
Harfanglab - normalize user.name
lvoloshyn-sekoia committed Dec 11, 2024
1 parent 27fe310 commit ffe0e63
Showing 17 changed files with 130 additions and 39 deletions.
8 changes: 7 additions & 1 deletion HarfangLab/harfanglab/CHANGELOG.md
Expand Up @@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### 2024-10-01
### 2024-12-11 - 1.3.0

### Changed

- Split username into `user.name` and `user.domain`

### 2024-10-01 - 1.2.0

### Added

83 changes: 76 additions & 7 deletions HarfangLab/harfanglab/ingest/parser.yml
Expand Up @@ -171,7 +171,16 @@ stages:

process.pid: "{{json_event.message.pid}}"
process.executable: "{{json_event.message.image_name}}"
user.name: "{{json_event.message.username}}"
user.name: >
{%- if '\\' not in json_event.message.username -%}
{{ json_event.message.username }}
{%- else -%}
{{ json_event.message.username.split('\\')[1] }}
{%- endif -%}
user.domain: >
{%- if '\\' in json_event.message.username -%}
{{ json_event.message.username.split('\\')[0] }}
{%- endif -%}
event.category: ["network"]
event.type: ["connection"]
Expand All @@ -192,7 +201,6 @@ stages:
process.pe.company: "{{json_event.message.pe_info.company_name}}"
process.pe.product: "{{json_event.message.pe_info.product_name}}"
process.executable: "{{json_event.message.image_name}}"
user.name: "{{json_event.message.username}}"
process.parent.executable: "{{json_event.message.parent_image}}"
process.parent.command_line: "{{json_event.message.parent_commandline}}"
process.parent.name: '{{json_event.message.parent_image.split("\\") | last}}'
Expand All @@ -202,6 +210,17 @@ stages:
harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"

user.name: >
{%- if '\\' not in json_event.message.username -%}
{{ json_event.message.username }}
{%- else -%}
{{ json_event.message.username.split('\\')[1] }}
{%- endif -%}
user.domain: >
{%- if '\\' in json_event.message.username -%}
{{ json_event.message.username.split('\\')[0] }}
{%- endif -%}
event.category: ["process"]
event.type: ["start"]
- set:
Expand Down Expand Up @@ -261,7 +280,17 @@ stages:
process.pe.product: "{{json_event.message.process.pe_info.product_name}}"

process.executable: "{{json_event.message.process.image_name}}"
user.name: "{{json_event.message.process.username}}"

user.name: >
{%- if '\\' not in json_event.message.process.username -%}
{{ json_event.message.process.username }}
{%- else -%}
{{ json_event.message.process.username.split('\\')[1] }}
{%- endif -%}
user.domain: >
{%- if '\\' in json_event.message.process.username -%}
{{ json_event.message.process.username.split('\\')[0] }}
{%- endif -%}
process.parent.executable: "{{json_event.message.process.parent_image}}"
process.parent.command_line: "{{json_event.message.process.parent_commandline}}"
Expand Down Expand Up @@ -726,9 +755,29 @@ stages:
event.code: "{{json_event.message.windows.event_id}}"
event.action: "{{json_event.message.object_type}}"
user.id: "{{json_event.message.windows.source_sid}}"
user.name: "{{json_event.message.source_username}}"
user.target.id: "{{json_event.message.windows.target_sid}}"
user.target.name: "{{json_event.message.target_username}}"

user.name: >
{%- if '\\' not in json_event.message.source_username -%}
{{ json_event.message.source_username }}
{%- else -%}
{{ json_event.message.source_username.split('\\')[1] }}
{%- endif -%}
user.domain: >
{%- if '\\' in json_event.message.source_username -%}
{{ json_event.message.source_username.split('\\')[0] }}
{%- endif -%}
user.target.name: >
{%- if '\\' not in json_event.message.target_username -%}
{{ json_event.message.target_username }}
{%- else -%}
{{ json_event.message.target_username.split('\\')[1] }}
{%- endif -%}
user.target.domain: >
{%- if '\\' in json_event.message.target_username -%}
{{ json_event.message.target_username.split('\\')[0] }}
{%- endif -%}
dns_info:
actions:
Expand All @@ -737,10 +786,20 @@ stages:
event.type: ["info"]
process.pid: "{{json_event.message.pid}}"
process.executable: "{{json_event.message.process_image_path}}"
user.name: "{{json_event.message.username}}"
dns.question.type: "{{json_event.message.query_type}}"
dns.question.name: "{{json_event.message.requested_name}}"

user.name: >
{%- if '\\' not in json_event.message.username -%}
{{ json_event.message.username }}
{%- else -%}
{{ json_event.message.username.split('\\')[1] }}
{%- endif -%}
user.domain: >
{%- if '\\' in json_event.message.username -%}
{{ json_event.message.username.split('\\')[0] }}
{%- endif -%}
auditlog_info:
actions:
- set:
Expand All @@ -750,11 +809,21 @@ stages:
http.response.status_code: "{{json_event.message.response_status_code}}"
url.path: "{{json_event.message.request_path}}"
user_agent.original: "{{json_event.message.user_agent}}"
user.name: "{{json_event.message.username}}"
source.ip: "{{json_event.message.ip_address}}"
event.reason: "{{json_event.message.log_description}}"
event.action: "{{json_event.message.log_slug}}"

user.name: >
{%- if '\\' not in json_event.message.username -%}
{{ json_event.message.username }}
{%- else -%}
{{ json_event.message.username.split('\\')[1] }}
{%- endif -%}
user.domain: >
{%- if '\\' in json_event.message.username -%}
{{ json_event.message.username.split('\\')[0] }}
{%- endif -%}
agentlog_info:
actions:
- set:
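Review bot: `split('\\')[1]` in the new `user.name` template keeps only the second component, so a username carrying more than one backslash silently loses everything after it, and `split('\\')[0]` for `user.domain` has the matching limitation; the same two-line pattern is repeated in every hunk of this file (network, process, alert, authentication including `user.target.*`, dns and auditlog), so one fix should be applied to all of them. The file already takes the last component for process.parent.name with `split("\\") | last`, so `{{ json_event.message.username.split('\\') | last }}` for the name and `{{ json_event.message.username.split('\\') | first }}` for the domain would be consistent with that existing idiom and robust to extra separators. If HarfangLab can also emit UPN-style names (`user@domain`), those pass through unchanged with an empty `user.domain`, and the `'\\' in ...` test presumably errors on a `username` that is present but null rather than absent — both worth confirming against real events. A short comment on the first occurrence, `# DOMAIN\user -> user.name=user, user.domain=DOMAIN; a bare username leaves user.domain empty`, would explain the fold-and-strip template to the next reader, and `>-` instead of `>` would make the intended absence of a trailing newline explicit rather than relying on the `-%}` whitespace control.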
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/alert.json
Expand Up @@ -76,7 +76,7 @@
"REDACTED"
],
"user": [
"REDACTED\\valves"
"valves"
]
},
"rule": {
Expand All @@ -86,7 +86,8 @@
"name": "YARA binary check"
},
"user": {
"name": "REDACTED\\valves"
"domain": "REDACTED",
"name": "valves"
}
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/alert_1.json
Expand Up @@ -77,7 +77,7 @@
"PL-3049"
],
"user": [
"EXAMPLE\\jdoe"
"jdoe"
]
},
"rule": {
Expand All @@ -87,7 +87,8 @@
"name": "File Added/Modified in Startup Directory"
},
"user": {
"name": "EXAMPLE\\jdoe"
"domain": "EXAMPLE",
"name": "jdoe"
}
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/alert_2.json
Expand Up @@ -83,7 +83,7 @@
"PL3024"
],
"user": [
"EXAMPLE\\jdoe"
"jdoe"
]
},
"rule": {
Expand All @@ -93,7 +93,8 @@
"name": "Registry Autorun Key Added"
},
"user": {
"name": "EXAMPLE\\jdoe",
"domain": "EXAMPLE",
"name": "jdoe",
"roles": "EXAMPLE"
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/alert_3.json
Expand Up @@ -84,7 +84,7 @@
"SRV001"
],
"user": [
"EXAMPLE\\j.doe"
"j.doe"
]
},
"rule": {
Expand All @@ -94,7 +94,8 @@
"name": "PowerShellInvoke-CommandExecutedonRemoteHost"
},
"user": {
"name": "EXAMPLE\\j.doe",
"domain": "EXAMPLE",
"name": "j.doe",
"roles": "Servers"
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/alert_4.json
Expand Up @@ -85,7 +85,7 @@
"HOST01"
],
"user": [
"DOMAINSI\\JDOE"
"JDOE"
]
},
"rule": {
Expand All @@ -105,7 +105,8 @@
"top_level_domain": "com"
},
"user": {
"name": "DOMAINSI\\JDOE",
"domain": "DOMAINSI",
"name": "JDOE",
"roles": "DOMAIN_Postes_de_travail_Windows"
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/alert_false_positive.json
Expand Up @@ -76,7 +76,7 @@
"pc123"
],
"user": [
"XXX\\XXX"
"XXX"
]
},
"rule": {
Expand All @@ -86,7 +86,8 @@
"name": "Discovery: Process list"
},
"user": {
"name": "XXX\\XXX"
"domain": "XXX",
"name": "XXX"
}
}
}
8 changes: 5 additions & 3 deletions HarfangLab/harfanglab/tests/authentication.json
Expand Up @@ -58,7 +58,7 @@
"127.0.0.1"
],
"user": [
"test-domain\\work-laptop$"
"work-laptop$"
]
},
"sekoiaio": {
Expand All @@ -78,12 +78,14 @@
"ip": "127.0.0.1"
},
"user": {
"domain": "test-domain",
"id": "S-1-5-18",
"name": "test-domain\\work-laptop$",
"name": "work-laptop$",
"roles": "custom-group",
"target": {
"domain": "work-laptop",
"id": "S-1-0-0",
"name": "work-laptop\\administrateur"
"name": "administrateur"
}
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/dns.json
Expand Up @@ -57,11 +57,12 @@
"work-laptop"
],
"user": [
"test-domain\\john.doe"
"john.doe"
]
},
"user": {
"name": "test-domain\\john.doe",
"domain": "test-domain",
"name": "john.doe",
"roles": "custom-group"
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/network.json
Expand Up @@ -50,7 +50,7 @@
"192.168.120.41"
],
"user": [
"NT AUTHORITY\\SYSTEM"
"SYSTEM"
]
},
"source": {
Expand All @@ -59,7 +59,8 @@
"port": 21955
},
"user": {
"name": "NT AUTHORITY\\SYSTEM"
"domain": "NT AUTHORITY",
"name": "SYSTEM"
}
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/network2.json
Expand Up @@ -51,7 +51,7 @@
"185.202.2.238"
],
"user": [
"NT AUTHORITY\\NETWORK SERVICE"
"NETWORK SERVICE"
]
},
"source": {
Expand All @@ -60,7 +60,8 @@
"port": 42221
},
"user": {
"name": "NT AUTHORITY\\NETWORK SERVICE"
"domain": "NT AUTHORITY",
"name": "NETWORK SERVICE"
}
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/process-event.json
Expand Up @@ -81,11 +81,12 @@
"SFRTAOA"
],
"user": [
"NT AUTHORITY\\SYSTEM"
"SYSTEM"
]
},
"user": {
"name": "NT AUTHORITY\\SYSTEM",
"domain": "NT AUTHORITY",
"name": "SYSTEM",
"roles": "Group1"
}
}
5 changes: 3 additions & 2 deletions HarfangLab/harfanglab/tests/process.json
Expand Up @@ -74,11 +74,12 @@
"EXCHANGE"
],
"user": [
"NT AUTHORITY\\SYSTEM"
"SYSTEM"
]
},
"user": {
"name": "NT AUTHORITY\\SYSTEM"
"domain": "NT AUTHORITY",
"name": "SYSTEM"
}
}
}
