Merge pull request #1389 from SEKOIA-IO/fix/cybereason_extract_fields
Fix: Extract more fields for Cybereason (311)
squioc authored Dec 11, 2024
2 parents f6b8b85 + 6ebec57 commit d3de885
Showing 3 changed files with 82 additions and 2 deletions.
33 changes: 33 additions & 0 deletions CybeReason/malop-json/ingest/parser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -61,19 +61,43 @@ stages:
- set:
observer.vendor: "Cybereason"
observer.product: "Cybereason"

handle_malop:
actions:
- set:
"@timestamp": "{{parsed_timestamp.datetime}}"
filter: "{{parsed_event.message.lastUpdateTime != null}}"

- set:
file.name: "{{parsed_event.message.primaryRootCauseName}}"
file.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}"
filter: '{{parsed_event.message.rootCauseElementType == "File"}}'

- set:
process.name: "{{parsed_event.message.primaryRootCauseName}}"
process.hash.sha1: "{{parsed_event.message.rootCauseElementHashes}}"
filter: '{{parsed_event.message.rootCauseElementType == "Process"}}'

- set:
host.os.type: "{{parsed_event.message.machines[0].get('osType', '').lower()}}"
host.name: "{{parsed_event.message.machines[0].get('displayName')}}"
host.domain: "{{parsed_event.message.machines[0].get('adDNSHostName')}}"
cybereason.malop.host.id: "{{parsed_event.message.machines[0].get('guid')}}"
cybereason.malop.host.is_online: "{{parsed_event.message.machines[0].get('connected')}}"
cybereason.malop.host.is_isolated: "{{parsed_event.message.machines[0].get('isolated')}}"
filter: "{{parsed_event.message.get('machines', []) != []}}"

- set:
user.name: "{{parsed_event.message.users[0].get('displayName')}}"
cybereason.malop.user.id: "{{parsed_event.message.users[0].get('guid')}}"
cybereason.malop.user.is_admin: "{{parsed_event.message.users[0].get('admin')}}"
filter: "{{parsed_event.message.get('users', []) != []}}"

- set:
user.name: '{{parsed_event.message.users[0].displayName.split("\\")[1]}}'
user.domain: '{{parsed_event.message.users[0].displayName.split("\\")[0]}}'
filter: '{{parsed_event.message.get("users", []) != [] and "\\" in parsed_event.message.users[0].get("displayName")}}'

- set:
event.kind: "alert"
event.category: ["malware"]
Expand All @@ -88,22 +112,28 @@ stages:
cybereason.malop.root_cause.type: "{{parsed_event.message.rootCauseElementType}}"
cybereason.malop.root_cause.name: "{{parsed_event.message.primaryRootCauseName}}"
cybereason.malop.is_edr: "{{parsed_event.message.edr}}"

- set:
cybereason.malop.created_at: "{{parsed_creation_time.datetime}}"
filter: "{{parsed_event.message.malopCloseTime != null}}"

- set:
cybereason.malop.modified_at: "{{parsed_timestamp.datetime}}"
filter: "{{parsed_event.message.creationTime != null}}"

- set:
cybereason.malop.closed_at: "{{parsed_closing_time.datetime}}"
filter: "{{parsed_event.message.malopCloseTime != null}}"

handle_model:
actions:
- set:
"@timestamp": "{{parsed_timestamp.datetime}}"
filter: "{{parsed_event.message.metadata.timestamp != null}}"

- set:
cybereason.malop.id: "{{parsed_event.message.metadata.malopGuid}}"

handle_machine_model:
actions:
- set:
Expand All @@ -118,6 +148,7 @@ stages:
- set:
host.os.type: "{{parsed_event.message.osType.lower()}}"
filter: "{{parsed_event.message.osType != null}}"

handle_user_model:
actions:
- set:
Expand All @@ -127,10 +158,12 @@ stages:
user.name: "{{parsed_event.message.displayName}}"
cybereason.malop.user.id: "{{parsed_event.message.guid}}"
cybereason.malop.user.is_admin: "{{parsed_event.message.admin}}"

- set:
user.name: '{{parsed_event.message.displayName.split("\\")[1]}}'
user.domain: '{{parsed_event.message.displayName.split("\\")[0]}}'
filter: '{{parsed_event.message.displayName != null and "\\" in parsed_event.message.displayName}}'

handle_file_suspect_model:
actions:
- set:
Expand Down
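Review bot: The new user-split stage's filter calls `parsed_event.message.users[0].get("displayName")` with no default, so a user entry that lacks `displayName` makes the `"\\" in …` test operate on None and fail rather than evaluate to false; the sibling stage in handle_user_model guards with `displayName != null` first, and this one should be equivalent, e.g. `filter: '{{parsed_event.message.get("users", []) != [] and "\\" in (parsed_event.message.users[0].get("displayName") or "")}}'`. The same applies to the `.get('machines', []) != []` / `.get('users', []) != []` guards: an explicit `machines: null` in the payload passes the check and then `[0]` fails, which `(parsed_event.message.get("machines") or []) != []` would cover. Taking `.split("\\")[1]` keeps only the second backslash-separated component, which is fine for `DOMAIN\user` but silently drops anything after a further backslash; `.split("\\", 1)[1]` is safer if such names can occur (cannot confirm from here). Pre-existing context in this hunk, but worth a look while here: `cybereason.malop.created_at` is gated on `malopCloseTime != null` while `modified_at` is gated on `creationTime != null`, which looks like the two filters are swapped.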
26 changes: 25 additions & 1 deletion CybeReason/malop-json/tests/test_malop.json
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,11 @@
],
"type": "CUSTOM_RULE"
},
"host": {
"id": "-576002811.1198775089551518743",
"is_isolated": false,
"is_online": true
},
"id": "11.-6654920844431693523",
"is_edr": "true",
"modified_at": "2022-11-20T12:02:17.625000Z",
Expand All @@ -33,7 +38,17 @@
"type": "Process"
},
"severity": "High",
"status": "Active"
"status": "Active",
"user": {
"id": "0.2548072792133848559",
"is_admin": true
}
}
},
"host": {
"name": "win-cybereason",
"os": {
"type": "windows"
}
},
"observer": {
Expand All @@ -42,6 +57,15 @@
},
"process": {
"name": "cymulateagent.exe"
},
"related": {
"user": [
"administrator"
]
},
"user": {
"domain": "win-cybereason",
"name": "administrator"
}
}
}
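Review bot: The expected document now mixes representations for flag fields: `"is_edr": "true"` is a JSON string while the newly added `"is_online": true` and `"is_admin": true` are JSON booleans. A detection written as `cybereason.malop.is_edr: true` will therefore not behave like the host/user flags, and consumers have to remember which ones are strings. `is_edr` pre-dates this commit, so this is a follow-up rather than a blocker, but if the parser can coerce `edr` to a boolean the fixture should expect `true` here for consistency with the fields this change adds.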
25 changes: 24 additions & 1 deletion CybeReason/malop-json/tests/test_malop_detail.json
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,11 @@
],
"type": "KNOWN_MALWARE"
},
"host": {
"id": "-576002811.1198775089551518743",
"is_isolated": false,
"is_online": false
},
"id": "11.7498520112250262440",
"is_edr": "false",
"modified_at": "2022-11-14T02:19:45.000000Z",
Expand All @@ -33,7 +38,11 @@
"type": "File"
},
"severity": "Low",
"status": "Closed"
"status": "Closed",
"user": {
"id": "0.2548072792133848559",
"is_admin": false
}
}
},
"file": {
Expand All @@ -42,14 +51,28 @@
},
"name": "kprocesshacker.sys"
},
"host": {
"domain": "desktop-aaaaaa.example.org",
"name": "desktop-aaaaaa",
"os": {
"type": "windows"
}
},
"observer": {
"product": "Cybereason",
"vendor": "Cybereason"
},
"related": {
"hash": [
"adc83b19e793491b1c6ea0fd8b46cd9f32e592fc"
],
"user": [
"system"
]
},
"user": {
"domain": "desktop-aaaaa",
"name": "system"
}
}
}
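Review bot: `host.domain` here carries `desktop-aaaaaa.example.org`, i.e. the full AD DNS host name, while ECS defines `host.domain` as the domain the host is a member of (`example.org` / the AD domain), with the host's own name in `host.name`. Filling `host.domain` with the FQDN makes domain-based correlation with other sources inconsistent; consider deriving `host.domain` from the part after the first dot and keeping the full `adDNSHostName` in a vendor field if it is needed verbatim. Separately, `user.domain` is `desktop-aaaaa` while `host.name` is `desktop-aaaaaa` (one fewer `a`); if the input fixture genuinely contains that, fine, otherwise it is a typo in the expected output. The input fixture is not visible from here, so this needs checking against it.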
