Merge pull request #1355 from SEKOIA-IO/fix/OCSFNetworkActivity

OCSF: fix destination.ip
SEKOIA-IO · Nov 14, 2024 · d4259d9 · d4259d9
2 parents cab3f8f + b2374d1
commit d4259d9
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
@@ -567,9 +567,11 @@ stages:
           destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}"
         filter: "{{ parse_event.message.dst_endpoint.get('hostname') != None }}"
       - set:
-          destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
           destination.mac: "{{ parse_event.message.dst_endpoint.mac }}"
           destination.port: "{{ parse_event.message.dst_endpoint.port }}"
+      - set:
+          destination.ip: "{{ parse_event.message.dst_endpoint.ip }}"
+        filter: "{{ parse_event.message.dst_endpoint.ip | is_ipaddress }}"
       - set:
           network.application: "{{ parse_event.message.dst_endpoint.svc_name }}"
         filter: "{{ parse_event.message.dst_endpoint.get('svc_name') != None }}"

diff --git a/OCSF/ocsf/tests/test_network_activity_7.json b/OCSF/ocsf/tests/test_network_activity_7.json
@@ -0,0 +1,42 @@
+{
+  "input": {
+    "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "OCSF [BETA]",
+        "dialect_uuid": "a9c959ac-78ec-47a4-924e-8156a77cebf5"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"metadata\":{\"product\":{\"version\":\"5\",\"name\":\"Amazon VPC\",\"feature\":{\"name\":\"Flowlogs\"},\"vendor_name\":\"AWS\"},\"profiles\":[\"cloud\",\"security_control\",\"datetime\"],\"version\":\"1.1.0\"},\"cloud\":{\"account\":{\"uid\":\"111111111111\"},\"region\":\"eu-west-3\",\"zone\":\"euw3-az1\",\"provider\":\"AWS\"},\"src_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":\"eni-11111111111111111\",\"vpc_uid\":\"vpc-11111111111111111\",\"instance_uid\":\"-\",\"subnet_uid\":\"subnet-11111111111111111\"},\"dst_endpoint\":{\"port\":null,\"svc_name\":\"-\",\"ip\":\"-\",\"intermediate_ips\":null,\"interface_uid\":null,\"vpc_uid\":null,\"instance_uid\":null,\"subnet_uid\":null},\"connection_info\":{\"protocol_num\":null,\"tcp_flags\":null,\"protocol_ver\":\"-\",\"boundary_id\":99,\"boundary\":null,\"direction_id\":99,\"direction\":\"-\"},\"traffic\":null,\"time\":1731529427000,\"time_dt\":1731529427000,\"start_time_dt\":1731529427000,\"end_time_dt\":1731529458000,\"status_code\":\"NODATA\",\"severity_id\":1,\"severity\":\"Informational\",\"class_name\":\"Network Activity\",\"class_uid\":4001,\"category_name\":\"Network Activity\",\"category_uid\":4,\"activity_name\":\"Unknown\",\"activity_id\":0,\"action\":\"-\",\"action_id\":99,\"disposition\":\"-\",\"type_uid\":400100,\"type_name\":\"Network Activity: Unknown\",\"accountid\":null,\"region\":null,\"asl_version\":null,\"unmapped\":[[\"sublocation_id\",\"-\"],[\"sublocation_type\",\"-\"]],\"observables\":null}\n",
+    "event": {
+      "action": "unknown",
+      "category": [
+        "network"
+      ],
+      "end": "2024-11-13T20:24:18Z",
+      "kind": "event",
+      "severity": 1,
+      "start": "2024-11-13T20:23:47Z",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-11-13T20:23:47Z",
+    "cloud": {
+      "account": {
+        "id": "111111111111"
+      },
+      "availability_zone": "euw3-az1",
+      "provider": "AWS",
+      "region": "eu-west-3"
+    },
+    "ocsf": {
+      "activity_id": 0,
+      "activity_name": "Unknown",
+      "class_name": "Network Activity",
+      "class_uid": 4001
+    }
+  }
+}