From eed7373c4a9bf0c736141410fd69a99e42138789 Mon Sep 17 00:00:00 2001
From: vg-svitla
Date: Wed, 15 Jan 2025 18:36:04 +0400
Subject: [PATCH] Fix comments

---
 .../_meta/fields.yml | 40 -------------------
 .../ingest/parser.yml | 26 ++++++++----
 .../test_observed_attack_technique_4.json | 2 +-
 .../test_observed_attack_technique_5.json | 2 +-
 .../test_observed_attack_technique_6.json | 2 +-
 5 files changed, 21 insertions(+), 51 deletions(-)

diff --git a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
index 30f7b23aa..abdf1aea4 100644
--- a/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/_meta/fields.yml
@@ -3,46 +3,6 @@ action.properties.ScriptBlockText:
   name: action.properties.ScriptBlockText
   type: keyword
 
-email.attachments:
-  description: A list of objects describing the attachment files sent along with an
-    email message
-  name: email.attachments
-  type: array
-
-email.delivery_timestamp:
-  description: The date and time when the email message was received by the service
-    or client
-  name: email.delivery_timestamp
-  type: date
-
-email.from.address:
-  description: 'The email address of the sender, typically from the RFC 5322 From:
-    header field'
-  name: email.from.address
-  type: keyword
-
-email.local_id:
-  description: Unique identifier given to the email by the source that created the
-    event
-  name: email.local_id
-  type: keyword
-
-email.message_id:
-  description: 'Identifier from the RFC 5322 Message-ID: email header that refers
-    to a particular email message'
-  name: email.message_id
-  type: keyword
-
-email.subject:
-  description: A brief summary of the topic of the message
-  name: email.subject
-  type: keyword
-
-email.to.address:
-  description: The email address of recipient
-  name: email.to.address
-  type: keyword
-
 process.parent.parent.command_line:
   description: ''
   name: process.parent.parent.command_line
diff --git a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
index 177c656f6..d53b6c859 100644
--- a/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
+++ b/Trend Micro/trend-micro-vision-one-oat/ingest/parser.yml
@@ -1,5 +1,5 @@
 name: trend-micro-vision-one-oat
-ignored_values: []
+ignored_values: [ ]
 pipeline:
   - name: parsed_event
     external:
@@ -9,6 +9,15 @@ pipeline:
       output_field: message
 
   - name: set_ecs_fields
+
+  - name: parse_email_date
+    external:
+      name: date.parse
+      properties:
+        input_field: "{{parsed_event.message.rt_utc}}"
+        output_field: datetime
+    filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
+
   - name: set_email_fields
     filter: "{{parsed_event.message.scanType in ['exchange_mailbox_realtime_detection_logs', 'realtime_mailmeta-exchange']}}"
 
@@ -16,8 +25,8 @@ stages:
   set_ecs_fields:
     actions:
       - set:
-          event.category: ["intrusion_detection"]
-          event.type: ["info"]
+          event.category: [ "intrusion_detection" ]
+          event.type: [ "info" ]
           observer.vendor: "TrendMicro"
           observer.product: "Vision One"
 
@@ -70,6 +79,9 @@ stages:
           process.hash.sha1: "{{parsed_event.message.detail.ObjectFileHashSha1}}"
           process.hash.sha256: "{{parsed_event.message.detail.ObjectFileHashSha256}}"
 
+      - set:
+          threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
+
           threat.technique.id: >
             {%- set ids = [] -%}
             {%- for item in parsed_event.message.filters | map(attribute='mitreTechniqueIds') | list | sum(start = []) -%}
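Review bot: The scanType filter on the new parse_email_date stage is a verbatim copy of the one on set_email_fields, and set_email_fields now reads `{{ parse_email_date.datetime }}` for email.delivery_timestamp, so a future edit to one filter but not the other would silently yield email events whose delivery timestamp references a stage that never ran. A comment above the stage, `# keep this filter identical to set_email_fields: that stage consumes parse_email_date.datetime`, would make the coupling visible, or the two could share one condition if the pipeline format allows it. The hunk also does not show what date.parse does when rt_utc is absent or malformed on a matching event; the updated fixtures suggest the output drops the fractional part when it is zero (`...47:10Z`) but keeps six digits otherwise (`...57.015000Z`), so any consumer expecting one fixed timestamp shape should be checked.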
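Review bot: The new `threat.tactic.id` value is rendered with a bare `{{ … }}` of a flattened list, while `threat.technique.id` directly below it builds an `ids` list and emits it with `tojson`; unless the engine coerces list-valued strings itself, the tactic field may land as a Python-repr string (`"['TA0002']"`) rather than a JSON array, and nothing deduplicates tactic IDs repeated across several filters. Aligning it with the technique template, e.g. `threat.tactic.id: "{{ parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start=[]) | unique | list | tojson }}"` (if the `unique` filter is available in this Jinja build), would give both MITRE fields the same shape. The `- set:` item opened here continues past the hunk; the rest of the technique template and its `filter` line are in the next hunk.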
@@ -84,20 +96,18 @@ stages:
             {%- endfor -%}
             {%- if ids | length > 0 -%}{{ ids | tojson }}{%- endif -%}
-      - set:
-          threat.tactic.id: "{{parsed_event.message.filters | map(attribute='mitreTacticIds') | list | sum(start = [])}}"
         filter: "{{parsed_event.message.filters | length > 0 }}"
   set_email_fields:
     actions:
       - set:
-          event.category: ["email"]
-          event.type: ["info"]
+          event.category: [ "email" ]
+          event.type: [ "info" ]
           email.from.address: "{{ parsed_event.message.suser }}"
           email.to.address: "{{ parsed_event.message.duser }}"
           email.subject: "{{ parsed_event.message.mailMsgSubject }}"
           email.local_id: "{{ parsed_event.message.msgUuid }}"
           email.message_id: "{{ parsed_event.message.msgId }}"
-          email.delivery_timestamp: "{{ parsed_event.message.rt_utc }}"
+          email.delivery_timestamp: "{{ parse_email_date.datetime }}"
           email.attachments: "{{ parsed_event.message.attachment }}"
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
index 63c0b40d6..320ec1dd5 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_4.json
@@ -13,7 +13,7 @@
       ]
     },
     "email": {
-      "delivery_timestamp": "2024-12-11T23:47:10.0000000Z",
+      "delivery_timestamp": "2024-12-11T23:47:10Z",
       "from": {
         "address": [
           "XXXXXX@test.com"
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
index ab5632b7d..65cb6cc51 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_5.json
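Review bot: This stage still populates email.from.address, email.to.address, email.subject, email.local_id, email.message_id, email.delivery_timestamp and email.attachments, yet the `_meta/fields.yml` hunk in the same patch deletes the declarations for exactly those seven fields, including the `type: date` declaration for email.delivery_timestamp. If field declarations drive typing and indexing in the consuming platform, the datetime that parse_email_date now produces would be stored untyped and the normalisation gains nothing; if the fields are instead inherited from a shared ECS definition, a comment on the stage such as `# email.* fields are declared in the shared ECS field set, not in _meta/fields.yml` would stop the next reader from re-adding them. The commit message ("Fix comments") does not say which of the two is intended.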
@@ -21,7 +21,7 @@
           "attachmentFileTlsh": ""
         }
       ],
-      "delivery_timestamp": "2024-12-11T13:52:57.0150000Z",
+      "delivery_timestamp": "2024-12-11T13:52:57.015000Z",
       "from": {
         "address": "XXXXX@test.com"
       },
diff --git a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
index a42e90b09..19cb32fc7 100644
--- a/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
+++ b/Trend Micro/trend-micro-vision-one-oat/tests/test_observed_attack_technique_6.json
@@ -45,7 +45,7 @@
           "attachmentFileTlsh": ""
         }
       ],
-      "delivery_timestamp": "2024-12-11T07:51:23.4600000Z",
+      "delivery_timestamp": "2024-12-11T07:51:23.460000Z",
       "from": {
         "address": [
           "XXXXX@test.com"