Sekoia Endpoint - parse dns.resolved_ip without errors

SekoiaIO/endpoint/ingest/parser.yml

@@ -53,7 +53,6 @@ stages:
           agent: "{{json.event.agent}}"
           destination: "{{json.event.destination}}"
           dll: "{{json.event.dll}}"
-          dns: "{{json.event.dns}}"
           error: "{{json.event.error}}"
           event.action: "{{json.event.event.action}}"
           event.category: "{{json.event.event.category}}"
@@ -82,6 +81,24 @@ stages:
           sekoiaio.target_process: "{{json.event.sekoiaio.target_process}}"
           sekoiaio.repeat.count: "{{json.event.sekoiaio.repeat.count}}"
 
+      - set:
+          dns.answers: "{{json.event.dns.answers}}"
+          dns.id: "{{json.event.dns.id}}"
+          dns.op_code: "{{json.event.dns.op_code}}"
+          dns.question: "{{json.event.dns.question}}"
+          dns.response_code: "{{json.event.dns.response_code}}"
+          dns.type: "{{json.event.dns.type}}"
+          dns.resolved_ip: >
+            {% set ips = [] %}
+            {%- for answer in json.event.dns.resolved_ip -%}
+            {%- if answer | is_ipaddress -%}
+            {% set ips = ips.append(answer) %}
+            {%- endif -%}
+            {%- endfor -%}
+            {%- if ips | length > 0 -%}
+            {{ips}}
+            {%- endif -%}
+
       - set:
           action.properties.TaskContentNew_Command: "{{parsed_task_content_xml.result.Task.Actions.Exec.Command}}"
           action.properties.TaskContentNew_Args: "{{parsed_task_content_xml.result.Task.Actions.Exec.Arguments}}"

SekoiaIO/endpoint/tests/dns_results.json

@@ -1,9 +1,15 @@
 {
   "input": {
-    "message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}"
+    "message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n",
+    "sekoiaio": {
+      "intake": {
+        "dialect": "Sekoia.io Endpoint Agent",
+        "dialect_uuid": "250e4095-fa08-4101-bb02-e72f870fcbd1"
+      }
+    }
   },
   "expected": {
-    "message": "{\"@timestamp\": \"2022-06-02T12:23:19.097868Z\", \"agent\": {\"id\": \"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\", \"version\": \"0.1.0\"}, \"action\": {\"id\": 22, \"properties\": {\"Image\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"Keywords\": \"0x8000000000000000\", \"ProcessGuid\": \"{033fb112-653e-6298-8301-000000001000}\", \"ProviderGuid\": \"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\", \"RuleName\": \"-\", \"Severity\": \"INFO\", \"SourceName\": \"Microsoft-Windows-Sysmon\", \"User\": \"TEST-PC\\\\test\", \"UtcTime\": \"2022-06-02 12:23:18.607\"}}, \"dns\": {\"answers\": [{\"name\": \"scontent.xx.fbcdn.net\", \"type\": \"CNAME\"}, {\"data\": \"157.240.21.20\", \"type\": \"A\"}, {\"data\": \"185.89.219.11\", \"type\": \"A\"}, {\"data\": \"129.134.30.11\", \"type\": \"A\"}, {\"data\": \"185.89.218.11\", \"type\": \"A\"}, {\"data\": \"129.134.31.11\", \"type\": \"A\"}, {\"data\": \"2a03:2880:f1fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f1fc:b:face:b00c:0:99\", \"type\": \"AAAA\"}, {\"data\": \"2a03:2880:f0fd:b:face:b00c:0:99\", \"type\": \"AAAA\"}], \"question\": {\"name\": \"connect.facebook.net\", \"size_in_char\": 20}, \"response_code\": \"0\"}, \"event\": {\"code\": 22, \"provider\": \"Microsoft-Windows-Sysmon\"}, \"host\": {\"hostname\": \"test-PC\"}, \"process\": {\"executable\": \"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\", \"name\": \"chrome.exe\", \"pid\": 6440}, \"user\": {\"name\": \"test\", \"domain\": \"TEST-PC\"}}",
+    "message": "{\"@timestamp\":\"2022-06-02T12:23:19.097868Z\",\"agent\":{\"id\":\"c7a2ee33b4ac7c46c28c597d69f4d9ad327ead3601af4375d68bc250eb62e857\",\"version\":\"0.1.0\"},\"action\":{\"id\":22,\"properties\":{\"Image\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"Keywords\":\"0x8000000000000000\",\"ProcessGuid\":\"{033fb112-653e-6298-8301-000000001000}\",\"ProviderGuid\":\"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}\",\"RuleName\":\"-\",\"Severity\":\"INFO\",\"SourceName\":\"Microsoft-Windows-Sysmon\",\"User\":\"TEST-PC\\\\test\",\"UtcTime\":\"2022-06-02 12:23:18.607\"}},\"dns\":{\"answers\":[{\"name\":\"scontent.xx.fbcdn.net\",\"type\":\"CNAME\"},{\"data\":\"157.240.21.20\",\"type\":\"A\"},{\"data\":\"185.89.219.11\",\"type\":\"A\"},{\"data\":\"129.134.30.11\",\"type\":\"A\"},{\"data\":\"185.89.218.11\",\"type\":\"A\"},{\"data\":\"129.134.31.11\",\"type\":\"A\"},{\"data\":\"2a03:2880:f1fd:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f1fc:b:face:b00c:0:99\",\"type\":\"AAAA\"},{\"data\":\"2a03:2880:f0fd:b:face:b00c:0:99\",\"type\":\"AAAA\"}],\"resolved_ip\":[\"157.240.21.20\",\"185.89.219.11\",\"129.134.30.11\",\"185.89.218.11\",\"129.134.31.11\",\"2a03:2880:f1fd:b:face:b00c:0:99\",\"2a03:2880:f0fc:b:face:b00c:0:99\",\"2a03:2880:f1fc:b:face:b00c:0:99\",\"2a03:2880:f0fd:b:face:b00c:0:99\"],\"question\":{\"name\":\"connect.facebook.net\",\"size_in_char\":20},\"response_code\":\"0\"},\"event\":{\"code\":22,\"provider\":\"Microsoft-Windows-Sysmon\"},\"host\":{\"hostname\":\"test-PC\"},\"process\":{\"executable\":\"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe\",\"name\":\"chrome.exe\",\"pid\":6440},\"user\":{\"name\":\"test\",\"domain\":\"TEST-PC\"}}\n",
     "event": {
       "code": "22",
       "provider": "Microsoft-Windows-Sysmon"
@@ -77,6 +83,17 @@
         "subdomain": "connect",
         "top_level_domain": "net"
       },
+      "resolved_ip": [
+        "129.134.30.11",
+        "129.134.31.11",
+        "157.240.21.20",
+        "185.89.218.11",
+        "185.89.219.11",
+        "2a03:2880:f0fc:b:face:b00c:0:99",
+        "2a03:2880:f0fd:b:face:b00c:0:99",
+        "2a03:2880:f1fc:b:face:b00c:0:99",
+        "2a03:2880:f1fd:b:face:b00c:0:99"
+      ],
       "response_code": "0"
     },
     "host": {
@@ -93,6 +110,17 @@
         "connect.facebook.net",
         "test-PC"
       ],
+      "ip": [
+        "129.134.30.11",
+        "129.134.31.11",
+        "157.240.21.20",
+        "185.89.218.11",
+        "185.89.219.11",
+        "2a03:2880:f0fc:b:face:b00c:0:99",
+        "2a03:2880:f0fd:b:face:b00c:0:99",
+        "2a03:2880:f1fc:b:face:b00c:0:99",
+        "2a03:2880:f1fd:b:face:b00c:0:99"
+      ],
       "user": [
         "test"
       ]

SekoiaIO/endpoint/tests/dns_results_without_ip.json

@@ -0,0 +1,91 @@
+{
+  "input": {
+    "message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"<nil>\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": [\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}"
+  },
+  "expected": {
+    "message": "{\"destination\": {\"ip\": \"9e95:9c30:9793:ae93:1f19:7159:d3e1:303c\", \"port\": 49878}, \"dns\": {\"answers\": [{\"data\": \"self-events-data.trafficmanager.net\", \"name\": \"self.events.data.microsoft.com\", \"type\": \"CNAME\", \"ttl\": 71}], \"question\": {\"name\": \"self.events.data.microsoft.com\", \"type\": \"Unknown\", \"class\": \"IN\"}, \"response_code\": \"No Error\", \"type\": \"answer\", \"resolved_ip\": [\"<nil>\"], \"header_flags\": [\"RD\", \"RA\"], \"op_code\": \"Query\", \"id\": 19552}, \"event\": {\"action\": \"dns-query-result\", \"provider\": \"SEKOIA-IO-Endpoint\", \"outcome\": \"success\", \"category\": [\"network\"], \"type\": [\"connection\", \"protocol\"], \"code\": 22, \"start\": \"2024-12-13T07:06:37.188885Z\", \"end\": \"2024-12-13T07:06:37.188887Z\"}, \"agent\": {\"id\": \"d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c\", \"version\": \"v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133\"}, \"host\": {\"os\": {\"type\": \"macos\"}, \"hostname\": \"EXAMPLE.local\", \"ip\": [\"192.0.0.2\"]}, \"network\": {\"transport\": \"udp\"}, \"source\": {\"ip\": \"0968:447b:0692:f381:0337:cafd:40e8:9123\", \"port\": 53}, \"timestamp\": \"2024-12-13T07:06:37.188887Z\", \"sekoiaio\": {\"repeat\": {\"count\": 1}}}",
+    "event": {
+      "action": "dns-query-result",
+      "category": [
+        "network"
+      ],
+      "code": "22",
+      "end": "2024-12-13T07:06:37.188887Z",
+      "outcome": "success",
+      "provider": "SEKOIA-IO-Endpoint",
+      "start": "2024-12-13T07:06:37.188885Z",
+      "type": [
+        "connection",
+        "protocol"
+      ]
+    },
+    "action": {
+      "outcome": "success"
+    },
+    "agent": {
+      "id": "d6285cf5d51861d13acbb34971e6b72e8e91fbcfcce44cfc5a9f1d45c8f0510c",
+      "version": "v1.6.2+16cc9687c5b8fc0a32da4a766fa726a4df90c133"
+    },
+    "destination": {
+      "address": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c",
+      "ip": "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c",
+      "port": 49878
+    },
+    "dns": {
+      "answers": [
+        {
+          "data": "self-events-data.trafficmanager.net",
+          "name": "self.events.data.microsoft.com",
+          "ttl": 71,
+          "type": "CNAME"
+        }
+      ],
+      "id": "19552",
+      "op_code": "Query",
+      "question": {
+        "class": "IN",
+        "name": "self.events.data.microsoft.com",
+        "registered_domain": "microsoft.com",
+        "subdomain": "self.events.data",
+        "top_level_domain": "com",
+        "type": "Unknown"
+      },
+      "response_code": "No Error",
+      "type": "answer"
+    },
+    "host": {
+      "hostname": "EXAMPLE.local",
+      "ip": [
+        "192.0.0.2"
+      ],
+      "name": "EXAMPLE.local",
+      "os": {
+        "type": "macos"
+      }
+    },
+    "network": {
+      "transport": "udp"
+    },
+    "related": {
+      "hosts": [
+        "EXAMPLE.local",
+        "self.events.data.microsoft.com"
+      ],
+      "ip": [
+        "192.0.0.2",
+        "968:447b:692:f381:337:cafd:40e8:9123",
+        "9e95:9c30:9793:ae93:1f19:7159:d3e1:303c"
+      ]
+    },
+    "sekoiaio": {
+      "repeat": {
+        "count": 1
+      }
+    },
+    "source": {
+      "address": "968:447b:692:f381:337:cafd:40e8:9123",
+      "ip": "968:447b:692:f381:337:cafd:40e8:9123",
+      "port": 53
+    }
+  }
+}