diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml
index 52fd0cc6a..cad225376 100644
--- a/Bitdefender/gravityzone/_meta/fields.yml
+++ b/Bitdefender/gravityzone/_meta/fields.yml
@@ -1,3 +1,23 @@
+bitdefender.gravityzone.application_control.block_type:
+ description: Type of block detected by Bitdefender GravityZone Application Control.
+ name: bitdefender.gravityzone.application_control.block_type
+ type: keyword
+
+bitdefender.gravityzone.application_control.detection_count:
+ description: Number of detections by Bitdefender GravityZone Application Control.
+ name: bitdefender.gravityzone.application_control.detection_count
+ type: long
+
+bitdefender.gravityzone.application_control.type:
+ description: Type of application control detected by Bitdefender GravityZone.
+ name: bitdefender.gravityzone.application_control.type
+ type: keyword
+
+bitdefender.gravityzone.data.categories:
+ description: Data categories detected by Bitdefender GravityZone.
+ name: bitdefender.gravityzone.data.categories
+ type: keyword
+
 bitdefender.gravityzone.exploit.type:
 description: Exploit type detected by Bitdefender GravityZone.
 name: bitdefender.gravityzone.exploit.type
diff --git a/Bitdefender/gravityzone/_meta/manifest.yml b/Bitdefender/gravityzone/_meta/manifest.yml
index 51df52c6b..2cc4311b5 100644
--- a/Bitdefender/gravityzone/_meta/manifest.yml
+++ b/Bitdefender/gravityzone/_meta/manifest.yml
@@ -9,3 +9,4 @@ data_sources:
 Authentication logs:
 Network device logs:
 File monitoring:
+automation_module_uuid: 26277889-b91b-46d0-8bac-7f6b2f6fb9a3
diff --git a/Bitdefender/gravityzone/ingest/parser.yml b/Bitdefender/gravityzone/ingest/parser.yml
index b6af1ad11..e2593c886 100644
--- a/Bitdefender/gravityzone/ingest/parser.yml
+++ b/Bitdefender/gravityzone/ingest/parser.yml
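Review bot: `bitdefender.gravityzone.application_control.detection_count` is declared `long` while the parser (parser.yml hunk `@@ -94,8 +94,24 @@`) assigns it from the CEF `cnt` attribute as a plain template string; the new fixture expects the integer `1`, so the coercion presumably happens in the pipeline framework from this type declaration — worth confirming that a non-numeric `cnt` is dropped rather than failing the whole event. `bitdefender.gravityzone.data.categories` is named in the plural but typed as a single `keyword`; if GravityZone can emit several categories in one `BitdefenderGZDataCategories` value, the field will hold a comma-separated string, so check the product's CEF field reference and split into an array if that is the case. The description `Data categories detected by Bitdefender GravityZone.` could also say which module sets it (the fixture shows it on Web Control events), e.g. `description: Web/content categories reported by GravityZone Web Control for the blocked request.`, once confirmed.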
@@ -8,7 +8,7 @@ pipeline:
 external:
 name: date.parse
 properties:
- input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}"
+ input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}"
 output_field: datetime
 
 - name: set_event_fields
@@ -67,6 +67,7 @@ stages:
 "device-control": ["host"]
 "ransomware-mitigation": ["intrusion_detection"]
 "new-incident": ["process"]
+ "uc": ["web"]
 mapping:
 parse_event.message.BitdefenderGZModule: event.category
 filter: "{{parse_event.message.BitdefenderGZModule != None}}"
@@ -74,7 +75,6 @@ stages:
 set_ecs_fields:
 actions:
 - set:
- "@timestamp": "{{parsed_date.datetime}}"
 host.ip: "{{parse_event.message.dvc}}"
 host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}"
 destination.user.name: "{{parse_event.message.duser}}"
@@ -94,8 +94,24 @@ stages:
 observer.vendor: "{{parse_event.message.DeviceVendor}}"
 observer.product: "{{parse_event.message.DeviceProduct}}"
 observer.version: "{{parse_event.message.DeviceVersion}}"
+ bitdefender.gravityzone.application_control.block_type: "{{parse_event.message.BitdefenderGZApplicationControlBlockType}}"
+ bitdefender.gravityzone.application_control.type: "{{parse_event.message.BitdefenderGZApplicationControlType}}"
+ bitdefender.gravityzone.application_control.detection_count: "{{parse_event.message.cnt}}"
+ bitdefender.gravityzone.data.categories: "{{parse_event.message.BitdefenderGZDataCategories}}"
 bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}"
 
+ - set:
+ "@timestamp": "{{parsed_date.datetime}}"
+ filter: "{{parse_event.message.get('eventdate') != None or parse_event.message.get('BitdefenderGZDetectionTime') != None}}"
+
+ - set:
+ event.start: "{{parsed_date.datetime}}"
+ filter: "{{parse_event.message.get('start') != None}}"
+
+ - set:
+ event.end: "{{parsed_date.datetime}}"
+ filter: "{{parse_event.message.get('end') != None}}"
+
 - set:
 file.path: "{{parse_event.message.filePath}}"
 filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}"
diff --git a/Bitdefender/gravityzone/tests/login_1.json b/Bitdefender/gravityzone/tests/login_1.json
index ddf96c93f..c6b345332 100644
--- a/Bitdefender/gravityzone/tests/login_1.json
+++ b/Bitdefender/gravityzone/tests/login_1.json
@@ -9,6 +9,7 @@
 "authentication"
 ],
 "severity": 3,
+ "start": "2024-06-11T11:34:56Z",
 "type": [
 "start"
 ]
diff --git a/Bitdefender/gravityzone/tests/uc_event.json b/Bitdefender/gravityzone/tests/uc_event.json
new file mode 100644
index 000000000..68751f9b2
--- /dev/null
+++ b/Bitdefender/gravityzone/tests/uc_event.json
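Review bot: `event.start` and `event.end` (the second and third new `set` actions in `@@ -94,8 +94,24 @@`) are both copied from `parsed_date.datetime`, yet the `date.parse` stage in `@@ -8,7 +8,7 @@` parses only the first non-empty of eventdate, BitdefenderGZDetectionTime, end, start — so an event carrying both `start` and `end`, or an `eventdate` alongside a `start`, gets the same value (the end or event date) in both ECS fields, and `event.start` is only right when `start` is the sole date present, as in login_1.json and uc_event.json. Parsing each source attribute in its own stage and reading `event.start`/`event.end` from those outputs keeps every field tied to its own input; a sketch follows, assuming a stage-level `filter` is accepted the way the action-level one is, after which the `or parse_event.message.end or parse_event.message.start` tail added to `input_field` can be dropped again. Removing the unconditional `"@timestamp"` assignment (`@@ -74,7 +75,6 @@`) also means an event that has only `start`/`end` no longer gets `@timestamp` from the log — presumably intended so ingestion time is used, but a comment on the filtered `set` action should say so, e.g. `# @timestamp only from eventdate/detection time; start/end-only events keep ingestion time`.
```yaml
  # … unchanged: parsed_date stage (eventdate / BitdefenderGZDetectionTime) …
  - name: parsed_start
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.start}}"
        output_field: datetime
    filter: "{{parse_event.message.get('start') != None}}"
  - name: parsed_end
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.end}}"
        output_field: datetime
    filter: "{{parse_event.message.get('end') != None}}"
  # … unchanged: set_event_fields, set_ecs_fields actions up to the @timestamp set …
  - set:
      event.start: "{{parsed_start.datetime}}"
    filter: "{{parse_event.message.get('start') != None}}"
  - set:
      event.end: "{{parsed_end.datetime}}"
    filter: "{{parse_event.message.get('end') != None}}"
```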
@@ -0,0 +1,65 @@
+{
+ "input": {
+ "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 suser=john.doe@test.local suid=S-1-5-21-1111111111-222222222-3333333333-500",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Bitdefender GravityZone [BETA]",
+ "dialect_uuid": "d11df984-840d-4c29-a6dc-b9195c3a24e3"
+ }
+ }
+ },
+ "expected": {
+ "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 suser=john.doe@test.local suid=S-1-5-21-1111111111-222222222-3333333333-500",
+ "event": {
+ "action": "uc_site_blocked",
+ "category": [
+ "web"
+ ],
+ "end": "2024-12-16T12:34:33Z",
+ "module": "uc",
+ "severity": 9,
+ "type": [
+ "info"
+ ]
+ },
+ "bitdefender": {
+ "gravityzone": {
+ "application_control": {
+ "block_type": "http_categories",
+ "detection_count": 1,
+ "type": "http"
+ },
+ "data": {
+ "categories": "Ads"
+ }
+ }
+ },
+ "host": {
+ "ip": "1.2.3.4",
+ "name": "example.test.local"
+ },
+ "observer": {
+ "product": "GravityZone",
+ "vendor": "Bitdefender",
+ "version": "6.40.1-1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "john.doe@test.local"
+ ]
+ },
+ "source": {
+ "user": {
+ "id": "S-1-5-21-1111111111-222222222-3333333333-500",
+ "name": "john.doe@test.local"
+ }
+ },
+ "url": {
+ "original": "external-content.domain.com/ip3/www.test_request.com",
+ "path": "external-content.domain.com/ip3/www.test_request.com"
+ }
+ }
+}
\ No newline at end of file
diff --git a/GateWatcher/aioniq_ecs/_meta/manifest.yml b/GateWatcher/aioniq_ecs/_meta/manifest.yml
index a1e0c5867..1b4efda9d 100644
--- a/GateWatcher/aioniq_ecs/_meta/manifest.yml
+++ b/GateWatcher/aioniq_ecs/_meta/manifest.yml
@@ -8,4 +8,4 @@ description: >-
 data_sources:
 Network intrusion detection system: AIONIQ identify suspicious behaviors
 Network protocol analysis: AIONIQ analyze traffic protocol
-
+automation_module_uuid: 65d0b877-3e3c-4ce8-b184-1db084a1acd3
diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
index aefbc2559..8b0a6c22f 100644
--- a/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
@@ -1,4 +1,4 @@
-uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630
+uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630
 name: Palo Alto Prisma access
 slug: paloalto-prisma-access
 description: >-
@@ -10,3 +10,4 @@ data_sources:
 Authentication logs: Prisma Access monitor authentications to resources
 Web logs: Prisma Access monitor and logs HTTP requests
 Web application firewall logs: Prisma Access monitor and logs network traffic
+automation_module_uuid: 64a3b634-605d-4d69-a203-3a53c0474cae
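Review bot: The expected output of this new fixture pins `url.path` to the whole `request` value (`external-content.domain.com/ip3/www.test_request.com`), host and path together, and leaves `url.domain` unset; under ECS `url.path` should carry only `/ip3/www.test_request.com`, with the host in `url.domain`. It also expects `event.type: ["info"]` for `act=uc_site_blocked`, where `denied` is the ECS type for a blocked request; the mapping that produces both lives outside this diff, so this may be pre-existing parser behaviour, but the fixture now locks it in for the new `uc` module and is the place to catch it. The file is also committed without a trailing newline (`\ No newline at end of file`), which the other fixtures presumably have.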
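Review bot: The first hunk of `Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml` replaces the `uuid:` line with one that is textually identical in this diff, so the actual change is invisible — most likely a byte-order mark or trailing whitespace on line 1 of the old file. If it is a BOM being stripped the change is welcome (a BOM before `uuid:` can make a strict YAML loader reject the key), but it should be confirmed with `git diff --word-diff-regex=.` or a hex view before merge rather than taken on trust, and the commit message could say so.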