SEKOIA-IO · squioc · Dec 13, 2024 · Nov 11, 2024 · Nov 11, 2024 · Nov 12, 2024
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
@@ -7,7 +7,7 @@ slug: ocsf
 description: >-
   The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.
 
-  Supported version: **1.1**
+  Supported version: **1.3**
 
 data_sources:
   File monitoring: OCSF allows collecting system activities

diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json
@@ -928,5 +928,49 @@
         "field": "ocsf.activity_name"
       }
     ]
+  },
+  {
+    "value": "File Remediation Activity: {ocsf.activity_name} file {file.name}",
+    "conditions": [
+      {
+        "field": "ocsf.class_uid",
+        "value": 7002
+      },
+      {
+        "field": "ocsf.activity_name"
+      },
+      {
+        "field": "file.name"
+      }
+    ]
+  },
+  {
+    "value": "Process Remediation Activity: {ocsf.activity_name} file {file.name} by process {process.name}",
+    "conditions": [
+      {
+        "field": "ocsf.class_uid",
+        "value": 7003
+      },
+      {
+        "field": "ocsf.activity_name"
+      },
+      {
+        "field": "file.name"
+      },
+      {
+        "field": "process.name"
+      }
+    ]
+  },
+  {
+    "value": "{ocsf.class_name}: {ocsf.activity_name}",
+    "conditions": [
+      {
+        "field": "ocsf.class_name"
+      },
+      {
+        "field": "ocsf.activity_name"
+      }
+    ]
   }
 ]
diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml
@@ -79,16 +79,16 @@ pipeline:
   - name: set_common_fields
 
   - name: pipeline_object_actor
-    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}"
+    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.get('actor') != None }}"
 
   - name: pipeline_object_attack
-    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}"
+    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.get('attacks') != None }}"
 
   - name: pipeline_object_network_connection_info
-    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}"
+    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,7004,99904009,99904010,99931006,99932007,99933005] and parse_event.message.get('connection_info') != None }}"
 
   - name: pipeline_object_device
-    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}"
+    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,5020,6001,6002,6004,6007,201001,201002,201003,201004,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.get('device') != None }}"
 
   - name: pipeline_object_http_request
     filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.get('http_request') != None }}"
@@ -100,7 +100,7 @@ pipeline:
     filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.get('dst_endpoint') != None or parse_event.message.get('src_endpoint') != None }}"
 
   - name: pipeline_object_process
-    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}"
+    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,7003,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.get('process') != None }}"
 
   - name: pipeline_object_proxy
     filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.get('proxy') != None }}"
@@ -115,7 +115,7 @@ pipeline:
     filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.get('user') != None }}"
 
   - name: pipeline_object_file
-    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}"
+    filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,7002,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.get('file') != None }}"
 
   - name: pipeline_object_system_activity_helper
     filter: "{{ parse_event.message.get('class_uid') != None and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}"
@@ -454,8 +454,8 @@ stages:
           host.geo.city_name: "{{ parse_event.message.device.location.city }}"
           host.geo.continent_name: "{{ parse_event.message.device.location.continent }}"
           host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}"
-          host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}"
-          host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}"
+          host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] or parse_event.message.device.location.long }}"
+          host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] or parse_event.message.device.location.lat }}"
           host.geo.name: "{{ parse_event.message.device.location.desc }}"
           host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}"
           host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}"
@@ -534,7 +534,8 @@ stages:
       - set:
           source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}"
           source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}"
-          source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}"
+          source.geo.location.lon: "{{ parse_event.message.src_endpoint.location.coordinates[0] or parse_event.message.src_endpoint.location.long }}"
+          source.geo.location.lat: "{{ parse_event.message.src_endpoint.location.coordinates[1] or parse_event.message.src_endpoint.location.lat }}"
           source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}"
           source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}"
           source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}"
@@ -557,8 +558,8 @@ stages:
       - set:
           destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}"
           destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}"
-          destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}"
-          destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}"
+          destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] or parse_event.message.dst_endpoint.location.long }}"
+          destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] or parse_event.message.dst_endpoint.location.lat }}"
           destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}"
           destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}"
           destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}"