Fix comments

SEKOIA-IO · Jan 15, 2025 · eed7373 · eed7373
1 parent 07bff90
commit eed7373
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 51 deletions.
diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -3,46 +3,6 @@ action.properties.ScriptBlockText:
   name: action.properties.ScriptBlockText
   type: keyword
 
-email.attachments:
-  description: A list of objects describing the attachment files sent along with an
-    email message
-  name: email.attachments
-  type: array
-
-email.delivery_timestamp:
-  description: The date and time when the email message was received by the service
-    or client
-  name: email.delivery_timestamp
-  type: date
-
-email.from.address:
-  description: 'The email address of the sender, typically from the RFC 5322 From:
-    header field'
-  name: email.from.address
-  type: keyword
-
-email.local_id:
-  description: Unique identifier given to the email by the source that created the
-    event
-  name: email.local_id
-  type: keyword
-
-email.message_id:
-  description: 'Identifier from the RFC 5322 Message-ID: email header that refers
-    to a particular email message'
-  name: email.message_id
-  type: keyword
-
-email.subject:
-  description: A brief summary of the topic of the message
-  name: email.subject
-  type: keyword
-
-email.to.address:
-  description: The email address of recipient
-  name: email.to.address
-  type: keyword
-
 process.parent.parent.command_line:
   description: ''
   name: process.parent.parent.command_line

diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -1,5 +1,5 @@
 name: trend-micro-vision-one-oat
-ignored_values: []
+ignored_values: [ ]
 pipeline:
   - name: parsed_event
     external:
@@ -9,15 +9,24 @@ pipeline:
         output_field: message
 
   - name: set_ecs_fields
+
+  - name: parse_email_date
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{parsed_event.message.rt_utc}}"
+        output_field: datetime
+    filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
+
   - name: set_email_fields
     filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
 
 stages:
   set_ecs_fields:
     actions:
       - set:
-          event.category: ["intrusion_detection"]
-          event.type: ["info"]
+          event.category: [ "intrusion_detection" ]
+          event.type: [ "info" ]
           observer.vendor: "TrendMicro"
           observer.product: "Vision One"
 
@@ -70,6 +79,9 @@ stages:
           process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
           process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
 
+      - set:
+          threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
+
           threat.technique.id: >
             {%- set ids = [] -%}
             {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
@@ -84,20 +96,18 @@ stages:
             {%- endfor -%}
             {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
 
-      - set:
-          threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
         filter: "{{parsed_event.message.filters | length > 0 }}"
 
   set_email_fields:
     actions:
       - set:
-          event.category: ["email"]
-          event.type: ["info"]
+          event.category: [ "email" ]
+          event.type: [ "info" ]
 
           email.from.address: "{{ parsed_event.message.suser }}"
           email.to.address: "{{ parsed_event.message.duser }}"
           email.subject: "{{ parsed_event.message.mailMsgSubject }}"
           email.local_id: "{{ parsed_event.message.msgUuid }}"
           email.message_id: "{{ parsed_event.message.msgId }}"
-          email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}"
+          email.delivery_timestamp: "{{ parse_email_date.datetime }}"
           email.attachments: "{{ parsed_event.message.attachment }}"
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
@@ -13,7 +13,7 @@
       ]
     },
     "email": {
-      "delivery_timestamp": "2024-12-11T23:47:10.0000000Z",
+      "delivery_timestamp": "2024-12-11T23:47:10Z",
       "from": {
         "address": [
           "[email protected]"

diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
@@ -21,7 +21,7 @@
           "attachmentFileTlsh": ""
         }
       ],
-      "delivery_timestamp": "2024-12-11T13:52:57.0150000Z",
+      "delivery_timestamp": "2024-12-11T13:52:57.015000Z",
       "from": {
         "address": "[email protected]"
       },

diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
@@ -45,7 +45,7 @@
           "attachmentFileTlsh": ""
         }
       ],
-      "delivery_timestamp": "2024-12-11T07:51:23.4600000Z",
+      "delivery_timestamp": "2024-12-11T07:51:23.460000Z",
       "from": {
         "address": [
           "[email protected]"