From 9af7b5bba12e40cd57f70313ec793d02b4095dcf Mon Sep 17 00:00:00 2001 
From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Thu, 7 Nov 2024 14:21:18 +0530 Subject: [PATCH] AlertSchemaParsers --- .../convertKqlFunctionYamlToArmTemplate.yaml | 1 + .../runAsimSchemaAndDataTesters.yaml | 1 + .script/getModifiedASimSchemas.ps1 | 2 +- .../asimParsersTest/ASimFilteringTest.py | 14 + .../ASimAlertTemplate.yaml | 30 ++ .../ASimAuditEventTemplate.yaml | 6 +- .../ASimAuthenticationTemplate.yaml | 6 +- .../ASimDhcpEventTemplate.yaml | 4 +- .../ASimDnsTemplate.yaml | 6 +- .../ASimFileEventTemplate.yaml | 6 +- .../ASimNetworkSessionTemplate.yaml | 6 +- .../ASimProcessEventTemplate.yaml | 6 +- .../ASimRegistryEventTemplate.yaml | 6 +- .../ASimUserManagementTemplate.yaml | 6 +- .../ASimWebSessionTemplate.yaml | 6 +- .../vimAlertTemplate.yaml | 82 ++++++ .../vimAuditEventTemplate.yaml | 6 +- .../vimAuthenticationTemplate.yaml | 6 +- .../vimDhcpEventTemplate.yaml | 4 +- .../Parser YAML templates/vimDnsTemplate.yaml | 6 +- .../vimFileEventTemplate.yaml | 6 +- .../vimNetworkSessionTemplate.yaml | 6 +- .../vimProcessEventTemplate.yaml | 6 +- .../vimRegistryEventTemplate.yaml | 6 +- .../vimUserManagementTemplate.yaml | 6 +- .../vimWebSessionTemplate.yaml | 6 +- .../Parsers/ASimAlertEvent.yaml | 36 +++ .../ASimAlertEventMicrosoftDefenderXDR.yaml | 211 ++++++++++++++ .../ASimAlertEventSentinelOneSingularity.yaml | 113 +++++++ .../ASimAlertEvent/Parsers/imAlertEvent.yaml | 78 +++++ .../Parsers/vimAlertEventEmpty.yaml | 129 ++++++++ .../vimAlertEventMicrosoftDefenderXDR.yaml | 275 ++++++++++++++++++ .../vimAlertEventSentinelOneSingularity.yaml | 176 +++++++++++ 33 files changed, 1205 insertions(+), 59 deletions(-) create mode 100644 ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml create mode 100644 ASIM/dev/Parser YAML templates/vimAlertTemplate.yaml create mode 100644 Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml create mode 100644 Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml create mode 100644 
Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml
create mode 100644 Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
create mode 100644 Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml
create mode 100644 Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml
create mode 100644 Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml
diff --git a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
index 37ecc164f8b..0aa38dbf804 100644
--- a/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
+++ b/.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml
@@ -15,6 +15,7 @@ on:
 - 'Parsers/ASimRegistryEvent/Parsers/**'
 - 'Parsers/ASimUserManagement/Parsers/**'
 - 'Parsers/ASimDhcpEvent/Parsers/**'
+ - 'Parsers/ASimAlertEvent/Parsers/**'
 env:
 GITHUB_APPS_ID: "${{ secrets.APPLICATION_ID }}"
diff --git a/.github/workflows/runAsimSchemaAndDataTesters.yaml b/.github/workflows/runAsimSchemaAndDataTesters.yaml
index 9f716006edd..42ed83b6542 100644
--- a/.github/workflows/runAsimSchemaAndDataTesters.yaml
+++ b/.github/workflows/runAsimSchemaAndDataTesters.yaml
@@ -17,6 +17,7 @@ on:
 - 'Parsers/ASimRegistryEvent/Parsers/**'
 - 'Parsers/ASimUserManagement/Parsers/**'
 - 'Parsers/ASimDhcpEvent/Parsers/**'
+ - 'Parsers/ASimAlertEvent/Parsers/**'
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
diff --git a/.script/getModifiedASimSchemas.ps1 b/.script/getModifiedASimSchemas.ps1
index c2db14a067e..279d0801fc5 100644
--- a/.script/getModifiedASimSchemas.ps1
+++ b/.script/getModifiedASimSchemas.ps1
@@ -1,5 +1,5 @@
 function getModifiedAsimSchemas() {
- $schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent", "ASimAuditEvent", "ASimAuthentication", "ASimFileEvent", "ASimRegistryEvent","ASimUserManagement","ASimDhcpEvent")
+ $schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent", "ASimAuditEvent", "ASimAuthentication", "ASimFileEvent", "ASimRegistryEvent","ASimUserManagement","ASimDhcpEvent","ASimAlertEvent")
 $modifiedSchemas = @()
 foreach ($schema in $schemas) {
 $filesThatWereChanged= Invoke-Expression "git diff origin/master --name-only -- $($PSScriptRoot)/../Parsers/$($schema)/Parsers"
diff --git a/.script/tests/asimParsersTest/ASimFilteringTest.py b/.script/tests/asimParsersTest/ASimFilteringTest.py
index cdfc025b76e..df6bfbb4b6e 100644
--- a/.script/tests/asimParsersTest/ASimFilteringTest.py
+++ b/.script/tests/asimParsersTest/ASimFilteringTest.py
@@ -843,6 +843,20 @@ def send_query(self, query_str):
 "targetappname_has_any" : "TargetAppName",
 "username_has_any" : "User"
 },
+ "AlertEvent" :
+ {
+ "disabled" : "",
+ "endtime" : "EventEndTime",
+ "starttime" : "EventStartTime",
+ "ipaddr_has_any_prefix" : "DvcIpAddr",
+ "hostname_has_any" : "DvcHostname",
+ "username_has_any" : "Username",
+ "attacktactics_has_any" : "AttackTactics",
+ "attacktechniques_has_any" : "AttackTechniques",
+ "threatcategory_has_any" : "ThreatCategory",
+ "alertverdict_has_any" : "AlertVerdict",
+ "eventseverity_has_any" : "EventSeverity",
+ },
 "DhcpEvent" :
 {
 "disabled" : "",
diff --git a/ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml
new file mode 100644
index 00000000000..d5f96798b19
--- /dev/null
+++ b/ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml
@@ -0,0 +1,30 @@
+Parser:
+ Title: Alert event ASIM parser for
+ Version: '0.1.0'
+ LastUpdated:
+Product:
+ Name:
+Normalization:
+ Schema: AlertEvent
+ Version: ''
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the logs to the ASIM 'Alert' normalized schema.
+ParserName:
+EquivalentBuiltInParser: <_ASim_AlertEvent_Vendor+Product>
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled:bool = false
+ )
+ {
+
+ };
+ parser (disabled = disabled)
diff --git a/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml
index 2f8ec699ed3..35e359b4374 100644
--- a/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: ASIM Audit Event parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing the logs to the ASIM Audit Event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_AuditEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_AuditEvent_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml
index 44a226ee176..8e0f5393134 100644
--- a/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: ASIM Authentication parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
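Review bot: The new template's second reference link, `Link: https:/aka.ms/AboutASIM`, is missing the second slash after the scheme and is not a valid URL; the new parser files in this same commit (ASimAlertEvent.yaml and the two source-specific parsers) use `https://aka.ms/AboutASIM`, so the template should match: `  Link: https://aka.ms/AboutASIM`. The new vimAlertTemplate.yaml carries the same malformed link. Several of the older templates touched here show the same typo in their context lines, which is presumably where it was copied from, but those lines are not part of this change.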
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing the logs to the ASIM Authentication normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_Authentication_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_Authentication_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml
index 9701611d7d3..e6d0f702dbf 100644
--- a/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing logs to the ASIM Dhcp normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_DhcpEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml
index c0ce303cec3..4b528a04936 100644
--- a/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: DNS activity ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https://aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing the logs to the ASIM DNS activity normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_Dns_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_Dns_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml
index 9b60011a994..feb51701aec 100644
--- a/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml
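Review bot: The new placeholder `EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product` in ASimDhcpEventTemplate.yaml is missing its closing `>`, unlike every other template updated in this commit; it should read `EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product>`. The ASimWebSessionTemplate.yaml hunk has the same omission (`<_ASim_WebSession_Vendor+Product`). Anyone starting a parser from either template would otherwise carry the truncated placeholder into the parser's metadata.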
+++ b/ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: File events ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https://aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing the logs to the ASIM file activity normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_FileEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_FileEvent_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml
index 516be25e466..9d13fe70153 100644
--- a/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Network Session ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing logs to the ASIM Network Session normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_NetworkSession_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_NetworkSession_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml
index 5fb4ab297c6..4d323e6cc4b 100644
--- a/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Process event ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ references:
 Link: https:/aka.ms/AboutASIM
 Description:
 This ASIM parser supports normalizing the logs to the ASIM process event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_ProcessEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_ProcessEvent_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml
index 9b2d1aaf059..f7fc02357af 100644
--- a/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Registry Event ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing logs to the ASIM Registry event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_RegistryEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_RegistryEvent_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml
index 25aee7cfddd..20e8ffbac02 100644
--- a/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: User Management activity ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https://aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing the logs to the ASIM User Management activity normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_UserManagement_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_UserManagement_Vendor+Product>
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml
index abbeb912d92..ce935389811 100644
--- a/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Web Session ASIM parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM parser supports normalizing logs to the ASIM Web Session normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_ASim_WebSession_Product>
+ParserName:
+EquivalentBuiltInParser: <_ASim_WebSession_Vendor+Product
 ParserParams:
 - Name: disabled
 Type: bool
diff --git a/ASIM/dev/Parser YAML templates/vimAlertTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAlertTemplate.yaml
new file mode 100644
index 00000000000..f82271cfa02
--- /dev/null
+++ b/ASIM/dev/Parser YAML templates/vimAlertTemplate.yaml
@@ -0,0 +1,82 @@
+Parser:
+ Title: Alert Event ASIM filtering parser for
+ Version: '0.1.0'
+ LastUpdated:
+Product:
+ Name:
+Normalization:
+ Schema: AlertEvent
+ Version: ''
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This ASIM filtering parser supports normalizing the logs to the ASIM Alert normalized schema.
+ParserName:
+EquivalentBuiltInParser: <_Im_AlertEvent_Vendor+Product>
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: ipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: hostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: username_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktactics_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: attacktechniques_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: threatcategory_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: alertverdict_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventseverity_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ ipaddr_has_any_prefix: dynamic=dynamic([]),
+ hostname_has_any: dynamic=dynamic([]),
+ username_has_any: dynamic=dynamic([]),
+ attacktactics_has_any: dynamic=dynamic([]),
+ attacktechniques_has_any: dynamic=dynamic([]),
+ threatcategory_has_any: dynamic=dynamic([]),
+ alertverdict_has_any: dynamic=dynamic([]),
+ eventseverity_has_any: dynamic=dynamic([]),
+ disabled:bool=false
+ )
+ {
+
+ };
+ parser (
+ starttime = starttime,
+ endtime = endtime,
+ ipaddr_has_any_prefix = ipaddr_has_any_prefix,
+ hostname_has_any = hostname_has_any,
+ username_has_any = username_has_any,
+ attacktactics_has_any = attacktactics_has_any,
+ attacktechniques_has_any = attacktechniques_has_any,
+ threatcategory_has_any = threatcategory_has_any,
+ alertverdict_has_any = alertverdict_has_any,
+ eventseverity_has_any = eventseverity_has_any,
+ disabled = disabled
+ )
diff --git a/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml
index 3b4a2fc7d01..28fbaca7695 100644
--- a/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Audit Event ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports normalizing the logs to the ASIM Audit Event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_AuditEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_AuditEvent_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml b/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml
index 5df2091d903..b9f093f108b 100644
--- a/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Authentication ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports filtering and normalizing the logs to the ASIM authentication normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_Authentication_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_Authentication_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml
index 4a10b9ee264..a07c0f1a862 100644
--- a/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports filtering and normalizing the logs to the ASIM authentication normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_DhcpEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_DhcpEvent_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml b/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml
index 8d85587e4f2..bb4cdd22515 100644
--- a/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimDnsTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: DNS activity ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https://aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports filtering and normalizing the logs to the ASIM DNS activity normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_Dns_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_Dns_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml
index d153ea2c5f1..c3fa3de879e 100644
--- a/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimFileEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: File events ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
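Review bot: The context line directly above the rewritten ParserName/EquivalentBuiltInParser pair in vimDhcpEventTemplate.yaml still describes the template as normalizing "to the ASIM authentication normalized schema", which reads as a copy-paste leftover from the Authentication template rather than anything this DHCP template does. Since the commit is already editing this block of the file, it is a cheap moment to fix the wording, for example `  This ASIM filtering parser supports filtering and normalizing the logs to the ASIM DhcpEvent normalized schema.`. This is an existing line rather than one introduced here, so it is a suggestion, not a blocker.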
@@ -14,8 +14,8 @@ References:
 Link: https://aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports normalizing the logs to the ASIM file activity normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_FileEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_FileEvent_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml
index 43cb268866d..8d238ca37a3 100644
--- a/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimNetworkSessionTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Network Session ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports filtering and normalizing logs to the ASIM Network Session normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_NetworkSession_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_NetworkSession_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml
index 6d29557cbdf..23f09bdace1 100644
--- a/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimProcessEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Process event ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ references:
 Link: https:/aka.ms/AboutASIM
 Description:
 This ASIM filtering parser supports normalizing the logs to the ASIM process event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_ProcessEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_ProcessEvent_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml b/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml
index 0c3c985f48d..1b5b8142965 100644
--- a/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimRegistryEventTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Registry Event ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports normalizing logs to the ASIM Registry event normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_RegistryEvent_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_RegistryEvent_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml b/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml
index fcbc9181939..4d13c60d852 100644
--- a/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimUserManagementTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: User Management activity ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https://aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports normalizing the logs to the ASIM User Management activity normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_UserManagement_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_UserManagement_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml b/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml
index a2291be6ded..b958e0e61b9 100644
--- a/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml
+++ b/ASIM/dev/Parser YAML templates/vimWebSessionTemplate.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Web Session ASIM filtering parser for
- Version: ''
+ Version: '0.1.0'
 LastUpdated:
 Product:
 Name:
@@ -14,8 +14,8 @@ References:
 Link: https:/aka.ms/AboutASIM
 Description: |
 This ASIM filtering parser supports filtering and normalizing logs to the ASIM Web Session normalized schema.
-ParserName:
-EquivalentBuiltInParser: <_Im_WebSession_Product>
+ParserName:
+EquivalentBuiltInParser: <_Im_WebSession_Vendor+Product>
 ParserParams:
 - Name: starttime
 Type: datetime
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
new file mode 100644
index 00000000000..c2a89f06e56
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
@@ -0,0 +1,36 @@
+Parser:
+ Title: Alert Event ASIM parser
+ Version: '0.1.0'
+ LastUpdated: Oct 18, 2024
+Product:
+ Name: Source agnostic
+Normalization:
+ Schema: AlertEvent
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing Alert logs from all supported sources to the ASIM Alert normalized schema.
+ParserName: ASimAlertEvent
+EquivalentBuiltInParser: _ASim_AlertEvent
+Parsers:
+ - _Im_AlertEvent_Empty
+ - _ASim_AlertEvent_MicrosoftDefenderXDR
+ - _ASim_AlertEvent_SentinelOneSingularity
+ParserParams:
+ - Name: pack
+ Type: bool
+ Default: false
+ParserQuery: |
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
+ let ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers));
+ let parser=(pack:bool=false){
+ union isfuzzy=true
+ vimAlertEventEmpty,
+ ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),
+ ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))
+ };
+ parser (pack=pack)
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml
new file mode 100644
index 00000000000..00b2d8ca3f7
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml
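Review bot: `let parser=(pack:bool=false){ ... }` declares `pack` but nothing in the body reads it, and `parser (pack=pack)` forwards it to nothing; the two source-specific parsers are invoked with `disabled=` only. If keeping `pack` is deliberate parity with the other ASim union parsers, a one-line comment on the `let parser` line would spare the next reader the same check, e.g. `// pack is accepted for signature parity with the other ASim union parsers and is not used here`. The sibling union parsers are not in this diff, so if they do forward `pack` to their source parsers, this one should as well.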
@@ -0,0 +1,211 @@
+Parser:
+ Title: Alert Event ASIM parser for Microsoft Defender XDR
+ Version: '0.1.0'
+ LastUpdated: Oct 09, 2024
+Product:
+ Name: Microsoft Defender XDR
+Normalization:
+ Schema: AlertEvent
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema.
+ParserName: ASimAlertEventMicrosoftDefenderXDR
+EquivalentBuiltInParser: _ASim_AlertEvent_MicrosoftDefenderXDR
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)
+ [
+ "User", "User",
+ "Machine", "Host",
+ "Process", "Process",
+ "File", "File",
+ "Ip", "Ip",
+ "Url", "Url",
+ "RegistryValue", "Registry",
+ "CloudLogonSession", "LogonSession",
+ "CloudApplication", "Application",
+ "Mailbox", "Mailbox",
+ "MailMessage", "Email",
+ "CloudResource", "Cloud Resource"
+ ];
+ let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)
+ [
+ "Related", "Associated",
+ "Impacted", "Targeted"
+ ];
+ let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)
+ [
+ "ExpandString", "Reg_Expand_Sz"
+ ];
+ let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)
+ [
+ "Malicious", "True Positive",
+ "Suspicious", "True Positive",
+ "NoThreatsFound", "Benign Positive"
+ ];
+ let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]);
+ let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]);
+ let parser = (
+ disabled: bool=false) {
+ AlertEvidence
+ | where not(disabled)
+ // Mapping Inspection Fields
+ | extend
+ EventUid = AlertId,
+ AlertName = Title,
+ AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),
+ AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),
+ AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""),
+ AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),
+ AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""),
+ DetectionMethod = DetectionSource
+ | lookup AlertVerdictLookup on AlertVerdict_Custom
+ | lookup IndicatorTypeLookup on EntityType
+ | lookup IndicatorAssociationLookup on EvidenceRole
+ // Mapping Threat Fields
+ | extend
+ ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "")
+ // Mapping User Entity
+ | extend
+ UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),
+ UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),
+ Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),
+ UserSessionId = tostring(AdditionalFields.SessionId),
+ UserScopeId = tostring(AdditionalFields.AadTenantId),
+ HttpUserAgent_s = tostring(AdditionalFields.UserAgent)
+ | extend
+ UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")),
+ UserId = coalesce(UserId, UserSid),
+ UserType = _ASIM_GetUserType(Username, UserSid),
+ UsernameType = _ASIM_GetUsernameType(Username)
+ // Mapping Device Entity
+ | extend
+ DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),
+ DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),
+ DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),
+ DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),
+ DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),
+ DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2])))
+ | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "")
+ | invoke _ASIM_ResolveDvcFQDN("DeviceName")
+ // Mapping Additional Fields
+ | extend
+ GeoCity_s = AdditionalFields.Location.City,
+ GeoCountry_s = AdditionalFields.Location.CountryCode,
+ GeoL atitude_s = AdditionalFields.Location.Latitude,
+ GeoLongitude_s = AdditionalFields.Location.Longitude,
+ GeoRegion_s = AdditionalFields.Location.State
+ // Mapping Process Entity
+ | extend
+ ProcessId = AdditionalFields.ProcessId,
+ ProcessCommandLine,
+ ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""),
+ ProcessFileCompany = AdditionalFields.Publisher,
+ // Parent Process Fields
+ ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,
+ ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,
+ ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""),
+ ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,
+ ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,
+ ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5
+ // Mapping File Entity
+ | extend
+ FileName,
+ FileDirectory = FolderPath,
+ FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName),
+ FileSHA1 = SHA1,
+ FileSHA256 = SHA256,
+ FileMD5 = AdditionalFields.FileHashes[1].Value,
+ FileSize = FileSize
+ // Mapping Url Entity
+ | extend
+ Url = RemoteUrl
+ // Mapping Registry Entity
+ | extend
+ RegistryKey,
+ RegistryValue = RegistryValueName,
+ RegistryValueData,
+ ValueType = tostring(AdditionalFields.ValueType)
+ | lookup RegistryValueTypeLookup on ValueType
+ // Mapping Application Entity
+ | extend
+ AppId_s = ApplicationId,
+ AppName_s = Application
+ // Mapping Email Entity
+ | extend
+ EmailMessageId = NetworkMessageId,
+ EmailSubject
+ | extend AdditionalFields = bag_pack(
+ "AlertVerdictDate",
+ AlertVerdictDate_s,
+ "HttpUserAgent",
+ HttpUserAgent_s,
+ "GeoCity",
+ GeoCity_s,
+ "GeoCountry",
+ GeoCountry_s,
+ "GeoLatitude",
+ GeoLatitude_s,
+ "GeoLongitude",
+ GeoLongitude_s,
+ "GeoRegion",
+ GeoRegion_s,
+ "ParentProcessId",
+ ParentProcessId_s,
+ "ParentProcessCommandLine",
+ ParentProcessCommandLine_s,
+ "ParentProcessName",
+ ParentProcessName_s,
+ "ParentProcessSHA256",
+ ParentProcessSHA256_s,
+ "ParentProcessMD5",
+ ParentProcessMD5_s
+ )
+ // Mapping common event fields
+ | extend
+ EventSubType = "Threat", // All events in AlertEvidence contains threat info
+ EventEndTime = TimeGenerated,
+ EventStartTime = TimeGenerated,
+ EventProduct = ServiceSource,
+ EventVendor = 'Microsoft',
+ EventSchema = 'AlertEvent',
+ EventSchemaVersion = '0.1',
+ EventType = 'Alert',
+ EventCount = int(1)
+ // MApping Alias
+ | extend
+ IpAddr = DvcIpAddr,
+ Hostname = DvcHostname,
+ User = Username
+ | project-away
+ Title,
+ Categories,
+ EntityType,
+ EvidenceRole,
+ DetectionSource,
+ ServiceSource,
+ ThreatFamily,
+ RemoteIP,
+ RemoteUrl,
+ AccountName,
+ AccountDomain,
+ DeviceName,
+ LocalIP,
+ AlertVerdict_Custom,
+ EvidenceDirection,
+ Account*,
+ ApplicationId,
+ Application,
+ *_s
+ };
+ parser(
+ disabled = disabled
+ )
\ No newline at end of file
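Review bot: `ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1` is computed but never added to the `bag_pack(...)` that rebuilds AdditionalFields, so the closing `project-away ... *_s` silently drops the parent-process SHA1; add `"ParentProcessSHA1", ParentProcessSHA1_s,` next to the SHA256/MD5 entries. The three parent hash lines also index `ImageFile` as an array (`[0]`, `[2]`, `[1]`) while `ParentProcessName_s` two lines earlier reads `ImageFile.Directory` and `ImageFile.Name` as an object; only one of those shapes can match the real payload, so the indexed reads look likely to evaluate to empty. `FileMD5 = AdditionalFields.FileHashes[1].Value` similarly depends on the MD5 entry's position in the FileHashes array rather than its algorithm, which is fragile if that order is not guaranteed. I cannot confirm the AlertEvidence payload shape from the hunk, so these are worth checking against a sample row before the parser ships.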
diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml
new file mode 100644
index 00000000000..dbd8a8ce831
--- /dev/null
+++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventSentinelOneSingularity.yaml
@@ -0,0 +1,113 @@ +Parser: + Title: Alert Event ASIM parser for SentinelOne Singularity platform + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: SentinelOne +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema. +ParserName: ASimAlertEventSentinelOneSingularity +EquivalentBuiltInParser: _ASim_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string) + [ + "Undefined", "Unknown", + "true_positive", "True Positive", + "suspicious", "True Positive", + "false_positive", "False Positive" + ]; + let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let DetectionMethodLookup = datatable ( + threatInfo_engines_s: string, + DetectionMethod: string + ) + [ + "Intrusion Detection", "Intrusion Detection", + "User-Defined Blocklist", "User Defined Blocked List", + "Reputation", "Reputation" + ]; + let parser = ( + disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + | where event_name_s in ("Threats.") + // Mapping Inspection Fields + | extend + AlertId = threatInfo_threatId_s, + AlertName = threatInfo_threatName_s, + AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active"), + AlertOriginalStatus = threatInfo_incidentStatus_s, + Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s), + ThreatId = threatInfo_threatId_s, + ThreatName = threatInfo_threatName_s, + ThreatFirstReportedTime = threatInfo_identifiedAt_t, + ThreatLastReportedTime = 
threatInfo_updatedAt_t, + ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""), + ThreatOriginalCategory = threatInfo_classification_s + | extend + AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))), + AttackTactics = tostring(extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names))) + | project-away Names + | lookup DetectionMethodLookup on threatInfo_engines_s + | extend analystVerdict_s = threatInfo_analystVerdict_s + | lookup AlertVerdictLookup on analystVerdict_s + // Mapping Dvc Fields + | extend + DvcHostname = agentRealtimeInfo_agentComputerName_s, + DvcOs = agentRealtimeInfo_agentOsName_s, + DvcOsVersion = agentRealtimeInfo_agentOsRevision_s, + DvcId = agentRealtimeInfo_agentId_s, + DvcIdType = "Other", + DvcDomain = agentRealtimeInfo_agentDomain_s, + DvcDomainType = "Windows", + DvcIpAddr = agentDetectionInfo_agentIpV4_s + // Mapping Process Entity + | extend + ProcessCommandLine = threatInfo_maliciousProcessArguments_s, + ProcessName = threatInfo_originatorProcess_s + // Mapping File Fields + | extend + FileMD5 = threatInfo_md5_g, + FileSHA1 = threatInfo_sha1_s, + FileSHA256 = threatInfo_sha256_s, + FilePath=threatInfo_filePath_s, + FileSize = threatInfo_fileSize_d + // Mapping User Fields + | extend + Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s) + | extend UsernameType = _ASIM_GetUsernameType(Username) + // Event Fields + | extend + EventType = 'Alert', + EventOriginalType = event_name_s, + EventUid = threatInfo_threatId_s, + EventCount = int(1), + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 'Singularity', + EventVendor = 'SentinelOne', + EventSchemaVersion = '0.1', + EventSchema = "AlertEvent" + | extend EventSubType = "Threat" + // Aliases + | extend + IpAddr = DvcIpAddr, + User = Username, + Hostname = DvcHostname + | project-away *_s, *_g, SourceSystem, 
ManagementGroupName, Computer, RawData, *_t, *_b, *_d + }; + parser ( + disabled = disabled + ) \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml new file mode 100644 index 00000000000..37661c6cc2b --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml 
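Review bot: `DvcDomainType = "Windows"` is hard-coded in the Dvc mapping while `DvcOs` is taken from `agentRealtimeInfo_agentOsName_s`, so a non-Windows agent is emitted with a domain type that contradicts its own OS field. It should be derived from the OS value, e.g. `DvcDomainType = iif(agentRealtimeInfo_agentOsName_s has "Windows", "Windows", "")` (the exact allowed value set is for the ASIM schema to confirm); the same line appears in the vimAlertEventSentinelOneSingularity hunk of this commit. Separately, `AttackTactics` is built from the regex `"([^T][^0-9]+)"` over the serialized `Names` array, so any indicator name that does not start with `T` is reported as a tactic; if `indicators_s` is JSON, `parse_json` with an explicit field path would be more robust than a regex over the raw string.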
@@ -0,0 +1,78 @@ +Parser: + Title: Alert Event ASIM filtering parser + Version: '0.1.0' + LastUpdated: Mar 11 2024 +Product: + Name: Source agnostic +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports filtering and normalizing Alert logs from all supported sources to the ASIM 'Alert' normalized schema. +ParserName: imAlertEvent +EquivalentBuiltInParser: _Im_AlertEvent +Parsers: + - _Im_AlertEvent_Empty + - _Im_AlertEvent_MicrosoftDefenderXDR + - _Im_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); + let vimBuiltInDisabled=toscalar('ExcludevimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); + let parser=( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + 
username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + pack:bool=false) + { + union isfuzzy=true + vimAlertEventEmpty, + vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers))), + vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))) + }; + parser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml new file mode 100644 index 00000000000..9f0bfe2d900 --- /dev/null 
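Review bot: The final invocation at the end of the hunk passes `srcipaddr_has_any_prefix=srcipaddr_has_any_prefix` and `srchostname_has_any=srchostname_has_any`, but neither name exists in ParserParams or in `parser`'s signature, which declares `ipaddr_has_any_prefix` and `hostname_has_any`; the call should read `ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any`. Likewise `parser` declares `pack:bool=false` and the call passes `pack=pack`, yet ParserParams declares `disabled` rather than `pack`, and `disabled` is never threaded into the function, so the declared parameter has no effect on the union. The watchlist keys `ExcludevimAlertMicrosoftDefenderXDR` and `ExcludevimAlertSentinelOneSingularity` drop the `Event` segment that the source parser names (`vimAlertEventMicrosoftDefenderXDR`) and the schema-level key `ExcludevimAlertEvent` use; if the convention is to mirror the parser name, these keys will never match and the per-source disable switch is dead.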
+++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventEmpty.yaml 
@@ -0,0 +1,129 @@ +Parser: + Title: Alert Event ASIM schema function + Version: '0.1.0' + LastUpdated: Oct 18 2024 +Product: + Name: Microsoft +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This function returns an empty ASIM Dhcp Event schema. +ParserName: vimAlertEventEmpty +EquivalentBuiltInParser: _Im_AlertEvent_Empty +ParserQuery: | + let EmptyAlertEvents =datatable ( + TimeGenerated:datetime + , _ResourceId:string + , Type:string + // ****** Event fields ****** + , AdditionalFields:dynamic + , EventCount:int + , EventType:string + , EventProduct:string + , EventProductVersion:string + , EvenMessage:string + , EventVendor:string + , EventSchema:string + , EventSchemaVersion:string + , EventSeverity:string + , EventOriginalSeverity:string + , EventSubType:string + , EventOriginalUid:string + , EventOwner:string + , EventOriginalType:string + , EventOriginalSubType:string + , EventEndTime:datetime + , EventReportUrl:string + , EventResult:string + , EventStartTime:datetime + , EventUid:string + //****** Device fields ****** + , DvcAction:string, + , DvcDescription:string + , DvcId:string + , DvcIdType:string, + , DvcInterface:string + , DvcHostname:string + , DvcDomain:string + , DvcDomainType:string + , DvcIpAddr:string + , DvcOs:string + , DvcOsVersion:string + , DvcMacAddr:string + , DvcOriginalAction:string + , DvcScope:string + , DvcScopeId:string + , DvcFQDN:string + , DvcZone:string + //****** Inspection fields ****** + , AlertId:string + , AlertName:string + , AlertDescription:string + , AlertStatus:string + , AlertOriginalStatus:string + , AlertVerdict:string + , AttackTactics:string + , AttackTechniques:string + , AttackRemediationSteps:string + , IndicatorType:string + , IndicatorAssociation:string + , DetectionMethod:string + , Rule: string + , RuleNumber:int + , RuleName:string + , 
RuleDescription:string + , ThreatId:string + , ThreatName:string + , ThreatFirstReportedTime:datetime + , ThreatLastReportedTime:datetime + , ThreatCategory:string + , ThreatOriginalCategory:string + , ThreatIsActive:bool + , ThreatRiskLevel:int + , ThreatOriginalRiskLevel:string + , ThreatConfidence:int + , ThreatOriginalConfidence:string + //****** Source User fields ****** + , UserId:string + , UserTdType:string + , Username:string + , UsernameType:string + , UserType:string + , OriginalUserType:string + , SessionId:string + , UserScopeId:string + , UserScope:string + //****** Process fields ****** + , ProcessId:string + , ProcessName:string + , ProcessCommandLine:string + , ProcessFileCompany:string + //****** File fields ****** + , FileName:string + , FilePath:string + , FileSHA1:string + , FileMD5:string + , FileSHA256:string + , FileSize:int + //****** Registry fields ****** + , RegistryKey:string + , RegistryValue:string + , RegistryValueType:string + , RegistryValueData:string + //****** Email fields ****** + , EmailSubject:string + , EmailMessageId:string + //****** Url fields ****** + , Url:string + //****** Aliases ****** + , IpAddr:string + , Hostname:string + , User:string + )[]; + EmptyAlertEvents \ No newline at end of file diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml new file mode 100644 index 00000000000..b494510f4cf --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml 
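Review bot: The datatable column list has two double-comma entries, `, DvcAction:string,` followed by `, DvcDescription:string` and `, DvcIdType:string,` followed by `, DvcInterface:string`, which is a syntax error; drop the trailing commas. Column names `EvenMessage` and `UserTdType` look like typos for `EventMessage` and `UserIdType`, and the schema omits columns the source parsers in this commit emit (`UserSid`, `UserSessionId`, `UserIdType`, `FileDirectory`) while declaring `SessionId` instead, so the `union isfuzzy=true` in `imAlertEvent` will yield a column set that differs from this "empty" schema. The Description still reads `This function returns an empty ASIM Dhcp Event schema.`; it should say `Alert Event`.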
@@ -0,0 +1,275 @@ +Parser: + Title: Alert Event ASIM filtering parser for Microsoft Defender XDR + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: Microsoft Defender XDR +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing and filtering the Microsoft Defender XDR logs to the ASIM Alert normalized schema. +ParserName: vimAlertEventMicrosoftDefenderXDR +EquivalentBuiltInParser: _Im_AlertEvent_MicrosoftDefenderXDR +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) + [ + "User", "User", + "Machine", "Host", + "Process", "Process", + "File", "File", + "Ip", "Ip", + "Url", "Url", + "RegistryValue", "Registry", + "CloudLogonSession", "LogonSession", + "CloudApplication", "Application", + "Mailbox", "Mailbox", + "MailMessage", "Email", + "CloudResource", "Cloud Resource" + ]; + let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) + [ + "Related", "Associated", + "Impacted", "Targeted" + ]; + let RegistryValueTypeLookup = datatable (ValueType: string, 
RegistryValueType: string) + [ + "ExpandString", "Reg_Expand_Sz" + ]; + let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) + [ + "Malicious", "True Positive", + "Suspicious", "True Positive", + "NoThreatsFound", "Benign Positive" + ]; + let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); + let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false) { + AlertEvidence + | where not(disabled) + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix))) + and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any))) + and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any))) + and 
((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any))) + and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any))) + // ThreatCategory filtering done later in the parser + // AlertVerdict filtering done later in the parser + and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser. + // Mapping Inspection Fields + | extend + EventUid = AlertId, + AlertName = Title, + AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), + AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), + AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), + AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), + AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), + DetectionMethod = DetectionSource + | lookup AlertVerdictLookup on AlertVerdict_Custom + // Filter for AlertVerdict + | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any))) + | lookup IndicatorTypeLookup on EntityType + | lookup IndicatorAssociationLookup on EvidenceRole + // Mapping Threat Fields + | extend + ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") + // Filter for ThreatCategory + | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any))) + // Mapping User Entity + | extend + UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), + UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), + Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), + UserSessionId = tostring(AdditionalFields.SessionId), + UserScopeId = 
tostring(AdditionalFields.AadTenantId), + HttpUserAgent_s = tostring(AdditionalFields.UserAgent) + | extend + UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), + UserId = coalesce(UserId, UserSid), + UserType = _ASIM_GetUserType(Username, UserSid), + UsernameType = _ASIM_GetUsernameType(Username) + // Mapping Device Entity + | extend + DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), + DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), + DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)), + DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), + DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), + DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) + | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") + | invoke _ASIM_ResolveDvcFQDN("DeviceName") + // Mapping Additional Fields + | extend + GeoCity_s = AdditionalFields.Location.City, + GeoCountry_s = AdditionalFields.Location.CountryCode, + GeoLatitude_s = AdditionalFields.Location.Latitude, + GeoLongitude_s = AdditionalFields.Location.Longitude, + GeoRegion_s = AdditionalFields.Location.State + // Mapping Process Entity + | extend + ProcessId = AdditionalFields.ProcessId, + ProcessCommandLine, + ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), + ProcessFileCompany = AdditionalFields.Publisher, + // Parent Process Fields + ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, + ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, + ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and 
isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), + ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, + ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, + ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 + // Mapping File Entity + | extend + FileName, + FileDirectory = FolderPath, + FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), + FileSHA1 = SHA1, + FileSHA256 = SHA256, + FileMD5 = AdditionalFields.FileHashes[1].Value, + FileSize = FileSize + // Mapping Url Entity + | extend + Url = RemoteUrl + // Mapping Registry Entity + | extend + RegistryKey, + RegistryValue = RegistryValueName, + RegistryValueData, + ValueType = tostring(AdditionalFields.ValueType) + | lookup RegistryValueTypeLookup on ValueType + // Mapping Application Entity + | extend + AppId_s = ApplicationId, + AppName_s = Application + // Mapping Email Entity + | extend + EmailMessageId = NetworkMessageId, + EmailSubject + | extend AdditionalFields = bag_pack( + "AlertVerdictDate", + AlertVerdictDate_s, + "HttpUserAgent", + HttpUserAgent_s, + "GeoCity", + GeoCity_s, + "GeoCountry", + GeoCountry_s, + "GeoLatitude", + GeoLatitude_s, + "GeoLongitude", + GeoLongitude_s, + "GeoRegion", + GeoRegion_s, + "ParentProcessId", + ParentProcessId_s, + "ParentProcessCommandLine", + ParentProcessCommandLine_s, + "ParentProcessName", + ParentProcessName_s, + "ParentProcessSHA256", + ParentProcessSHA256_s, + "ParentProcessMD5", + ParentProcessMD5_s + ) + // Mapping common event fields + | extend + EventSubType = "Threat", // All events in AlertEvidence contains threat info + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 
ServiceSource, + EventVendor = 'Microsoft', + EventSchema = 'AlertEvent', + EventSchemaVersion = '0.1', + EventType = 'Alert', + EventCount = int(1) + // MApping Alias + | extend + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + User = Username + | project-away + Title, + Categories, + EntityType, + EvidenceRole, + DetectionSource, + ServiceSource, + ThreatFamily, + RemoteIP, + RemoteUrl, + AccountName, + AccountDomain, + DeviceName, + LocalIP, + AlertVerdict_Custom, + EvidenceDirection, + Account*, + ApplicationId, + Application, + *_s + }; + parser( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + disabled = disabled + ) diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml new file mode 100644 index 00000000000..564c4d88696 --- /dev/null +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventSentinelOneSingularity.yaml 
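Review bot: `FileMD5 = AdditionalFields.FileHashes[1].Value` in the File Entity mapping selects a hash by array position rather than by its algorithm, so if `FileHashes` is ordered differently or has a single element a SHA1 or SHA256 lands in `FileMD5` and silently breaks hash-based indicator matching downstream; the parent-process lines have the same problem, and additionally treat `AdditionalFields.ParentProcess.ImageFile` as an object (`.ImageFile.Directory`, `.ImageFile.Name`) on one line and as an array (`ImageFile[0].SHA1`, `ImageFile[2].SHA256`, `ImageFile[1].MD5`) on the next, so at least one of the two cannot be right. Selecting by algorithm, e.g. with `mv-apply` over `FileHashes` filtered on its algorithm property (name to confirm against the AlertEvidence schema), or reading named `SHA1`/`SHA256`/`MD5` properties, would be safer. `ParentProcessSHA1_s` is also computed but not included in the `bag_pack`, so `project-away *_s` drops it. Finally, `DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP)` falls back to the remote address for the device IP, so an `Ip` evidence entity with no local address is reported (and surfaced via the `IpAddr` alias) as the device's own address; leaving `DvcIpAddr` empty in that case avoids misattributing a remote IP to the host.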
@@ -0,0 +1,176 @@ +Parser: + Title: Alert Event ASIM filtering parser for SentinelOne Singularity platform + Version: '0.1.0' + LastUpdated: Oct 09, 2024 +Product: + Name: SentinelOne +Normalization: + Schema: AlertEvent + Version: '0.1' +References: +- Title: ASIM Alert Schema + Link: https://aka.ms/ASimAlertEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing and filtering the SentinelOne alerts to the ASIM Alert normalized schema. +ParserName: vimAlertEventSentinelOneSingularity +EquivalentBuiltInParser: _Im_AlertEvent_SentinelOneSingularity +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: ipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: hostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktactics_has_any + Type: dynamic + Default: dynamic([]) + - Name: attacktechniques_has_any + Type: dynamic + Default: dynamic([]) + - Name: threatcategory_has_any + Type: dynamic + Default: dynamic([]) + - Name: alertverdict_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventseverity_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string) + [ + "Undefined", "Unknown", + "true_positive", "True Positive", + "suspicious", "True Positive", + "false_positive", "False Positive" + ]; + let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let DetectionMethodLookup = datatable ( + threatInfo_engines_s: string, + DetectionMethod: string + ) + [ + "Intrusion Detection", "Intrusion 
Detection", + "User-Defined Blocklist", "User Defined Blocked List", + "Reputation", "Reputation" + ]; + let parser = (starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false) { + SentinelOne_CL + | where not(disabled) + | where event_name_s in ("Threats.") + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(agentDetectionInfo_agentIpV4_s, ipaddr_has_any_prefix))) + and ((array_length(hostname_has_any) == 0) or (agentRealtimeInfo_agentComputerName_s has_any (hostname_has_any))) + //and ((array_length(username_has_any) == 0) or (agentDetectionInfo_agentLastLoggedInUpn_s has_any (username_has_any)) or (threatInfo_processUser_s has_any (username_has_any))) + and ((array_length(attacktactics_has_any) == 0) or (indicators_s has_any (attacktactics_has_any))) + and ((array_length(attacktechniques_has_any) == 0) or (indicators_s has_any (attacktechniques_has_any))) + // ThreatCategory filtering done later in the parser + // AlertVerdict filtering done later in the parser + and (array_length(eventseverity_has_any) == 0) // EventSeverity details not coming from source + // Mapping Inspection Fields + | extend + AlertId = threatInfo_threatId_s, + AlertName = threatInfo_threatName_s, + AlertStatus = iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active"), + AlertOriginalStatus = threatInfo_incidentStatus_s, + Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s), + ThreatId = threatInfo_threatId_s, + ThreatName = 
threatInfo_threatName_s, + ThreatFirstReportedTime = threatInfo_identifiedAt_t, + ThreatLastReportedTime = threatInfo_updatedAt_t, + ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""), + ThreatOriginalCategory = threatInfo_classification_s + // Filter for ThreatCategory + | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any))) + | extend + AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))), + AttackTactics = tostring(extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names))) + | project-away Names + | lookup DetectionMethodLookup on threatInfo_engines_s + | extend analystVerdict_s = threatInfo_analystVerdict_s + | lookup AlertVerdictLookup on analystVerdict_s + // Filter for AlertVerdict + | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any))) + // Mapping Dvc Fields + | extend + DvcHostname = agentRealtimeInfo_agentComputerName_s, + DvcOs = agentRealtimeInfo_agentOsName_s, + DvcOsVersion = agentRealtimeInfo_agentOsRevision_s, + DvcId = agentRealtimeInfo_agentId_s, + DvcIdType = "Other", + DvcDomain = agentRealtimeInfo_agentDomain_s, + DvcDomainType = "Windows", + DvcIpAddr = agentDetectionInfo_agentIpV4_s + // Mapping Process Entity + | extend + ProcessCommandLine = threatInfo_maliciousProcessArguments_s, + ProcessName = threatInfo_originatorProcess_s + // Mapping File Fields + | extend + FileMD5 = threatInfo_md5_g, + FileSHA1 = threatInfo_sha1_s, + FileSHA256 = threatInfo_sha256_s, + FilePath=threatInfo_filePath_s, + FileSize = threatInfo_fileSize_d + // Mapping User Fields + | extend + Username = coalesce(agentDetectionInfo_agentLastLoggedInUpn_s, threatInfo_processUser_s) + | extend UsernameType = _ASIM_GetUsernameType(Username) + // Event Fields + | extend + EventType = 'Alert', + EventOriginalType = event_name_s, + EventUid = threatInfo_threatId_s, + 
EventCount = int(1), + EventEndTime = TimeGenerated, + EventStartTime = TimeGenerated, + EventProduct = 'Singularity', + EventVendor = 'SentinelOne', + EventSchemaVersion = '0.1', + EventSchema = "AlertEvent" + | extend EventSubType = "Threat" + // Aliases + | extend + IpAddr = DvcIpAddr, + User = Username, + Hostname = DvcHostname + | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d + }; + parser ( + starttime = starttime, + endtime = endtime, + ipaddr_has_any_prefix = ipaddr_has_any_prefix, + hostname_has_any = hostname_has_any, + username_has_any = username_has_any, + attacktactics_has_any = attacktactics_has_any, + attacktechniques_has_any = attacktechniques_has_any, + threatcategory_has_any = threatcategory_has_any, + alertverdict_has_any = alertverdict_has_any, + eventseverity_has_any = eventseverity_has_any, + disabled = disabled + )
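Review bot: The `username_has_any` filter in the `where` clause is commented out (`//and ((array_length(username_has_any) == 0) or ...)`), so the parameter is accepted here and forwarded by `imAlertEvent` but silently ignored: a caller filtering on a user gets every SentinelOne alert back, unlike the Defender XDR parser in this commit, which applies the same filter. Either restore the line, or apply it once `Username` is computed, `| where ((array_length(username_has_any) == 0) or (Username has_any (username_has_any)))`, which also keeps the filter consistent with the coalesced value the row exposes. If the filter is deliberately unsupported, a comment like the one given for `eventseverity_has_any` should say so rather than leaving dead code.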