From 9a7087745ae0050df08de752ef32f34e8f9595dd Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 18 Dec 2024 18:07:48 +0100
Subject: [PATCH 1/4] fix(PaloAlto): add automation module uuid to the format

---
 Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
index aefbc2559..8b0a6c22f 100644
--- a/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
+++ b/Palo Alto Networks/paloalto-prisma-access/_meta/manifest.yml
@@ -1,4 +1,4 @@
-uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630
+uuid: ea265b9d-fb48-4e92-9c26-dcfbf937b630
 name: Palo Alto Prisma access
 slug: paloalto-prisma-access
 description: >-
@@ -10,3 +10,4 @@ data_sources:
 Authentication logs: Prisma Access monitor authentications to resources
 Web logs: Prisma Access monitor and logs HTTP requests
 Web application firewall logs: Prisma Access monitor and logs network traffic
+automation_module_uuid: 64a3b634-605d-4d69-a203-3a53c0474cae

From 148801df485002824cfe84ca93b4918bd526dbd6 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 18 Dec 2024 18:08:03 +0100
Subject: [PATCH 2/4] fix(Gatewatcher): add automation module uuid to the format

---
 GateWatcher/aioniq_ecs/_meta/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/GateWatcher/aioniq_ecs/_meta/manifest.yml b/GateWatcher/aioniq_ecs/_meta/manifest.yml
index a1e0c5867..1b4efda9d 100644
--- a/GateWatcher/aioniq_ecs/_meta/manifest.yml
+++ b/GateWatcher/aioniq_ecs/_meta/manifest.yml
@@ -8,4 +8,4 @@ description: >-
 data_sources:
 Network intrusion detection system: AIONIQ identify suspicious behaviors
 Network protocol analysis: AIONIQ analyze traffic protocol
-
+automation_module_uuid: 65d0b877-3e3c-4ce8-b184-1db084a1acd3

From a64d5556def6d2791b0dec89a64a3289b7a51330 Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Wed, 18 Dec 2024 18:10:15 +0100
Subject: [PATCH 3/4] fix(BitDefender): add automation module uuid to the format

---
 Bitdefender/gravityzone/_meta/manifest.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Bitdefender/gravityzone/_meta/manifest.yml b/Bitdefender/gravityzone/_meta/manifest.yml
index 51df52c6b..2cc4311b5 100644
--- a/Bitdefender/gravityzone/_meta/manifest.yml
+++ b/Bitdefender/gravityzone/_meta/manifest.yml
@@ -9,3 +9,4 @@ data_sources:
 Authentication logs:
 Network device logs:
 File monitoring:
+automation_module_uuid: 26277889-b91b-46d0-8bac-7f6b2f6fb9a3

From 339e5b25f2bcf08caf3ab79850516273979c0325 Mon Sep 17 00:00:00 2001
From: LenaigKaliou
Date: Fri, 20 Dec 2024 11:04:29 +0100
Subject: [PATCH 4/4] Bitdefender : enhanced parser for uc events

---
 Bitdefender/gravityzone/_meta/fields.yml | 20 +++++++
 Bitdefender/gravityzone/ingest/parser.yml | 20 ++++++-
 Bitdefender/gravityzone/tests/login_1.json | 1 +
 Bitdefender/gravityzone/tests/uc_event.json | 65 +++++++++++++++++++++
 4 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 Bitdefender/gravityzone/tests/uc_event.json

diff --git a/Bitdefender/gravityzone/_meta/fields.yml b/Bitdefender/gravityzone/_meta/fields.yml
index 52fd0cc6a..cad225376 100644
--- a/Bitdefender/gravityzone/_meta/fields.yml
+++ b/Bitdefender/gravityzone/_meta/fields.yml
@@ -1,3 +1,23 @@
+bitdefender.gravityzone.application_control.block_type:
+ description: Type of block detected by Bitdefender GravityZone Application Control.
+ name: bitdefender.gravityzone.application_control.block_type
+ type: keyword
+
+bitdefender.gravityzone.application_control.detection_count:
+ description: Number of detections by Bitdefender GravityZone Application Control.
+ name: bitdefender.gravityzone.application_control.detection_count
+ type: long
+
+bitdefender.gravityzone.application_control.type:
+ description: Type of application control detected by Bitdefender GravityZone.
+ name: bitdefender.gravityzone.application_control.type
+ type: keyword
+
+bitdefender.gravityzone.data.categories:
+ description: Data categories detected by Bitdefender GravityZone.
+ name: bitdefender.gravityzone.data.categories
+ type: keyword
+
 bitdefender.gravityzone.exploit.type:
 description: Exploit type detected by Bitdefender GravityZone.
 name: bitdefender.gravityzone.exploit.type
diff --git a/Bitdefender/gravityzone/ingest/parser.yml b/Bitdefender/gravityzone/ingest/parser.yml
index b6af1ad11..e2593c886 100644
--- a/Bitdefender/gravityzone/ingest/parser.yml
+++ b/Bitdefender/gravityzone/ingest/parser.yml
@@ -8,7 +8,7 @@ pipeline:
 external:
 name: date.parse
 properties:
- input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime}}"
+ input_field: "{{parse_event.message.eventdate or parse_event.message.BitdefenderGZDetectionTime or parse_event.message.end or parse_event.message.start}}"
 output_field: datetime
 - name: set_event_fields
@@ -67,6 +67,7 @@ stages:
 "device-control": ["host"]
 "ransomware-mitigation": ["intrusion_detection"]
 "new-incident": ["process"]
+ "uc": ["web"]
 mapping:
 parse_event.message.BitdefenderGZModule: event.category
 filter: "{{parse_event.message.BitdefenderGZModule != None}}"
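Review bot: In the `@@ -8,7 +8,7 @@` hunk of parser.yml the widened `input_field` chain still produces a single `parsed_date.datetime`, yet the three conditional `set` stages added in `@@ -94,8 +94,24 @@` copy that one value into `@timestamp`, `event.start` and `event.end` based only on which raw field is present, so an event carrying both `start` and `end` gets `event.start` set to the parsed `end`, and one carrying `eventdate` together with `end` gets `event.end` set to the parsed `eventdate`. Those filters also test `.get(...) != None` while the chain tests truthiness, so an empty-string `eventdate` would still stamp `@timestamp` from whichever later field date.parse fell back to. Parsing `start` and `end` in their own date.parse stages and pointing the two new `set` stages at those outputs removes the coupling (assuming stage results are addressed by the stage `name`, as `parsed_date.datetime` suggests), after which the `or parse_event.message.end or parse_event.message.start` tail on `input_field` is no longer needed. The `pipeline` list the date.parse stage belongs to begins before this hunk.
```yaml
# … unchanged: existing date.parse stage feeding parsed_date …
  - name: parsed_start
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.start}}"
        output_field: datetime

  - name: parsed_end
    external:
      name: date.parse
      properties:
        input_field: "{{parse_event.message.end}}"
        output_field: datetime
# … unchanged: set_event_fields and the other stages …
      - set:
          event.start: "{{parsed_start.datetime}}"
        filter: "{{parse_event.message.get('start') != None}}"

      - set:
          event.end: "{{parsed_end.datetime}}"
        filter: "{{parse_event.message.get('end') != None}}"
# … unchanged: file.path set stage …
```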
@@ -74,7 +75,6 @@ stages:
 set_ecs_fields:
 actions:
 - set:
- "@timestamp": "{{parsed_date.datetime}}"
 host.ip: "{{parse_event.message.dvc}}"
 host.name: "{{parse_event.message.BitdefenderGZComputerFQDN or parse_event.message.dvchost}}"
 destination.user.name: "{{parse_event.message.duser}}"
@@ -94,8 +94,24 @@ stages:
 observer.vendor: "{{parse_event.message.DeviceVendor}}"
 observer.product: "{{parse_event.message.DeviceProduct}}"
 observer.version: "{{parse_event.message.DeviceVersion}}"
+ bitdefender.gravityzone.application_control.block_type: "{{parse_event.message.BitdefenderGZApplicationControlBlockType}}"
+ bitdefender.gravityzone.application_control.type: "{{parse_event.message.BitdefenderGZApplicationControlType}}"
+ bitdefender.gravityzone.application_control.detection_count: "{{parse_event.message.cnt}}"
+ bitdefender.gravityzone.data.categories: "{{parse_event.message.BitdefenderGZDataCategories}}"
 bitdefender.gravityzone.exploit.type: "{{parse_event.message.BitdefenderGZExploitType}}"
+ - set:
+ "@timestamp": "{{parsed_date.datetime}}"
+ filter: "{{parse_event.message.get('eventdate') != None or parse_event.message.get('BitdefenderGZDetectionTime') != None}}"
+
+ - set:
+ event.start: "{{parsed_date.datetime}}"
+ filter: "{{parse_event.message.get('start') != None}}"
+
+ - set:
+ event.end: "{{parsed_date.datetime}}"
+ filter: "{{parse_event.message.get('end') != None}}"
+
 - set:
 file.path: "{{parse_event.message.filePath}}"
 filter: "{{parse_event.message.get('BitdefenderGZMalwareType') == None or parse_event.message.BitdefenderGZMalwareType.lower() != 'file'}}"
diff --git a/Bitdefender/gravityzone/tests/login_1.json b/Bitdefender/gravityzone/tests/login_1.json
index ddf96c93f..c6b345332 100644
--- a/Bitdefender/gravityzone/tests/login_1.json
+++ b/Bitdefender/gravityzone/tests/login_1.json
@@ -9,6 +9,7 @@
 "authentication"
 ],
 "severity": 3,
+ "start": "2024-06-11T11:34:56Z",
 "type": [
 "start"
 ]
diff --git a/Bitdefender/gravityzone/tests/uc_event.json b/Bitdefender/gravityzone/tests/uc_event.json
new file mode 100644
index 000000000..68751f9b2
--- /dev/null
+++ b/Bitdefender/gravityzone/tests/uc_event.json
@@ -0,0 +1,65 @@
+{
+ "input": {
+ "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 suser=john.doe@test.local suid=S-1-5-21-1111111111-222222222-3333333333-500",
+ "sekoiaio": {
+ "intake": {
+ "dialect": "Bitdefender GravityZone [BETA]",
+ "dialect_uuid": "d11df984-840d-4c29-a6dc-b9195c3a24e3"
+ }
+ }
+ },
+ "expected": {
+ "message": "CEF:0|Bitdefender|GravityZone|6.40.1-1|1000|Web Control|9|BitdefenderGZModule=uc dvchost=example BitdefenderGZComputerFQDN=example.test.local dvc=1.2.3.4 deviceExternalId=1234567890abcdef12345678 BitdefenderGZApplicationControlType=http request=external-content.domain.com/ip3/www.test_request.com BitdefenderGZApplicationControlBlockType=http_categories BitdefenderGZDataCategories=Ads act=uc_site_blocked end=Dec 16 2024 12:34:33 Z cnt=1 suser=john.doe@test.local suid=S-1-5-21-1111111111-222222222-3333333333-500",
+ "event": {
+ "action": "uc_site_blocked",
+ "category": [
+ "web"
+ ],
+ "end": "2024-12-16T12:34:33Z",
+ "module": "uc",
+ "severity": 9,
+ "type": [
+ "info"
+ ]
+ },
+ "bitdefender": {
+ "gravityzone": {
+ "application_control": {
+ "block_type": "http_categories",
+ "detection_count": 1,
+ "type": "http"
+ },
+ "data": {
+ "categories": "Ads"
+ }
+ }
+ },
+ "host": {
+ "ip": "1.2.3.4",
+ "name": "example.test.local"
+ },
+ "observer": {
+ "product": "GravityZone",
+ "vendor": "Bitdefender",
+ "version": "6.40.1-1"
+ },
+ "related": {
+ "ip": [
+ "1.2.3.4"
+ ],
+ "user": [
+ "john.doe@test.local"
+ ]
+ },
+ "source": {
+ "user": {
+ "id": "S-1-5-21-1111111111-222222222-3333333333-500",
+ "name": "john.doe@test.local"
+ }
+ },
+ "url": {
+ "original": "external-content.domain.com/ip3/www.test_request.com",
+ "path": "external-content.domain.com/ip3/www.test_request.com"
+ }
+ }
+}
\ No newline at end of file
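Review bot: The expected output pins `url.path` to `external-content.domain.com/ip3/www.test_request.com` and asserts no `url.domain`, so because the CEF `request` value carries no scheme, the host is being kept inside the path; for a web-control block the blocked domain is the value detection rules and enrichment pivot on, and this test locks in that lossy mapping. The stage that derives `url.*` from `request` is outside this patch, so either it should split a scheme-less value on the first `/` before URL parsing (yielding `url.domain` = `external-content.domain.com` and `url.path` = `/ip3/www.test_request.com`), or the current `url.path` expectation should be flagged as provisional in the commit description since JSON test files cannot carry a comment. The absence of `@timestamp` in the expected block is consistent with the new `eventdate`/`BitdefenderGZDetectionTime` filter in parser.yml rather than an omission, and `event.end` is the only timestamp this sample exercises.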