Merge branch 'main' into fix/add_raise_error_false

SEKOIA-IO · Dec 2, 2024 · fca8183 · fca8183
2 parents 4021572 + 30da70b
commit fca8183
Show file tree

Hide file tree

Showing 30 changed files with 1,049 additions and 33 deletions.
diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
diff --git a/HarfangLab/harfanglab/tests/alert_4.json b/HarfangLab/harfanglab/tests/alert_4.json
diff --git a/HarfangLab/harfanglab/tests/alert_5.json b/HarfangLab/harfanglab/tests/alert_5.json
@@ -0,0 +1,89 @@
+{
+  "input": {
+    "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "HarfangLab EDR",
+        "dialect_uuid": "3c7057d3-4689-4fae-8033-6f1f887a70f2"
+      }
+    }
+  },
+  "expected": {
+    "message": "{\"type\": \"rtlogs\", \"level\": \"medium\", \"maturity\": \"stable\", \"quarantine\": 4, \"rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"alert_time\": \"2024-11-12T08:39:14.017+00:00\", \"rule_name\": \"User Account Added to the Local Administrators Group\", \"tags\": [\"attack.persistence\", \"attack.privilege_escalation\", \"attack.t1078.003\", \"attack.t1098\"], \"level_int\": 30, \"eventlog\": {\"level\": \"log_always\", \"type\": \"wineventlog\", \"detection_timestamp\": \"2024/11/12 08:39:13.967\", \"event_id\": 4732, \"event_data\": {\"SubjectUserSid\": \"S-1-2-4-5-6\", \"SubjectDomainName\": \"NT_DOMAIN\", \"PrivilegeList\": \"-\", \"TargetDomainName\": \"Builtin\", \"TargetUserName\": \"Administrateurs\", \"MemberSid\": \"S-1-2-4-7-8\", \"MemberName\": \"NT_DOMAIN\\\\DOEJ\", \"SubjectUserName\": \"sw-suser\", \"TargetSid\": \"S-1-2-3-4\", \"SubjectLogonId\": \"0x1234567\"}, \"record_number\": 174136362, \"event_date\": \"2024-11-12T08:39:13.205Z\", \"sigma_rule_content\": \"title: User Account Added to the Local Administrators Group\\nid: 12345678-abcd-ef90-1234-123456abcdef\\ndescription: \\\"Detects when a user account is added into the local Administrators group.\\\\n\\nThis action can be the result of a malicious activity.\\\"\\nreferences:\\n    - https://attack.mitre.org/techniques/T1098/\\n    - https://attack.mitre.org/techniques/T1078/003/\\nstatus: stable\\ndate: 2021/04/28\\nmodified: 2021/01/10\\nauthor: HarfangLab\\ntags:\\n    - attack.persistence\\n    - attack.t1098\\n    - attack.privilege_escalation\\n    - attack.t1078.003\\nlogsource:\\n    product: windows\\n    service: security\\ndetection:\\n    selection:\\n        EventID: 4732\\n        GroupSid: S-1-2-3-4\\n    exclusion:\\n        - MemberSid: S-1-2-4-*-512 # avoid detection when a computer joined a domain (domain admins sid)\\n        - SubjectUserName|endswith: \\n    condition: selection and not exclusion\\nfalsepositives:\\n  - Legitimate administrator action\\nlevel: medium\", \"source_name\": \"Microsoft-Windows-Security-Auditing\", \"dont_create_eventlog\": true, \"user\": {\"domain\": \"\", \"name\": \"\", \"type\": \"unknown\", \"identifier\": \"\"}, \"thread_id\": 1728, \"log_name\": \"Security\", \"process_id\": 1224, \"status\": 0, \"ioc_matches\": [], \"provider_guid\": \"54849625-5478-4994-a5ba-3e3b0328c30d\", \"keywords\": [\"AuditSuccess\", \"ReservedKeyword63\"], \"log_type\": \"eventlog\", \"computer_name\": \"PC01.domain.com\", \"user_data\": {}, \"system_event_type\": \"event_log_event\"}, \"threat_values\": [], \"destination\": \"syslog\", \"@timestamp\": \"2024-11-12T08:39:14.017Z\", \"detection_date\": \"2024-11-12T08:39:13.967+00:00\", \"@event_create_date\": \"2024-11-12T08:39:14.017Z\", \"aggregation_key\": \"8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb\", \"alert_type\": \"sigma\", \"rule_id\": \"12345678-abcd-ef90-1234-123456abcdef\", \"ingestion_date\": \"2024-11-12T08:39:14.017+00:00\", \"tenant\": \"3b37ffc8520ef542\", \"threat_type\": \"new\", \"groups\": [{\"name\": \"Postes de travail\", \"id\": \"11111111-2222-3333-4444-555555555555\"}, {\"name\": \"Postes de travail : Lot 3\", \"id\": \"66666666-7777-8888-9999-000000000000\"}], \"status\": \"new\", \"execution\": 0, \"agent\": {\"agentid\": \"11111111-aaaa-2222-bbbb-333333333333\", \"domain\": null, \"osproducttype\": \"Windows 10 Enterprise\", \"ostype\": \"windows\", \"dnsdomainname\": \"domain.com\", \"distroid\": null, \"domainname\": \"NT_DOMAIN\", \"osversion\": \"10.0.19045\", \"hostname\": \"PC01\", \"version\": \"4.1.6\", \"additional_info\": {}}, \"threat_key\": \"20528\", \"mitre_cells\": [\"persistence__t1078.003\", \"persistence__t1098\", \"privilege-escalation__t1078.003\", \"privilege-escalation__t1098\"], \"alert_unique_id\": \"aaaaaaaa-1111-bbbb-2222-cccccccccccc\", \"log_type\": \"alert\", \"@version\": \"1\", \"msg\": \"Detects when a user account is added into the local Administrators group.\\n This action can be the result of a malicious activity.\", \"alert_subtype\": \"eventlog\", \"detection_origin\": \"agent\"}",
+    "event": {
+      "dataset": "alert",
+      "kind": "alert",
+      "type": [
+        "info"
+      ]
+    },
+    "@timestamp": "2024-11-12T08:39:14.017000Z",
+    "action": {
+      "properties": {
+        "MemberName": "DOEJ",
+        "SubjectDomainName": "NT_DOMAIN",
+        "SubjectLogonId": "0x1234567",
+        "SubjectUserName": "sw-suser",
+        "SubjectUserSid": "S-1-2-4-5-6",
+        "TargetDomainName": "Builtin",
+        "TargetSid": "S-1-2-3-4",
+        "TargetUserName": "Administrateurs"
+      }
+    },
+    "agent": {
+      "id": "11111111-aaaa-2222-bbbb-333333333333",
+      "name": "harfanglab"
+    },
+    "harfanglab": {
+      "aggregation_key": "8415b902c507b98714301b4ab6633009fbf2728c0cfaf61637c5e903627e4ebb",
+      "alert_subtype": "eventlog",
+      "alert_time": "2024-11-12T08:39:14.017+00:00",
+      "alert_unique_id": "aaaaaaaa-1111-bbbb-2222-cccccccccccc",
+      "execution": 0,
+      "groups": [
+        "{\"id\": \"11111111-2222-3333-4444-555555555555\", \"name\": \"Postes de travail\"}",
+        "{\"id\": \"66666666-7777-8888-9999-000000000000\", \"name\": \"Postes de travail : Lot 3\"}"
+      ],
+      "level": "medium",
+      "status": "new"
+    },
+    "host": {
+      "domain": "NT_DOMAIN",
+      "hostname": "PC01",
+      "name": "PC01",
+      "os": {
+        "full": "Windows 10 Enterprise",
+        "version": "10.0.19045"
+      }
+    },
+    "log": {
+      "hostname": "PC01"
+    },
+    "organization": {
+      "id": "3b37ffc8520ef542"
+    },
+    "related": {
+      "hosts": [
+        "PC01"
+      ],
+      "user": [
+        "sw-suser"
+      ]
+    },
+    "rule": {
+      "category": "sigma",
+      "description": "Detects when a user account is added into the local Administrators group.\n This action can be the result of a malicious activity.",
+      "id": "12345678-abcd-ef90-1234-123456abcdef",
+      "name": "User Account Added to the Local Administrators Group"
+    },
+    "user": {
+      "domain": "NT_DOMAIN",
+      "name": "sw-suser",
+      "roles": "Postesdetravail,Postesdetravail:Lot3",
+      "target": {
+        "domain": "Builtin",
+        "name": "Administrateurs"
+      }
+    }
+  }
+}
diff --git a/Netskope/netskope_events/ingest/parser.yml b/Netskope/netskope_events/ingest/parser.yml
@@ -37,6 +37,7 @@ stages:
           observer.vendor: "Netskope"
           event.dataset: "{{parsed_event.message.type}}"
           event.action: "{{parsed_event.message.activity}}"
+          action.name: "{{parsed_event.message.action or 'Allow'}}"
           event.reason: "{{parsed_event.message.audit_log_event or parsed_event.message.bypass_reason}}"
           event.duration: "{{parsed_event.message.conn_duration}}"
           user_agent.original: "{{parsed_event.message.user_agent}}"
@@ -92,6 +93,9 @@ stages:
       - set:
           file.path: "{{parsed_event.message.file_path}}"
         filter: '{{parsed_event.message.file_path not in [None, "", "NA"]}}'
+      - set:
+          file.size: "{{parsed_event.message.file_size}}"
+        filter: "{{parsed_event.message.file_size not in [None, 0]}}"
       - translate:
         dictionary:
           "yes": "alert"

diff --git a/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json b/Netskope/netskope_events/tests/test_audit_log_deleted_inline_policy.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T00:29:01Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

diff --git a/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json b/Netskope/netskope_events/tests/test_audit_log_edit_admin_record.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T11:09:47Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

diff --git a/Netskope/netskope_events/tests/test_audit_log_login_failed.json b/Netskope/netskope_events/tests/test_audit_log_login_failed.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T12:20:31Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

diff --git a/Netskope/netskope_events/tests/test_audit_log_login_successful.json b/Netskope/netskope_events/tests/test_audit_log_login_successful.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-12-22T16:38:07Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

diff --git a/Netskope/netskope_events/tests/test_audit_log_logout_successful.json b/Netskope/netskope_events/tests/test_audit_log_logout_successful.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-12-07T10:46:07Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

diff --git a/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json b/Netskope/netskope_events/tests/test_audit_log_password_change_successful.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2022-05-02T11:09:47Z",
+    "action": {
+      "name": "Allow"
+    },
     "netskope": {
       "events": {
         "action": {

diff --git a/Netskope/netskope_events/tests/test_connection_log.json b/Netskope/netskope_events/tests/test_connection_log.json
@@ -19,6 +19,9 @@
       ]
     },
     "@timestamp": "2022-12-21T16:12:20Z",
+    "action": {
+      "name": "Allow"
+    },
     "destination": {
       "address": "5.6.7.8",
       "bytes": 0,

diff --git a/Netskope/netskope_events/tests/test_dlp_incident.json b/Netskope/netskope_events/tests/test_dlp_incident.json
@@ -16,6 +16,9 @@
       ]
     },
     "@timestamp": "2023-01-31T08:11:53Z",
+    "action": {
+      "name": "Allow"
+    },
     "cloud": {
       "instance": {
         "id": "example.org"
@@ -30,7 +33,8 @@
       "hash": {
         "md5": "68b329da9893e34099c7d8ad5cb9c940"
       },
-      "mime_type": "eicar.txt"
+      "mime_type": "eicar.txt",
+      "size": 19154
     },
     "http": {
       "request": {

diff --git a/Netskope/netskope_events/tests/test_malware_alert.json b/Netskope/netskope_events/tests/test_malware_alert.json
@@ -17,6 +17,9 @@
       ]
     },
     "@timestamp": "2022-12-21T14:12:08Z",
+    "action": {
+      "name": "Detection"
+    },
     "destination": {
       "address": "5.6.7.8",
       "bytes": 0,
@@ -36,7 +39,8 @@
       "hash": {
         "md5": "68b329da9893e34099c7d8ad5cb9c940"
       },
-      "name": "eicarcom2.zip"
+      "name": "eicarcom2.zip",
+      "size": 308
     },
     "host": {
       "name": "MacBook Pro",