From 57d71bee716c3470d98d2c4a9c392530e1fac0dd Mon Sep 17 00:00:00 2001
From: lvoloshyn-sekoia
Date: Tue, 17 Dec 2024 10:46:41 +0200
Subject: [PATCH 1/2] Sekoia Endpoint - parse `dns.resolved_ip` without errors
---
SekoiaIO/endpoint/ingest/parser.yml | 13 ++-
.../tests/dns_results_without_ip.json | 91 +++++++++++++++++++
2 files changed, 103 insertions(+), 1 deletion(-)
create mode 100644 SekoiaIO/endpoint/tests/dns_results_without_ip.json
diff --git a/SekoiaIO/endpoint/ingest/parser.yml b/SekoiaIO/endpoint/ingest/parser.yml
index 873db4f0b..014bdc5ad 100644
--- a/SekoiaIO/endpoint/ingest/parser.yml
+++ b/SekoiaIO/endpoint/ingest/parser.yml
@@ -53,7 +53,6 @@ stages:
agent: "{{json.event.agent}}"
destination: "{{json.event.destination}}"
dll: "{{json.event.dll}}"
- dns: "{{json.event.dns}}"
error: "{{json.event.error}}"
event.action: "{{json.event.event.action}}"
event.category: "{{json.event.event.category}}"
@@ -82,6 +81,18 @@ stages:
sekoiaio.target_process: "{{json.event.sekoiaio.target_process}}"
sekoiaio.repeat.count: "{{json.event.sekoiaio.repeat.count}}"
+ - set:
+ dns.answers: "{{json.event.dns.answers}}"
+ dns.id: "{{json.event.dns.id}}"
+ dns.op_code: "{{json.event.dns.op_code}}"
+ dns.question: "{{json.event.dns.question}}"
+ dns.response_code: "{{json.event.dns.response_code}}"
+ dns.type: "{{json.event.dns.type}}"
+
+ - set:
+ dns.resolved_ip: "{{json.event.dns.resolved_ip}}"
+ filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"
+ - set:
+ action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
+ action.properties.TaskContentNew_Args: "{{parsed_task_content_xml.result.Task.Actions.Exec.Arguments}}"
diff --git a/SekoiaIO/endpoint/tests/dns_results_without_ip.json b/SekoiaIO/endpoint/tests/dns_results_without_ip.json
new file mode 100644
index 000000000..f1054a0ac
--- /dev/null
+++ b/SekoiaIO/endpoint/tests/dns_results_without_ip.json
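Review bot: Replacing the wholesale `dns: "{{json.event.dns}}"` mapping with an explicit field list in the `@@ -82,6 +81,18 @@` hunk silently drops `dns.header_flags`: the new fixture's input carries `"header_flags": ["RD", "RA"]`, yet its expected `dns` object only has answers, id, op_code, question, response_code and type, and PATCH 2/2 keeps the same explicit list, so the omission survives the series. `dns.header_flags` is a standard ECS field, so unless dropping it is intended the first new `- set:` block should also carry `dns.header_flags: "{{json.event.dns.header_flags}}"` and the fixture's expected output should be updated to match. A one-line comment above that block, such as `# dns.* is mapped field by field so resolved_ip can be validated separately`, would record why the object copy was split.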
@@ -0,0 +1,91 @@ +{ + "input": { + "message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": [\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}" + }, + "expected": { + "message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": 
[\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}", + "event": { + "action": "dns-query-result", + "category": [ + "network" + ], + "code": "22", + "end": "2024-12-13T07:06:37.188887Z", + "outcome": "success", + "provider": "SEKOIA-IO-Endpoint", + "start": "2024-12-13T07:06:37.188885Z", + "type": [ + "connection", + "protocol" + ] + }, + "action": { + "outcome": "success" + }, + "agent": { + "id": "d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c", + "version": "v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133" + }, + "destination": { + "address": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c", + "ip": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c", + "port": 49878 + }, + "dns": { + "answers": [ + { + "data": "self-events-data.trafficmanager.net", + "name": "self.events.data.microsoft.com", + "ttl": 71, + "type": "CNAME" + } + ], + "id": "19552", + "op_code": "Query", + "question": { + "class": "IN", + "name": "self.events.data.microsoft.com", + "registered_domain": "microsoft.com", + "subdomain": "self.events.data", + "top_level_domain": "com", + "type": "Unknown" + }, + "response_code": "No Error", + "type": "answer" + }, + "host": { + "hostname": "EXAMPLE.local", + "ip": [ + "192.0.0.2" + ], + "name": "EXAMPLE.local", + "os": { + "type": "macos" + } + }, + "network": { + "transport": "udp" + }, + "related": { + "hosts": [ + "EXAMPLE.local", + "self.events.data.microsoft.com" + ], + "ip": [ + "192.0.0.2", + 
"968:447b:692:f381:337:cafd:40e8:9123",
+ "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c"
+ ]
+ },
+ "sekoiaio": {
+ "repeat": {
+ "count": 1
+ }
+ },
+ "source": {
+ "address": "968:447b:692:f381:337:cafd:40e8:9123",
+ "ip": "968:447b:692:f381:337:cafd:40e8:9123",
+ "port": 53
+ }
+ }
+}
\ No newline at end of file
From ba36359b0ebf64fc764d5d91bd12290082fac11a Mon Sep 17 00:00:00 2001
From: Sebastien Quioc
Date: Tue, 17 Dec 2024 10:41:32 +0100
Subject: [PATCH 2/2] fix(Sekoia.io): fix dns.resolved_ip
---
SekoiaIO/endpoint/ingest/parser.yml | 14 ++++++++---
SekoiaIO/endpoint/tests/dns_results.json | 32 ++++++++++++++++++++++--
2 files changed, 40 insertions(+), 6 deletions(-)
diff --git a/SekoiaIO/endpoint/ingest/parser.yml b/SekoiaIO/endpoint/ingest/parser.yml
index 014bdc5ad..a6d0982ca 100644
--- a/SekoiaIO/endpoint/ingest/parser.yml
+++ b/SekoiaIO/endpoint/ingest/parser.yml
@@ -88,10 +88,16 @@ stages:
dns.question: "{{json.event.dns.question}}"
dns.response_code: "{{json.event.dns.response_code}}"
dns.type: "{{json.event.dns.type}}"
-
- - set:
- dns.resolved_ip: "{{json.event.dns.resolved_ip}}"
- filter: "{{json.event.dns.resolved_ip | is_ipaddress}}"
+ dns.resolved_ip: >
+ {% set ips = [] %}
+ {%- for answer in json.event.dns.resolved_ip -%}
+ {%- if answer | is_ipaddress -%}
+ {% set ips = ips.append(answer) %}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- if ips | length > 0 -%}
+ {{ips}}
+ {%- endif -%}
- set:
action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
diff --git a/SekoiaIO/endpoint/tests/dns_results.json b/SekoiaIO/endpoint/tests/dns_results.json
index 0023193c7..9e77aab4f 100644
--- a/SekoiaIO/endpoint/tests/dns_results.json
+++ b/SekoiaIO/endpoint/tests/dns_results.json
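Review bot: The new fixture's `input` carries only `message`, while PATCH 2/2 gives the sibling `dns_results.json` an additional `sekoiaio.intake` block with `dialect` and `dialect_uuid`, so the two fixtures feed the parser different input shapes; if the intake block is required by the test harness this fixture should get the same block, and if it is not, the divergence is worth a word in the commit message. The fixture also ends with `\ No newline at end of file`, unlike a file written by the usual JSON formatters. Coverage-wise it pins only `"resolved_ip": [""]`, where every entry is rejected; a list mixing a valid address with an empty entry, the case the per-element filter introduced in PATCH 2/2 exists for, has no fixture, and one whose expected `dns.resolved_ip` holds just the valid address would guard that path.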
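Review bot: `{% set ips = ips.append(answer) %}` stores the return value of `append` back into `ips`, which in a Jinja2-style engine is None, so the template only yields the full list because a `set` inside a `for` body is loop-scoped and `ips` is re-read from the outer list on each iteration; the intent is clearer and independent of that scoping as `{% set _ = ips.append(answer) %}`. The engine behind `is_ipaddress` is not visible here, so confirm the idiom against it before changing. The per-element filter is the right shape for the fix: entries that are not addresses, such as the `""` in `dns_results_without_ip.json`, are dropped instead of aborting the parse, and the `length > 0` guard leaves `dns.resolved_ip` unset when nothing valid remains. A short comment above `dns.resolved_ip: >`, e.g. `# keep only well-formed addresses; the agent can emit empty strings here`, would explain why this field is not mapped like its siblings.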
@@ -1,9 +1,15 @@ { "input": { - "message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}" + "message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n", + "sekoiaio": { + "intake": { + "dialect": "Sekoia.io Endpoint Agent", + "dialect_uuid": "250e4095-fa08-4101-bb02-e72f870fcbd1" + } + } }, "expected": { - "message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program 
Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}", + "message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 
12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n", "event": { "code": "22", "provider": "Microsoft-Windows-Sysmon" @@ -77,6 +83,17 @@ "subdomain": "connect", "top_level_domain": "net" }, + "resolved_ip": [ + "129.134.30.11", + "129.134.31.11", + "157.240.21.20", + "185.89.218.11", + "185.89.219.11", + "2a03:2880:f0fc:b:face:b00c:0:99", + "2a03:2880:f0fd:b:face:b00c:0:99", + "2a03:2880:f1fc:b:face:b00c:0:99", + "2a03:2880:f1fd:b:face:b00c:0:99" + ], "response_code": "0" }, "host": { @@ -93,6 +110,17 @@ "connect.facebook.net", "test-PC" ], + "ip": [ + "129.134.30.11", + "129.134.31.11", + "157.240.21.20", + "185.89.218.11", + "185.89.219.11", + "2a03:2880:f0fc:b:face:b00c:0:99", + "2a03:2880:f0fd:b:face:b00c:0:99", + "2a03:2880:f1fc:b:face:b00c:0:99", + "2a03:2880:f1fd:b:face:b00c:0:99" + ], "user": [ "test" ]