Merge branch 'main' into fix(suricata)rpd_smart_desc

CybeReason/malop-json/_meta/manifest.yml

@@ -1,7 +1,7 @@
 uuid: 9f89b634-0531-437b-b060-a9d9f2d270db
 name: Cybereason EDR
 slug: cybereason-malop-json
-automation_connector_uuid: ff092b32-68dc-11ee-8c99-0242ac120002
+automation_connector_uuid: 8128d255-22df-4f4c-96af-ca6c1123f4cf
 automation_module_uuid: b96361fb-a01b-4ae7-8927-9622b9ea0acf
 
 description: >-

HarfangLab/harfanglab/tests/alert_5.json

@@ -0,0 +1,89 @@
+{
+  "input": {
+    "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "HarfangLab EDR",
+        "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+    "event": {
+      "dataset": "alert",
+      "kind": "alert",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-11-12T08:39:14.017000Z",
+    "action": {
+      "properties": {
+        "MemberName": "DOEJ",
+        "SubjectDomainName": "NT_DOMAIN",
+        "SubjectLogonId": "0x1234567",
+        "SubjectUserName": "sw-suser",
+        "SubjectUserSid": "S-1-2-4-5-6",
+        "TargetDomainName": "Builtin",
+        "TargetSid": "S-1-2-3-4",
+        "TargetUserName": "Administrateurs"
+      }
+    },
+    "agent": {
+      "id": "11111111-aaaa-2222-bbbb-333333333333",
+      "name": "harfanglab"
+    },
+    "harfanglab": {
+      "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb",
+      "alert_subtype": "eventlog",
+      "alert_time": "2024-11-12T08:39:14.017+00:00",
+      "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc",
+      "execution": 0,
+      "groups": [
+        "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}",
+        "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
+      ],
+      "level": "medium",
+      "status": "new"
+    },
+    "host": {
+      "domain": "NT_DOMAIN",
+      "hostname": "PC01",
+      "name": "PC01",
+      "os": {
+        "full": "Windows 10 Enterprise",
+        "version": "10.0.19045"
+      }
+    },
+    "log": {
+      "hostname": "PC01"
+    },
+    "organization": {
+      "id": "3b37ffc8520ef542"
+    },
+    "related": {
+      "hosts": [
+        "PC01"
+      ],
+      "user": [
+        "sw-suser"
+      ]
+    },
+    "rule": {
+      "category": "sigma",
+      "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.",
+      "id": "12345678-abcd-ef90-1234-123456abcdef",
+      "name": "User Account Added to the Local Administrators Group"
+    },
+    "user": {
+      "domain": "NT_DOMAIN",
+      "name": "sw-suser",
+      "roles": "Postesdetravail,Postesdetravail:Lot3",
+      "target": {
+        "domain": "Builtin",
+        "name": "Administrateurs"
+      }
+    }
+  }
+}

Microsoft/microsoft-365-defender/_meta/manifest.yml

@@ -1,11 +1,11 @@
 uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f
-name: Microsoft 365 Defender
+name: Microsoft Defender XDR / Microsoft 365 Defender
 slug: microsoft-365-defender
 automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef
 automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac
 
 description: >-
-  Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
+  Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications.
 
   Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
 

Netskope/netskope_events/ingest/parser.yml

@@ -37,6 +37,7 @@ stages:
           observer.vendor: "Netskope"
           event.dataset: "{{parsed_event.message.type}}"
           event.action: "{{parsed_event.message.activity}}"
+          action.name: "{{parsed_event.message.action or 'Allow'}}"
           event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}"
           event.duration: "{{parsed_event.message.conn_duration}}"
           user_agent.original: "{{parsed_event.message.user_agent}}"
@@ -92,6 +93,9 @@ stages:
       - set:
           file.path: "{{parsed_event.message.file_path}}"
         filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}'
+      - set:
+          file.size: "{{parsed_event.message.file_size}}"
+        filter: "{{parsed_event.message.file_size not in [None, 0]}}"
       - translate:
         dictionary:
           "yes": "alert"

Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T00:29:01Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T11:09:47Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

Netskope/netskope_events/tests/test_audit_log_login_failed.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T12:20:31Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

Netskope/netskope_events/tests/test_audit_log_login_successful.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-12-22T16:38:07Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

Netskope/netskope_events/tests/test_audit_log_logout_successful.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-12-07T10:46:07Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

Netskope/netskope_events/tests/test_audit_log_password_change_successful.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T11:09:47Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

Netskope/netskope_events/tests/test_connection_log.json

@@ -19,6 +19,9 @@
       ]
     },
     "@timestamp": "2022-12-21T16:12:20Z",
+    "action": {
+      "name": "Allow"
+    },
     "destination": {
       "address": "5.6.7.8",
       "bytes": 0,

Netskope/netskope_events/tests/test_dlp_incident.json

@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2023-01-31T08:11:53Z",
+    "action": {
+      "name": "Allow"
+    },
     "cloud": {
       "instance": {
         "id": "example.org"
@@ -30,7 +33,8 @@
       "hash": {
         "md5": "68b329da9893e34099c7d8ad5cb9c940"
       },
-      "mime_type": "eicar.txt"
+      "mime_type": "eicar.txt",
+      "size": 19154
     },
     "http": {
       "request": {

Netskope/netskope_events/tests/test_malware_alert.json

@@ -17,6 +17,9 @@
       ]
     },
     "@timestamp": "2022-12-21T14:12:08Z",
+    "action": {
+      "name": "Detection"
+    },
     "destination": {
       "address": "5.6.7.8",
       "bytes": 0,
@@ -36,7 +39,8 @@
       "hash": {
         "md5": "68b329da9893e34099c7d8ad5cb9c940"
       },
-      "name": "eicarcom2.zip"
+      "name": "eicarcom2.zip",
+      "size": 308
     },
     "host": {
       "name": "MacBook Pro",