From 81af8ce7ab0e33cdb80e2a599e2a417641a45c5d Mon Sep 17 00:00:00 2001 From: Erwan Chevalier Date: Fri, 29 Nov 2024 16:20:57 +0100 Subject: [PATCH 01/12] fix(suricata): missing rdp smart description --- .../suricata/_meta/smart-descriptions.json | 16 ++++++ Suricata/suricata/tests/rdp.json | 57 +++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 Suricata/suricata/tests/rdp.json diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json index fc89638e0..b330a23c1 100644 --- a/Suricata/suricata/_meta/smart-descriptions.json +++ b/Suricata/suricata/_meta/smart-descriptions.json @@ -198,6 +198,22 @@ } ] }, + { + "value": "RDP traffic from {source.ip} to {destination.ip}", + "conditions": [ + { + "field": "action.type", + "value": "rdp" + } + ], + "relationships": [ + { + "source": "source.ip", + "target": "destination.ip", + "type": "requested" + } + ] + }, { "value": "Traffic flow from {source.ip} with {user_agent.original} to {destination.ip} with {http.request.method} request to {url.original}", "conditions": [ diff --git a/Suricata/suricata/tests/rdp.json b/Suricata/suricata/tests/rdp.json new file mode 100644 index 000000000..131dd7025 --- /dev/null +++ b/Suricata/suricata/tests/rdp.json @@ -0,0 +1,57 @@ +{ + "input": { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "sekoiaio": { + "intake": { + "dialect": "Suricata", + "dialect_uuid": "331fa58d-8cf9-454a-a87f-48a3dc07d4d3" + } + } + }, + "expected": { + "message": "{\"timestamp\":\"2024-11-29T15:08:06.239558+0000\",\"flow_id\":1822723333770346,\"in_iface\":\"eth0\",\"event_type\":\"rdp\",\"src_ip\":\"14.225.46.243\",\"src_port\":58953,\"dest_ip\":\"10.0.1.4\",\"dest_port\":3389,\"proto\":\"TCP\",\"community_id\":\"1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=\",\"rdp\":{\"tx_id\":2,\"event_type\":\"tls_handshake\",\"x509_serials\":[\"773dbe1ea6dc998444b4f9da1f188ba8\"]}}", + "event": { + "category": [ + "network" + ], + "type": [ + "connection" + ] + }, + "@timestamp": "2024-11-29T15:08:06.239558Z", + "action": { + "type": "rdp" + }, + "destination": { + "address": "10.0.1.4", + "ip": "10.0.1.4", + "port": 3389 + }, + "host": { + "ip": "14.225.46.243" + }, + "network": { + "community_id": "1:kyALzWxuJ/ruPpAqvO4KTLSsEaQ=", + "protocol": "TCP", + "transport": "TCP" + }, + "observer": { + "ingress": { + "interface": { + "name": "eth0" + } + } + }, + "related": { + "ip": [ + "10.0.1.4", + "14.225.46.243" + ] + }, + "source": { + "address": "14.225.46.243", + "ip": "14.225.46.243", + "port": 58953 + } + } +} \ No newline at end of file From 0aedcac5ee314aef6e255a9f7a4fe381c583f1f0 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 3 Dec 2024 17:57:02 +0100 Subject: [PATCH 02/12] chore(Microsoft): rename the Microsoft Defender XDR format --- Microsoft/microsoft-365-defender/_meta/manifest.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Microsoft/microsoft-365-defender/_meta/manifest.yml b/Microsoft/microsoft-365-defender/_meta/manifest.yml index 1c858333a..d2e9192ce 100644 --- a/Microsoft/microsoft-365-defender/_meta/manifest.yml +++ b/Microsoft/microsoft-365-defender/_meta/manifest.yml @@ -1,11 +1,11 @@ uuid: 05e6f36d-cee0-4f06-b575-9e43af779f9f -name: Microsoft 365 Defender +name: Microsoft Defender XDR / Microsoft 365 Defender slug: microsoft-365-defender automation_connector_uuid: 57f8f587-18ee-434b-a4ed-b5459f5b0fef automation_module_uuid: 525eecc0-9eee-484d-92bd-039117cf4dac description: >- - Microsoft 365 Defender is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. + Microsoft Defender XDR is a entreprise defense suite that coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. From c03be93f20e239d55f6dc312cc7579e47d1c92a4 Mon Sep 17 00:00:00 2001 From: rombernier Date: Wed, 4 Dec 2024 16:49:13 +0100 Subject: [PATCH 03/12] update HA procy --- HAProxy/haproxy/CHANGELOG.md | 4 +++ HAProxy/haproxy/ingest/parser.yml | 2 +- HAProxy/haproxy/tests/access4.json | 45 ++++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 HAProxy/haproxy/tests/access4.json diff --git a/HAProxy/haproxy/CHANGELOG.md b/HAProxy/haproxy/CHANGELOG.md index 60e2c8a26..9896476a3 100644 --- a/HAProxy/haproxy/CHANGELOG.md +++ b/HAProxy/haproxy/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## 2024-12.04 - 1.0.1 + +- Add support for aktci at the end of the log + ## 2024-03.04 - 1.0.0 ### Added diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index 98783cd3d..e1f5a3c88 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml @@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?' - name: json filter: "{{grok.message.json_msg | length > 0}}" diff --git a/HAProxy/haproxy/tests/access4.json b/HAProxy/haproxy/tests/access4.json new file mode 100644 index 000000000..89630f6bc --- /dev/null +++ b/HAProxy/haproxy/tests/access4.json @@ -0,0 +1,45 @@ +{ + "input": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "sekoiaio": { + "intake": { + "dialect": "HAProxy", + "dialect_uuid": "ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9" + } + } + }, + "expected": { + "message": "90.83.225.109:54761 [10/Apr/2024:15:41:58.284] frontend_https~ backend_lb/LB100 1796/0/0/28/1824 200 1060 - - --VN 296/296/33/6/0 0/0 {saas.ms.example.com} \"GET /path/get/resource HTTP/1.1\" TLSv1.2 aktci:\"46.193.65.202\"\n", + "event": { + "kind": "access" + }, + "http": { + "request": { + "method": "GET" + }, + "response": { + "bytes": 1060, + "status_code": 200 + }, + "version": "1.1" + }, + "related": { + "ip": [ + "90.83.225.109" + ] + }, + "source": { + "address": "90.83.225.109", + "ip": "90.83.225.109", + "port": 54761 + }, + "tls": { + "version": "1.2", + "version_protocol": "TLS" + }, + "url": { + "original": "/path/get/resource", + "path": "/path/get/resource" + } + } +} \ No newline at end of file From d6c0b58dcc4ebd765b594f8bc1121b35800a695b Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 6 Dec 2024 10:44:29 +0100 Subject: [PATCH 04/12] Fix quotes problem in reason message --- .../paloalto-ngfw/ingest/parser.yml | 2 +- .../tests/test_system_event_13.json | 74 +++++++++++++++++++ 2 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json diff --git a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml index 944713355..c6cf58abe 100644 --- a/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml +++ b/Palo Alto Networks/paloalto-ngfw/ingest/parser.yml @@ -626,7 +626,7 @@ pipeline: AUTHENTICATION_WEB: "User %{USERNAME:user} logged in via %{DATA} from %{IP:src} using %{DATA:proto}" REASON1: 'User-ID server monitor %{HOSTNAME:hostname}\(%{WORD:vsys}\) %{GREEDYDATA:message}' REASON2: "ldap cfg %{WORD:config_name} connected to server %{IP:destination_ip}:%{INT:port}, initiated by: %{IP:source_ip}" - REASON3: "When authenticating user %{WORD:user} from %{IP:source_ip}, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile %{WORD:auth_profile}, vsys %{WORD:vsys}, Server Profile %{WORD:server_profile}, Server Address %{IP:destination_ip}" + REASON3: "When authenticating user '?%{WORD:user}'? from '?%{IP:source_ip}'?, a less secure authentication method %{WORD:auth_method} is used. Please migrate to %{WORD:recommended_methods1} or %{DATA:recommended_methods2}. Authentication Profile '?%{WORD:auth_profile}'?, vsys '?%{WORD:vsys}'?, Server Profile '?%{WORD:server_profile}'?, Server Address '?%{IP:destination_ip}'?" REASON4: "failed authentication for user %{WORD:user}. Reason: %{GREEDYDATA:reason} auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{WORD:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, From: %{IP:source_ip}" REASON5: 'authenticated for user %{WORD:user}\. auth profile %{WORD:auth_profile}, vsys %{WORD:vsys}, server profile %{DATA:server_profile}, server address %{IP:destination_ip}, auth protocol %{WORD:auth_protocol}, admin role %{WORD:admin_role}, From: %{IP:source_ip}\.' filter: '{{parsed_event.message.get("EventDescription") != None}}' diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json new file mode 100644 index 000000000..780d2a093 --- /dev/null +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json @@ -0,0 +1,74 @@ +{ + "input": { + "sekoiaio": { + "intake": { + "dialect": "Palo Alto NGFW", + "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" + } + }, + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00" + }, + "expected": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", + "event": { + "category": [ + "authentication" + ], + "dataset": "system", + "reason": "When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'", + "type": [ + "start" + ] + }, + "@timestamp": "2024-11-26T21:10:01.627000Z", + "action": { + "name": "auth-success", + "type": "auth" + }, + "destination": { + "address": "1.7.4.2", + "ip": "1.7.4.2" + }, + "log": { + "hostname": "FWPAN00", + "level": "informational", + "logger": "system" + }, + "observer": { + "name": "FWPAN00", + "product": "PAN-OS", + "serial_number": "02410100000000" + }, + "paloalto": { + "DGHierarchyLevel1": "0", + "DGHierarchyLevel2": "0", + "DGHierarchyLevel3": "0", + "DGHierarchyLevel4": "0", + "EventID": "auth-success", + "Threat_ContentType": "auth", + "authetification": { + "profile": "FWPA" + }, + "server": { + "profile": "RADIUS_RSA" + }, + "vsys": "shared" + }, + "related": { + "ip": [ + "1.2.5.5", + "1.7.4.2" + ], + "user": [ + "test000555" + ] + }, + "source": { + "address": "1.2.5.5", + "ip": "1.2.5.5" + }, + "user": { + "name": "test000555" + } + } +} \ No newline at end of file From 4c7891951ac1ac6dcfc605331cda92476af2c577 Mon Sep 17 00:00:00 2001 From: TOUFIKI Zakarya Date: Fri, 6 Dec 2024 10:48:35 +0100 Subject: [PATCH 05/12] Apply linter --- .../paloalto-ngfw/tests/test_system_event_13.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json index 780d2a093..b4429340a 100644 --- a/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json +++ b/Palo Alto Networks/paloalto-ngfw/tests/test_system_event_13.json @@ -1,12 +1,12 @@ { "input": { + "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", "sekoiaio": { "intake": { "dialect": "Palo Alto NGFW", "dialect_uuid": "903ec1b8-f206-4ba5-8563-db21da09cafd" } - }, - "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00" + } }, "expected": { "message": "1,2024/11/26 22:10:01,02410100000000,SYSTEM,auth,2555,2024/11/26 22:10:01,,auth-success,FWPA,0,0,general,informational,\"When authenticating user 'test000555' from '1.2.5.5', a less secure authentication method PAP is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile 'FWPA', vsys 'shared', Server Profile 'RADIUS_RSA', Server Address '1.7.4.2'\",738970652229900000000,0x0,0,0,0,0,,FWPAN00,0,0,2024-11-26T22:10:01.627+01:00", From e7c29187f511ca9f20cce388986d707577befc53 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 11:17:39 +0100 Subject: [PATCH 06/12] fix(HAproxy): change the way to handle additional information --- HAProxy/haproxy/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HAProxy/haproxy/ingest/parser.yml b/HAProxy/haproxy/ingest/parser.yml index e1f5a3c88..557604c8a 100644 --- a/HAProxy/haproxy/ingest/parser.yml +++ b/HAProxy/haproxy/ingest/parser.yml @@ -14,7 +14,7 @@ pipeline: ([0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})([0-9]) HAPROXYURL: "(%{URIPROTO:url_scheme}://)?(?:%{USER:url_username}(?::[^@]*)?@)?(?:%{URIHOST:url_domain})?(?:%{URIPATHPARAM:url_path})" TLS_PROTOCOL: "TLS" - HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?( aktci:\"%{IP:aktci}\")?' + HAPROXYHTTPBASE: '%{IP:source_ip}:%{INT:source_port} \[%{HAPROXYDATE}\] %{NOTSPACE} %{NOTSPACE}/%{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT:http_response_status_code} %{NOTSPACE:http_response_bytes} %{DATA:http_request_cookie} %{DATA:http_response_cookie} %{NOTSPACE} %{INT}/%{INT}/%{INT}/%{INT}/%{NOTSPACE} %{INT}/%{INT} (\{%{DATA:captured_request_headers}\})?( )?(\{%{DATA:captured_response_headers}\})?( )?"(|(%{WORD:http_request_method} (?:%{HAPROXYURL:url_original})?( HTTP/%{NUMBER:http_version})?))?"( %{TLS_PROTOCOL:tls_protocol}v%{NUMBER:tls_version})?%{GREEDYDATA}' - name: json filter: "{{grok.message.json_msg | length > 0}}" From b597fe1c7d554917f5fe9b702553d9a03c05a535 Mon Sep 17 00:00:00 2001 From: Sebastien Quioc Date: Tue, 10 Dec 2024 12:31:20 +0100 Subject: [PATCH 07/12] fix(Suricata): fix smart-description --- Suricata/suricata/_meta/smart-descriptions.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Suricata/suricata/_meta/smart-descriptions.json b/Suricata/suricata/_meta/smart-descriptions.json index b330a23c1..432cf533d 100644 --- a/Suricata/suricata/_meta/smart-descriptions.json +++ b/Suricata/suricata/_meta/smart-descriptions.json @@ -151,8 +151,7 @@ "value": "query" }, { - "field": "action.type", - "value": "dns" + "field": "dns.question.name" } ], "relationships": [ From e6a207c4cb874eac232f7f121382031860ed1ed1 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 14:16:24 +0100 Subject: [PATCH 08/12] Fis on agent.id field for harfanglab --- HarfangLab/harfanglab/ingest/parser.yml | 4 ++++ HarfangLab/harfanglab/tests/threat_critical.json | 1 + HarfangLab/harfanglab/tests/threat_log.json | 1 + 3 files changed, 6 insertions(+) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 5050c7429..96338037d 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -142,6 +142,10 @@ stages: organization.id: "{{json_event.message.tenant}}" url.original: "{{json_event.message.details_url_request.url}}" + - set: + agent.id: "{{json_event.message.agents[0].agent_id}}" + filter: "{{json_event.message.agents | length > 0}}" + network_info: actions: - set: diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index 94e83a1fd..e9b50e3db 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -10,6 +10,7 @@ "start": "2024-03-19T09:21:00Z" }, "agent": { + "id": "af5e2f63-becd-4660-ade8-30d04c0dd044", "name": "harfanglab" }, "harfanglab": { diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index dcab41c28..233ffd066 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -10,6 +10,7 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { + "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": { From e927ad7740757db69157c57ffde80af5277eb184 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 15:07:44 +0100 Subject: [PATCH 09/12] Pradeoo: fix on Pradeo MTD parser for application compliance --- Pradeo/pradeo-mtd/ingest/parser.yml | 20 +++---- .../tests/application_compliance_updated.json | 55 +++++++++++++++++++ 2 files changed, 65 insertions(+), 10 deletions(-) create mode 100644 Pradeo/pradeo-mtd/tests/application_compliance_updated.json diff --git a/Pradeo/pradeo-mtd/ingest/parser.yml b/Pradeo/pradeo-mtd/ingest/parser.yml index 239ce01d4..c10d3c444 100644 --- a/Pradeo/pradeo-mtd/ingest/parser.yml +++ b/Pradeo/pradeo-mtd/ingest/parser.yml @@ -176,16 +176,16 @@ stages: pradeo.device.mdmId: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.externalId}}" pradeo.device.emm: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.device.emmDeviceInfo.emm}}" pradeo.compliance.matchedResponseRules: "{{json_event.message.content.deviceApplication.compliance.matchedResponseRules}}" - pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.application.id}}" - pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.application.package.package}}" - pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.application.package.system}}" - pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.application.version}}" - pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.application.versionCode}}" - pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.application.name}}" - pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.application.md5}}" - pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.application.sha1}}" - pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.application.sha256}}" - pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.status}}" + pradeo.application.id: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.id}}" + pradeo.application.package: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.package}}" + pradeo.application.system: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.package.system}}" + pradeo.application.version: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.version}}" + pradeo.application.versionCode: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.versionCode}}" + pradeo.application.name: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.name}}" + pradeo.application.md5: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.md5}}" + pradeo.application.sha1: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha1}}" + pradeo.application.sha256: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.application.sha256}}" + pradeo.detection.status: "{{json_event.message.content.deviceApplicationCompliance.deviceApplication.status}}" - filter: '{{json_event.message.type == "DeviceComplianceUpdated"}}' set: event.category: ["process"] diff --git a/Pradeo/pradeo-mtd/tests/application_compliance_updated.json b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json new file mode 100644 index 000000000..916f71473 --- /dev/null +++ b/Pradeo/pradeo-mtd/tests/application_compliance_updated.json @@ -0,0 +1,55 @@ +{ + "input": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "sekoiaio": { + "intake": { + "dialect": "Pradeo MTD", + "dialect_uuid": "3cedbe29-02f8-42bf-9ec2-0158186c2827" + } + } + }, + "expected": { + "message": "{\n \"id\": \"1234567890\",\n \"creationDate\": \"2024-11-27T04:10:33.460Z\",\n \"source\": \"system\",\n \"category\": null,\n \"type\": \"DeviceApplicationComplianceUpdated\",\n \"content\": {\n \"deviceApplicationCompliance\": {\n \"id\": \"abcdef123456\",\n \"status\": \"Disapproved\",\n \"computed\": true,\n \"creationDate\": \"2024-11-27T04:04:26.482Z\",\n \"lastModificationDate\": \"2024-11-27T04:10:33.000Z\",\n \"deviceApplication\": {\n \"id\": \"123456789ABCDEF\",\n \"application\": {\n \"id\": \"azertyuiop\",\n \"package\": {\n \"id\": \"1234abcd\",\n \"package\": \"com.app.test\",\n \"system\": \"Android\"\n },\n \"version\": \"491.0.0.58.78\",\n \"md5\": \"0fccfdefc882c4be6d2a938001184e08\",\n \"sha1\": \"749c94cd972726ef2b3ccda7e718a2034cc9f6ac\",\n \"sha256\": \"278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8\",\n \"name\": \"App\",\n \"versionCode\": \"457215664\",\n \"size\": \"64262264\"\n },\n \"device\": {\n \"id\": \"device_id01\",\n \"serialNumber\": \"unknown\",\n \"imei\": null,\n \"name\": \"John\",\n \"email\": null,\n \"singleEnrollmentKey\": \"xxxxxXXXXxxXxxx\",\n \"byod\": false,\n \"lockPassword\": null,\n \"knoxVersion\": null,\n \"declaredOperatingSystem\": \"Android\",\n \"declaredOperatingSystemVersion\": \"10.0.0\",\n \"declaredOperatingSystemSecurityPatchDate\": \"2020-09-01T00:00:00.000Z\",\n \"declaredModel\": \"MODEL 01\",\n \"enrollmentStatus\": {\n \"id\": \"enrollid_12\",\n \"lastConnection\": \"2024-11-27T04:07:32.000Z\",\n \"coupled\": true\n },\n \"emmDeviceInfo\": null\n },\n \"installedAt\": \"2024-08-07T13:40:35.000Z\",\n \"uninstalledAt\": null,\n \"native\": false\n },\n \"matchedResponseRules\": [\n {\n \"id\": \"matched_response_id\",\n \"matchConditions\": [\n {\n \"type\": \"threatLevelIs\",\n \"value\": \"Red\"\n }\n ],\n \"notifyAdministrator\": false,\n \"onDeviceNotification\": false,\n \"action\": \"Disapproved\",\n \"responseRuleset\": {\n \"id\": \"yMXqFSTMT8uDn1ijwCmEGA\",\n \"name\": \"FallBack\",\n \"active\": true,\n \"type\": \"FallBack\",\n \"priority\": 0\n },\n \"priority\": 0\n }\n ]\n }\n },\n \"user\": null,\n \"device\": null,\n \"company\": {\n \"id\": \"ROhGBpGHSi2gpVagfb4FhQ\",\n \"name\": \"LAB\",\n \"creationDate\": \"2024-04-15T15:31:33.395Z\",\n \"lastModificationDate\": \"2024-08-07T13:23:42.000Z\",\n \"deletedAt\": null\n }\n}", + "event": { + "action": "DeviceApplicationComplianceUpdated", + "category": [ + "process" + ], + "type": [ + "change" + ] + }, + "@timestamp": "2024-11-27T04:10:33.460000Z", + "pradeo": { + "application": { + "id": "azertyuiop", + "md5": "0fccfdefc882c4be6d2a938001184e08", + "name": "App", + "package": "com.app.test", + "sha1": "749c94cd972726ef2b3ccda7e718a2034cc9f6ac", + "sha256": "278fde8924687bf22285d2b4415779d96ba967530cae43272029ec53ecc2eee8", + "system": "Android", + "version": "491.0.0.58.78", + "versionCode": "457215664" + }, + "device": { + "byod": false, + "coupled": true, + "declaredModel": "MODEL 01", + "declaredOperatingSystem": "Android", + "declaredOperatingSystemSecurityPatchDate": "2020-09-01T00:00:00Z", + "declaredOperatingSystemVersion": "10.0.0", + "id": "device_id01", + "lastConnection": "2024-11-27T04:07:32Z", + "name": "John", + "serialNumber": "unknown" + }, + "metadata": { + "creationDate": "2024-11-27T04:10:33.460000Z", + "id": "1234567890", + "source": "system", + "type": "DeviceApplicationComplianceUpdated" + } + } + } +} \ No newline at end of file From 6335db5a7e01d89222de436ad488b49a3bc3ae93 Mon Sep 17 00:00:00 2001 From: vg-svitla Date: Tue, 10 Dec 2024 16:26:06 +0200 Subject: [PATCH 10/12] Fix: SentinelOne smart descriptions --- .../_meta/smart-descriptions.json | 52 ++++++++++ .../tests/process_processcreation_2.json | 96 +++++++++++++++++++ 2 files changed, 148 insertions(+) create mode 100644 SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json diff --git a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json index 9a4b1bf43..9acf6e91d 100644 --- a/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json +++ b/SentinelOne/cloud_funnel2.0/_meta/smart-descriptions.json @@ -682,6 +682,58 @@ } ] }, + { + "value": "Process {process.command_line} was created by {process.user.name}", + "conditions": [ + { + "field": "event.action", + "value": "Process Creation" + }, + { + "field": "process.user.name" + }, + { + "field": "process.command_line" + } + ], + "relationships": [ + { + "source": "process.user.name", + "target": "process.parent.command_line", + "type": "created" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.title", + "type": "has process title" + }, + { + "source": "process.parent.command_line", + "target": "process.parent.name", + "type": "has name" + }, + { + "source": "process.command_line", + "target": "process.title", + "type": "has title" + }, + { + "source": "process.command_line", + "target": "process.name", + "type": "has name" + }, + { + "source": "process.parent.command_line", + "target": "process.command_line", + "type": "created" + }, + { + "source": "process.user.name", + "target": "host.name", + "type": "logged on" + } + ] + }, { "value": "Process {process.command_line} was created by {user.name}", "conditions": [ diff --git a/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json new file mode 100644 index 000000000..62320459c --- /dev/null +++ b/SentinelOne/cloud_funnel2.0/tests/process_processcreation_2.json @@ -0,0 +1,96 @@ +{ + "input": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}" + }, + "expected": { + "message": "{\"tgt.process.displayName\":\"curl\",\"event.category\":\"process\",\"site.id\":\"1967302198659758782\",\"tgt.process.pid\":30273,\"endpoint.os\":\"osx\",\"tgt.process.name\":\"curl\",\"tgt.process.storyline.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.signedStatus\":\"signed\",\"tgt.process.isNative64Bit\":false,\"mgmt.id\":\"16205\",\"os.name\":\"OS X\",\"tgt.process.cmdline\":\"curl -H User-Agent: test.nvim v1.10.0 (+https:\\/\\/test.test\\/tttttttt\\/test.nvim) -fsSL -X GET -o \\/Users\\/test.user\\/.local\\/share\\/nvim\\/test\\/registries\\/github\\/test-org\\/test-registry\\/registry.json.zip --connect-timeout 30 https:\\/\\/test.test\\/test-org\\/test-registry\\/releases\\/download\\/2024-12-05-doting-coil\\/registry.json.zip\",\"i.version\":\"preprocess-lib-1.0\",\"process.unique.key\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.uid\":\"54EDFDFD-139E-4040-A961-59D6F9C33F63\",\"tgt.process.isStorylineRoot\":false,\"mgmt.url\":\"mgm-testing-test.sentinelone.net\",\"agent.version\":\"23.3.1.7037\",\"tgt.process.subsystem\":\"SUBSYSTEM_UNKNOWN\",\"tgt.process.image.sha256\":\"8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42\",\"mgmt.osRevision\":\"14.7.1 (23H222)\",\"meta.event.name\":\"PROCESSCREATION\",\"group.id\":\"EE9FB66D-9B03-4286-971C-7A20615D157B\",\"tgt.process.publisher\":\"\",\"tgt.process.startTime\":1733386731479,\"tgt.process.verifiedStatus\":\"verified\",\"endpoint.type\":\"laptop\",\"tgt.process.image.path\":\"\\/usr\\/bin\\/curl\",\"i.scheme\":\"edr\",\"trace.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX\",\"tgt.process.integrityLevel\":\"INTEGRITY_LEVEL_UNKNOWN\",\"site.name\":\"LEDGER\",\"agent.uuid\":\"xxxx-XXXXXX-XXXXx-xxxxx\",\"tgt.process.image.md5\":\"fe61928bbd84ed16fc4f934307bf2f16\",\"event.time\":1733386731479,\"tgt.process.user\":\"test.user\",\"timestamp\":\"2024-12-05T08:18:51.479Z\",\"account.id\":\"1967302197074311859\",\"dataSource.name\":\"SentinelOne\",\"endpoint.name\":\"LMFR0205\",\"packet.id\":\"949E7E9F-F1E6-4507-830F-E272AAED8F15\",\"tgt.process.sessionId\":0,\"dataSource.vendor\":\"SentinelOne\",\"dataSource.category\":\"security\",\"tgt.process.isRedirectCmdProcessor\":false,\"tgt.process.image.sha1\":\"e817c506298dc8a2dba727562b6efc60dcf4db1a\",\"account.name\":\"24 - LEDGER\",\"event.type\":\"Process Creation\",\"event.id\":\"XXXXXXX-XXXXXXXX-XXXXXXX_77\"}", + "event": { + "action": "Process Creation", + "category": [ + "process" + ], + "dataset": "cloud-funnel-2.0", + "type": [ + "info" + ] + }, + "@timestamp": "2024-12-05T08:18:51.479000Z", + "agent": { + "version": "23.3.1.7037" + }, + "deepvisibility": { + "agent": { + "managment_url": "mgm-testing-test.sentinelone.net", + "trace_id": "XXXXXXX-XXXXXXXX-XXXXXXX", + "uuid": "xxxx-XXXXXX-XXXXx-xxxxx" + }, + "event": { + "category": "process", + "type": "Process Creation" + }, + "host": { + "os": { + "revision": "14.7.1 (23H222)" + } + }, + "process": { + "target": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "storyline_id": "EE9FB66D-9B03-4286-971C-7A20615D157B", + "title": "curl", + "working_directory": "/usr/bin" + } + } + }, + "host": { + "name": "LMFR0205", + "os": { + "family": "osx", + "name": "OS X" + }, + "type": "laptop" + }, + "observer": { + "vendor": "SentinelOne" + }, + "process": { + "command_line": "curl -H User-Agent: test.nvim v1.10.0 (+https://test.test/tttttttt/test.nvim) -fsSL -X GET -o /Users/test.user/.local/share/nvim/test/registries/github/test-org/test-registry/registry.json.zip --connect-timeout 30 https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "executable": "/usr/bin/curl", + "hash": { + "md5": "fe61928bbd84ed16fc4f934307bf2f16", + "sha1": "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "sha256": "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42" + }, + "name": "curl", + "pid": 30273, + "start": "2024-12-05T08:18:51.479000Z", + "title": "curl", + "user": { + "name": "test.user" + }, + "working_directory": "/usr/bin" + }, + "related": { + "hash": [ + "8577dde932584e03da0f0230dbca16a11fa4f57b3f8b91033f99e83b5a85fd42", + "e817c506298dc8a2dba727562b6efc60dcf4db1a", + "fe61928bbd84ed16fc4f934307bf2f16" + ] + }, + "url": { + "domain": "test.test", + "original": "https://test.test/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "path": "/test-org/test-registry/releases/download/2024-12-05-doting-coil/registry.json.zip", + "port": 443, + "scheme": "https", + "subdomain": "test" + } + } +} \ No newline at end of file From 061e9656533eac6955dba9be73a10123daef8bdc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A9na=C3=AFg?= <126670263+LenaigKaliou@users.noreply.github.com> Date: Tue, 10 Dec 2024 16:50:08 +0100 Subject: [PATCH 11/12] Update HarfangLab/harfanglab/ingest/parser.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sébastien Quioc --- HarfangLab/harfanglab/ingest/parser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index 96338037d..c09e780c2 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - agent.id: "{{json_event.message.agents[0].agent_id}}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" filter: "{{json_event.message.agents | length > 0}}" network_info: From cd0a5dc4c25145de4300b3c9fcfda65fd65dcbd3 Mon Sep 17 00:00:00 2001 From: LenaigKaliou Date: Tue, 10 Dec 2024 16:57:25 +0100 Subject: [PATCH 12/12] fixes on fields and typo --- HarfangLab/harfanglab/_meta/fields.yml | 5 +++++ HarfangLab/harfanglab/ingest/parser.yml | 2 +- HarfangLab/harfanglab/tests/threat_critical.json | 4 +++- HarfangLab/harfanglab/tests/threat_log.json | 5 ++++- 4 files changed, 13 insertions(+), 3 deletions(-) diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml index 611f3c079..902363c55 100644 --- a/HarfangLab/harfanglab/_meta/fields.yml +++ b/HarfangLab/harfanglab/_meta/fields.yml @@ -953,6 +953,11 @@ action.properties.param9: name: action.properties.param9 type: keyword +harfanglab.agent_ids: + description: '' + name: harfanglab.agent_ids + type: keyword + harfanglab.aggregation_key: description: The key to the events aggregation name: harfanglab.aggregation_key diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml index c09e780c2..34535641b 100644 --- a/HarfangLab/harfanglab/ingest/parser.yml +++ b/HarfangLab/harfanglab/ingest/parser.yml @@ -143,7 +143,7 @@ stages: url.original: "{{json_event.message.details_url_request.url}}" - set: - harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}" + harfanglab.agent_ids: "{{json_event.message.agents | map(attribute='agent_id') | list}}" filter: "{{json_event.message.agents | length > 0}}" network_info: diff --git a/HarfangLab/harfanglab/tests/threat_critical.json b/HarfangLab/harfanglab/tests/threat_critical.json index e9b50e3db..ce1d2faa4 100644 --- a/HarfangLab/harfanglab/tests/threat_critical.json +++ b/HarfangLab/harfanglab/tests/threat_critical.json @@ -10,10 +10,12 @@ "start": "2024-03-19T09:21:00Z" }, "agent": { - "id": "af5e2f63-becd-4660-ade8-30d04c0dd044", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "af5e2f63-becd-4660-ade8-30d04c0dd044" + ], "count": { "rules": 1, "users_impacted": 0 diff --git a/HarfangLab/harfanglab/tests/threat_log.json b/HarfangLab/harfanglab/tests/threat_log.json index 233ffd066..bed91707b 100644 --- a/HarfangLab/harfanglab/tests/threat_log.json +++ b/HarfangLab/harfanglab/tests/threat_log.json @@ -10,10 +10,13 @@ "start": "2024-02-07T15:18:00Z" }, "agent": { - "id": "215fe295-905f-4a8d-8347-e9d438d4e415", "name": "harfanglab" }, "harfanglab": { + "agent_ids": [ + "215fe295-905f-4a8d-8347-e9d438d4e415", + "999ba0c7-96b8-4c57-bf0e-63b24813c873" + ], "count": { "rules": 4, "users_impacted": 3