Accounts Detected\",\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\"\n },\n \"message\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5006406:AD Privilege Accounts credentials(S1-Local-Admin) detected in domain:LAB, ip:vm00001.lab at timestamp:1733309067716 of severity:8 subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"617755838952421242\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1107851598374945694\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 86061,\n \"scope_id\": \"1107851598374945694\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1107851598374945694\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"70629f7d-e514-4a71-b88d-28a466d0fa02VM0001\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 3,\n \"status_id\": 1,\n \"time\": \"1735026290990\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null}"
+ },
+ "expected": {
+ "message": "{\n \"analystVerdict\": \"UNDEFINED\",\n \"analytics\": {\n \"category\": \"ThreatPath\"\n },\n \"asset\": {\n \"agentUuid\": null,\n \"agentVersion\": null,\n \"category\": \"Workstation\",\n \"name\": \"Unknown\",\n \"osType\": \"UNKNOWN\",\n \"osVersion\": \"\",\n \"subcategory\": \"Other Workstation\",\n \"type\": \"UNKNOWN\"\n },\n \"assignee\": null,\n \"attackSurfaces\": [\n \"IDENTITY\"\n ],\n \"classification\": \"UNKNOWN\",\n \"confidenceLevel\": \"MALICIOUS\",\n \"description\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"detectedAt\": \"2024-12-24T05:47:33.726Z\",\n \"detectionSource\": {\n \"product\": \"Identity\"\n },\n \"firstSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"id\": \"0193f734-d130-773a-815c-fbfe892a2635\",\n \"lastSeenAt\": \"2024-12-24T05:47:33.726Z\",\n \"name\": \"New AD Privilege Accounts Detected\",\n \"process\": null,\n \"rawData\": {\n \"activity_id\": 2,\n \"activity_name\": \"Update\",\n \"attack_surface_ids\": [\n 4\n ],\n \"category_uid\": 2,\n \"class_uid\": 99602001,\n \"confidence_id\": 3,\n \"evidences\": [\n {\n \"actor\": {\n \"user\": {}\n },\n \"dst_endpoint\": {},\n \"src_endpoint\": {}\n }\n ],\n \"finding_info\": {\n \"analytic\": {\n \"category\": \"ThreatPath\",\n \"type_id\": 1,\n \"uid\": \"ThreatPath\"\n },\n \"attacks\": [\n {\n \"tactics\": [\n {\n \"id\": \"xxx-xxx-xxxx\", \"name\": \"Credential Access\",\n \"uid\": \"TA006\"\n }\n ],\n \"technique\": {\n \"name\": \"Exploitation for Credential Access\",\n \"uid\": \"T1212\"\n },\n \"version\": \"ATT&CK v11\"\n }\n ],\n \"desc\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"first_seen_time\": \"1735026290990\",\n \"internal_uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"kill_chain\": [\n {\n \"phase_id\": 0\n }\n ],\n \"last_seen_time\": \"1735026290990\",\n \"title\": \"New AD Privilege Accounts Detected\",\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\"\n },\n \"message\": \"This event is triggered when a new Privilege Account has been detected in the Active Directory.\",\n \"metadata\": {\n \"extension\": {\n \"name\": \"s1\",\n \"uid\": \"996\",\n \"version\": \"0.1.0\"\n },\n \"product\": {\n \"name\": \"Identity\",\n \"vendor_name\": \"SentinelOne\"\n },\n \"uid\": \"316e8d31-9bc5-49b6-a0e2-49f9795bf9e9\",\n \"version\": \"1.1.0-dev\"\n },\n \"raw_data\": \"5006406:AD Privilege Accounts credentials(S1-Local-Admin) detected in domain:LAB, ip:vm00001.lab at timestamp:1733309067716 of severity:8 subscriberId:6666\",\n \"resources\": [\n {\n \"internal_uid\": \"11111111111111111111111111\",\n \"name\": \"VM0001.LAB\",\n \"s1_metadata\": {\n \"account_id\": \"617755838952421242\",\n \"account_name\": \"EXAMPLE CORP\",\n \"group_id\": \"1107851598374945694\",\n \"group_name\": \"Default Group\",\n \"mgmt_id\": 86061,\n \"scope_id\": \"1107851598374945694\",\n \"scope_level\": \"Group\",\n \"site_id\": \"1107851598374945694\",\n \"site_name\": \"Sekoia.io\"\n },\n \"type\": \"server::other_server::windows_server\",\n \"uid\": \"70629f7d-e514-4a71-b88d-28a466d0fa02VM0001\",\n \"version\": \"Microsoft Windows Server 2012 R2 Standard 64-bit\"\n }\n ],\n \"s1_classification_id\": 0,\n \"severity_id\": 3,\n \"status_id\": 1,\n \"time\": \"1735026290990\",\n \"type_name\": \"\",\n \"type_uid\": \"9960200101\",\n \"unmapped\": {},\n \"verdict_detail_id\": 0,\n \"verdict_id\": 0\n },\n \"result\": null,\n \"status\": \"NEW\",\n \"storylineId\": null}",
+ "event": {
+ "category": "intrusion_detection",
+ "end": "2024-12-24T05:47:33.726000Z",
+ "kind": "alert",
+ "provider": "Identity",
+ "reason": "This event is triggered when a new Privilege Account has been detected in the Active Directory.",
+ "start": "2024-12-24T05:47:33.726000Z",
+ "type": "info"
+ },
+ "@timestamp": "2024-12-24T05:47:33.726000Z",
+ "host": {
+ "name": "VM0001.LAB",
+ "os": {
+ "family": "UNKNOWN"
+ }
+ },
+ "observer": {
+ "product": "Singularity Identity",
+ "vendor": "SentinelOne"
+ },
+ "organization": {
+ "id": "617755838952421242",
+ "name": "EXAMPLE CORP"
+ },
+ "sentinelone": {
+ "identity": {
+ "analystVerdict": "UNDEFINED",
+ "analyticsCategory": "ThreatPath",
+ "attackSurfaces": [
+ "IDENTITY"
+ ],
+ "classification": "UNKNOWN",
+ "confidenceLevel": "MALICIOUS",
+ "id": "0193f734-d130-773a-815c-fbfe892a2635",
+ "name": "New AD Privilege Accounts Detected",
+ "siteId": "1107851598374945694",
+ "siteName": "Sekoia.io",
+ "status": "NEW"
+ }
+ },
+ "threat": {
+ "tactic": {
+ "id": [
+ "TA006"
+ ],
+ "name": [
+ "Credential Access"
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/utils/pyproject.toml b/utils/pyproject.toml
index bcf1fce97..6993a83c9 100644
--- a/utils/pyproject.toml
+++ b/utils/pyproject.toml
@@ -3,6 +3,7 @@ name = "intake-formats" version = "0.1.0" description = "Sekoia.io Intake Formats" authors = [] +package-mode = false [tool.poetry.dependencies] python = "^3.10"
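Review bot: The expected document in test_alert_2_detailed.json keeps only the ATT&CK tactic from `finding_info.attacks[]` and drops the technique the input carries (`\"uid\": \"T1212\"`, `\"name\": \"Exploitation for Credential Access\"`), so the fixture pins a normalisation that loses the most specific detection attribute; the preceding SentinelOne identity fixture (DCSync) has the same gap. If the parser is meant to mirror the full ATT&CK mapping, the expected `threat` object should also carry `"technique": {"id": ["T1212"], "name": ["Exploitation for Credential Access"]}`. Likewise the input's `severity_id: 3` and `confidenceLevel: MALICIOUS` are not reflected anywhere in the expected ECS output (for example as `event.severity`), which leaves analysts without a numeric field to triage on. The parser itself is outside this diff, so whether these are parser gaps or deliberate omissions cannot be confirmed here.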