diff --git a/ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml b/ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml
new file mode 100644
index 00000000000..74011d9ede8
--- /dev/null
+++ b/ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml
@@ -0,0 +1,30 @@
+Parser:
+ Title: ASIM Alert parser for
+ Version: ''
+ LastUpdated:
+Product:
+ Name:
+Normalization:
+ Schema: Alert
+ Version: ''
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the logs to the ASIM 'Alert' normalized schema.
+ParserName:
+EquivalentBuiltInParser: <_ASim_Alert_Product>
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled:bool = false
+ )
+ {
+
+ };
+ parser (disabled = disabled)
diff --git a/Parsers/ASimAlert/Parsers/ASimAlertDarkTraceDetect.yaml b/Parsers/ASimAlert/Parsers/ASimAlertDarkTraceDetect.yaml
new file mode 100644
index 00000000000..d31c0b8d968
--- /dev/null
+++ b/Parsers/ASimAlert/Parsers/ASimAlertDarkTraceDetect.yaml
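Review bot: The template's query body declares `disabled` but never applies it, so a parser built from this skeleton accepts the parameter and silently ignores it; the DarkTrace and SentinelOne parsers in this commit inherit exactly that gap (neither has a `| where not(disabled)`), while the Defender XDR parser includes the line. Add `| where not(disabled)` as the first operator after the source table in the template body, and in the two parsers. The second reference link in the template also reads `https:/aka.ms/AboutASIM` with a single slash, unlike the same link in the other three files.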
@@ -0,0 +1,123 @@
+Parser:
+ Title: Alert ASIM parser for DarkTrace
+ Version: '0.1.0'
+ LastUpdated: Oct 13, 2024
+Product:
+ Name: DarkTrace
+Normalization:
+ Schema: Alert
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the DarkTrace alerts to the ASIM Alert normalized schema.
+ParserName: ASimAlertDarkTraceDetect
+EquivalentBuiltInParser: _ASim_Alert_DarkTraceDetect
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventSeverity_SystemAlertLookup = datatable(priority_s: string, EventSeverity_SystemAlert_s: string)
+ [
+ "informational", "Informational",
+ "low", "Low",
+ "medium", "Medium",
+ "high", "High",
+ "critical", "High"
+ ];
+ let parser = (
+ disabled: bool = false
+ ) {
+ darktrace_model_alerts_CL
+ // Mapping Alert Fields
+ | extend
+ AlertId = iif(dtProduct_s == "Policy Breach", tostring(threatID_d), ""),
+ AlertName = iif(dtProduct_s == "AI Analyst", title_s, iif(dtProduct_s == "System Alert", name_s, iif(dtProduct_s == "Policy Breach", tostring(modelName_s), ""))),
+ AlertDescription = iif(dtProduct_s == "AI Analyst", summary_s, iif(dtProduct_s == "Policy Breach", description_s, "")),
+ AlertStatus = iif(dtProduct_s == "System Alert", status_s, ""),
+ AlertOriginalStatus = iif(dtProduct_s == "System Alert", statusName_s, ""),
+ AttackTactics = iif(dtProduct_s == "Policy Breach", tostring(extract_all('\"tactics\":\\[\"(.*?)\"\\]', mitreTechniques_s)), ""),
+ AttackTechniques =iif(dtProduct_s == "Policy Breach", tostring(extract_all('\"technique\":\"(.*?)\",\"techniqueID\":\"(.*?)\"', mitreTechniques_s)), "")
+ // Mapping Inspection Field
+ | extend
+ RuleNumber = iif(dtProduct_s == "Policy Breach", pid_d, real(null)),
+ ThreatId = iif(dtProduct_s == "Policy Breach", tostring(threatID_d), ""),
+ ThreatName = iif(dtProduct_s == "Policy Breach", tostring(modelName_s), ""),
+ ThreatRiskLevel = iif(dtProduct_s == "Policy Breach", toint(score_d), int(null))
+ // Mapping Device Fields
+ | extend
+ DvcId = iif(dtProduct_s == "AI Analyst", identifier_s, iif(dtProduct_s == "Policy Breach", tostring(deviceId_d), "")),
+ DvcMacAddr = iif(dtProduct_s == "AI Analyst", mac_s, iif(dtProduct_s == "Policy Breach", sourceMac_s, "")),
+ DvcIpAddr = iif(dtProduct_s in ("AI Analyst","System Alert"), deviceIP_s, iif(dtProduct_s == "Policy Breach", SourceIP, "")),
+ DvcHostname = hostname_s,
+ // Mapping System fields
+ | extend
+ Hostname = DvcHostname,
+ IpAddr = DvcIpAddr,
+ PortNumber = iif(dtProduct_s == "Policy Breach", sourcePort_s, ""),
+ GeoLongitude = iif(dtProduct_s in ("Policy Breach", "AI Analyst"), longitude_d, real(null)),
+ GeoLatitude = iif(dtProduct_s in ("Policy Breach", "AI Analyst"), latitude_d, real(null))
+ // Mapping EventFields
+ | extend
+ EventStartTime = todatetime(replace_string(startTime_s, "th", "")),
+ EventEndTime = todatetime(replace_string(endTime_s, "th", "")),
+ EventReportUrl = iif(dtProduct_s in ("AI Analyst", "System Alert"), url_s, breachUrl_s),
+ EventSeverity_AIAnalyst_s = case(
+ Severity >= 9,
+ "High",
+ Severity >= 6,
+ "Medium",
+ Severity <= 5,
+ "Low",
+ ""
+ ),
+ EventOriginalUid = iif(dtProduct_s in ("Policy Breach", "System Alert"), uuid_g, ""),
+ EventSubType_Category_s = iif(dtProduct_s == "Policy Breach", Category, ""),
+ AdditionalFields = bag_pack(
+ "Compliance",
+ compliance_b,
+ "destIP",
+ destIP_s,
+ "destPort",
+ destPort_s,
+ "destHost",
+ destHost_s,
+ "destMac",
+ destMac_s
+ ),
+ EventType = "Alert",
+ EventOriginalType = dtProduct_s,
+ EventMessage = Message,
+ EventVendor = "DarkTrace",
+ EventProduct = "Detect",
+ EventSchema = "Alert",
+ EventSchemaVersion = '0.1'
+ | lookup EventSeverity_SystemAlertLookup on priority_s
+ | extend
+ EventSeverity = coalesce(EventSeverity_AIAnalyst_s, EventSeverity_SystemAlert_s),
+ EventSubType = case(
+ EventSubType_Category_s == "Critical",
+ "Threat",
+ EventSubType_Category_s == "Suspicious",
+ "Suspicious Activity",
+ ""
+ )
+ | project-away
+ *_s,
+ *_b,
+ *_d,
+ *_g,
+ Computer,
+ RawData,
+ ManagementGroupName,
+ SourceSystem,
+ Severity,
+ Category,
+ SourceIP,
+ Message
+ };
+ parser (disabled = disabled)
diff --git a/Parsers/ASimAlert/Parsers/ASimAlertMicrosoftDefenderXDR.yaml b/Parsers/ASimAlert/Parsers/ASimAlertMicrosoftDefenderXDR.yaml
new file mode 100644
index 00000000000..cb038856313
--- /dev/null
+++ b/Parsers/ASimAlert/Parsers/ASimAlertMicrosoftDefenderXDR.yaml
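Review bot: `DvcHostname = hostname_s,` in the device-field `extend` is followed only by the `// Mapping System fields` comment and then `| extend`, so the trailing comma leaves the operator without a final expression and the query should fail to parse; change it to `DvcHostname = hostname_s`. The `EventSeverity_AIAnalyst_s` case covers `Severity >= 6` and `Severity <= 5`, so any value strictly between 5 and 6, or a null Severity, falls through to `""` — presumably fine if Severity is always an integer, but worth confirming against the source data. `replace_string(startTime_s, "th", "")` strips every `th` from the timestamp string rather than only an ordinal day suffix; if the vendor format is known, a `replace_regex` anchored on the suffix would be safer, and a comment stating the expected input format would help.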
@@ -0,0 +1,172 @@
+Parser:
+ Title: Alert ASIM parser for Microsoft Defender XDR
+ Version: '0.1.0'
+ LastUpdated: Oct 09, 2024
+Product:
+ Name: Microsoft Defender XDR
+Normalization:
+ Schema: Alert
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema.
+ParserName: ASimAlertMicrosoftDefenderXDR
+EquivalentBuiltInParser: _ASim_Alert_MicrosoftDefenderXDR
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)
+ [
+ "User", "User",
+ "Machine", "Device",
+ "Process", "Process",
+ "File", "File",
+ "Ip", "Ip",
+ "Url", "Url",
+ "RegistryValue", "Registry",
+ "CloudLogonSession", "LogonSession",
+ "CloudApplication", "Application",
+ "Mailbox", "Mailbox",
+ "MailMessage", "MailMessage"
+ ];
+ let AlertSourceAnalyticDetailsLookup = datatable (
+ DetectionSource: string,
+ AlertSourceAnalyticDetails: string
+ )
+ [
+ "EDR", "EDR",
+ "Antivirus", "Antivirus",
+ "Microsoft Data Loss Prevention", "DataLossPrevention",
+ "Scheduled Alerts", "ScheduledAlerts",
+ "Cloud App Security", "CloudApplicationSecurity"
+ ];
+ let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)
+ [
+ "Related", "Associated",
+ "Impacted", "Targeted"
+ ];
+ let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)
+ [
+ "ExpandString", "Reg_Expand_Sz"
+ ];
+ let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]);
+ let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]);
+ let parser = (disabled: bool=false) {
+ AlertEvidence
+ | where not(disabled)
+ // Mapping Alert Fields
+ | extend
+ AlertId = AlertId,
+ AlertName = Title,
+ AlertSource = ServiceSource,
+ AlertVerdict = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),
+ AlertVerdictDate = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),
+ AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""),
+ AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),
+ AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), "")
+ | lookup IndicatorTypeLookup on EntityType
+ | lookup IndicatorAssociationLookup on EvidenceRole
+ | lookup AlertSourceAnalyticDetailsLookup on DetectionSource
+ // Mapping Threat Fields
+ | extend
+ ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), ""),
+ ThreatIsActive = iif(isnotempty(AdditionalFields.LastRemediationState), iif(tostring(AdditionalFields.LastRemediationState) == "Active", True, False), bool(null))
+ // Mapping User Entity
+ | extend
+ UserId = coalesce(AccountObjectId, AdditionalFields.Account.AadUserId),
+ UserSid = coalesce(AccountSid, AdditionalFields.Account.Sid),
+ Username = coalesce(AccountUpn, AdditionalFields.Account.UserPrincipalName),
+ SessionId = AdditionalFields.SessionId,
+ UserScopeId = AdditionalFields.AadTenantId
+ // Mapping Device Entity
+ | extend
+ DvcId = coalesce(DeviceId, AdditionalFields.Host.MachineId, AdditionalFields.ObservedbyDevice.MachineId),
+ DvcIpAddr = coalesce(LocalIP, AdditionalFields.Host.IpInterfaces[0].Address, AdditionalFields.ObservedByDevice.IpInterfaces[0].Address),
+ DvcOs = coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily, AdditionalFields.ObservedByDevice.OSFamily),
+ DvcOsVersion = coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion, AdditionalFields.ObservedByDevice.OSFamily),
+ DeviceName = coalesce(DeviceName, AdditionalFields.Host.NetBiosName, AdditionalFields.ObservedByDevice.NetBiosName),
+ DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2])))
+ | invoke _ASIM_ResolveDvcFQDN("DeviceName")
+ // Mapping IP Entity
+ | extend
+ IpAddr = RemoteIP,
+ GeoCity = AdditionalFields.Location.City,
+ GeoCountry = AdditionalFields.Location.CountryCode,
+ GeoLatitude = AdditionalFields.Location.Latitude,
+ GeoLongitude = AdditionalFields.Location.Longitude,
+ GeoRegion = AdditionalFields.Location.State
+ // Mapping Process Entity
+ | extend
+ ProcessId = AdditionalFields.ProcessId,
+ ProcessCommandLine,
+ ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""),
+ ProcessFileCompany = AdditionalFields.Publisher,
+ // Parent Process Fields
+ ParentProcessId = AdditionalFields.ParentProcess.ProcessId,
+ ParentProcessCommandLine = AdditionalFields.ParentProcess.CommandLine,
+ //ParentProcessName = strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name),
+ ParentProcessName = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""),
+ ParentProcessSHA1 = AdditionalFields.ParentProcess.ImageFile[0].SHA1,
+ ParentProcessSHA256 = AdditionalFields.ParentProcess.ImageFile[2].SHA256,
+ ParentProcessMD5 = AdditionalFields.ParentProcess.ImageFile[1].MD5
+ // Mapping File Entity
+ | extend
+ FileName,
+ FileDirectory = FolderPath,
+ FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName),
+ FileSHA1 = SHA1,
+ FileSHA256 = SHA256,
+ FileMD5 = AdditionalFields.FileHashes[1].Value,
+ FileSize = FileSize
+ // Mapping Url Entity
+ | extend
+ Url = RemoteUrl
+ // Mapping Registry Entity
+ | extend
+ RegistryKey,
+ RegistryValue = RegistryValueName,
+ RegistryValueData,
+ ValueType = tostring(AdditionalFields.ValueType)
+ | lookup RegistryValueTypeLookup on ValueType
+ // Mapping Application Entity
+ | extend
+ HttpUserAgent = AdditionalFields.UserAgent,
+ AppId = ApplicationId,
+ AppName = Application
+ // Mapping Email Entity
+ | extend
+ EmailMessageId = NetworkMessageId,
+ EmailSubject
+ // Mapping common event fields
+ | extend
+ EventSubType = "Threat", // All events in AlertEvidence contains threat info
+ EventCount = int(1),
+ EventEndTime = TimeGenerated,
+ EventStartTime = TimeGenerated,
+ EventProduct = 'Defender XDR',
+ EventVendor = 'Microsoft',
+ EventSchemaVersion = '0.1',
+ EventType = 'Alert'
+ | project-away
+ Title,
+ Categories,
+ EntityType,
+ EvidenceRole,
+ DetectionSource,
+ ServiceSource,
+ ThreatFamily,
+ RemoteIP,
+ RemoteUrl,
+ AccountName,
+ AccountDomain,
+ DeviceName,
+ LocalIP,
+ AdditionalFields
+ };
+ parser(disabled=disabled)
diff --git a/Parsers/ASimAlert/Parsers/ASimAlertSentinelOneSingularity.yaml b/Parsers/ASimAlert/Parsers/ASimAlertSentinelOneSingularity.yaml
new file mode 100644
index 00000000000..e1dc76f59fc
--- /dev/null
+++ b/Parsers/ASimAlert/Parsers/ASimAlertSentinelOneSingularity.yaml
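Review bot: `DvcOsVersion` falls back to `AdditionalFields.ObservedByDevice.OSFamily` where the two preceding arguments read `OSVersion`, so the last fallback yields the OS family instead of its version; change it to `AdditionalFields.ObservedByDevice.OSVersion`. In `DvcId` the fallback is spelled `AdditionalFields.ObservedbyDevice.MachineId` while every other reference in the query uses `ObservedByDevice`; dynamic property access is case-sensitive, so that fallback never resolves. `ThreatIsActive` uses `True` and `False`, whereas KQL's boolean literals are the lowercase `true`/`false` — confirm this compiles before merging. The fixed indices `ImageFile[0].SHA1`, `ImageFile[1].MD5`, `ImageFile[2].SHA256` and `FileHashes[1].Value` assume a stable element order in the evidence payload; a comment stating that assumption, or a lookup by hash type, would help the next maintainer.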
@@ -0,0 +1,137 @@
+Parser:
+ Title: Alert ASIM parser for SentinelOne
+ Version: '0.1.0'
+ LastUpdated: Oct 09, 2024
+Product:
+ Name: SentinelOne
+Normalization:
+ Schema: Alert
+ Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+ Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the SentinelOne alerts to the ASIM Alert normalized schema.
+ParserName: ASimAlertSentinelOneSingularity
+EquivalentBuiltInParser: _ASim_Alert_SentinelOneSingularity
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let AlertVerdictLookup = datatable (analystVerdict_s: string, AlertVerdict: string)
+ [
+ "Undefined", "Unknown",
+ "true_positive", "Malicious",
+ "suspicious", "Suspicious",
+ "false_positive", "False Positive"
+ ];
+ let EventSubTypeLookup = datatable (ruleInfo_treatAsThreat_s: string, EventSubType: string)
+ [
+ "Malicious", "Threat",
+ "Suspicious", "Suspicious Activity"
+ ];
+ let ThreatCategoryArray = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]);
+ let AlertSourceAnalyticDetailsLookup = datatable (
+ threatInfo_engines_s: string,
+ AlertSourceAnalyticDetails: string
+ )
+ [
+ "Intrusion Detection", "Intrusion Detection",
+ "User-Defined Blocklist", "User Defined Blocked List",
+ "Reputation", "Reputation"
+ ];
+ let parser = (
+ disabled: bool = false
+ ) {
+ SentinelOne_CL
+ | where event_name_s in ("Alerts.", "Threats.")
+ // Mapping Alert Fields
+ | extend
+ AlertId = iif(event_name_s == "Alerts.", alertInfo_alertId_s, threatInfo_threatId_s),
+ AlertName = iif(event_name_s == "Threats.", threatInfo_threatName_s, ""),
+ AlertStatus = iif(event_name_s == "Alerts.", iif(alertInfo_incidentStatus_s == "Unresolved", "Active", ""), iif(threatInfo_incidentStatus_s == "resolved", "Closed", "Active")),
+ AlertOriginalStatus = iif(event_name_s == "Alerts.", alertInfo_incidentStatus_s, threatInfo_incidentStatus_s),
+ AlertDescription = alertInfo_indicatorDescription_s,
+ Names = extract_all('"name":"([^"]+)"', dynamic([1]), indicators_s)
+ | extend
+ AttackTechniques = tostring(extract_all('"(T[0-9]+\\.[0-9]+|T[0-9]+)"', dynamic([1]), tostring(Names))),
+ AttackTactics = extract_all('"([^T][^0-9]+)"', dynamic([1]), tostring(Names))
+ | project-away Names
+ | lookup AlertSourceAnalyticDetailsLookup on threatInfo_engines_s
+ | extend analystVerdict_s = iif(event_name_s == "Alerts.", alertInfo_analystVerdict_s, threatInfo_analystVerdict_s)
+ | lookup AlertVerdictLookup on analystVerdict_s
+ // Mapping Inspection Fields
+ | extend
+ ThreatId = threatInfo_threatId_s,
+ ThreatName = threatInfo_threatName_s,
+ ThreatIsActive = agentRealtimeInfo_infected_b,
+ ThreatFirstReportedTime = iif(event_name_s == "Alerts.", alertInfo_reportedAt_t, threatInfo_identifiedAt_t),
+ ThreatLastUpdatedTime = iif(event_name_s == "Alerts.", alertInfo_updatedAt_t, threatInfo_updatedAt_t),
+ ThreatCategory = iif(threatInfo_classification_s in (ThreatCategoryArray), threatInfo_classification_s, ""),
+ ThreatOriginalCategory = threatInfo_classification_s,
+ RuleNumber = toint(ruleInfo_id_s),
+ RuleName = ruleInfo_name_s,
+ RuleDescription = ruleInfo_description_s
+ // Mapping Dvc Fields
+ | extend
+ DvcHostname = coalesce(agentDetectionInfo_name_s, agentRealtimeInfo_agentComputerName_s),
+ DvcOs = coalesce(agentDetectionInfo_osName_s, agentRealtimeInfo_agentOsName_s),
+ DvcOsVersion = coalesce(agentDetectionInfo_osRevision_s, agentRealtimeInfo_agentOsRevision_s),
+ DvcId = coalesce(agentRealtimeInfo_id_s, agentRealtimeInfo_agentId_s),
+ DvcDomain = agentRealtimeInfo_agentDomain_s,
+ DvcIpAddr = coalesce(agentDetectionInfo_agentIpV4_s, alertInfo_srcIp_s)
+ // Mapping IP Entity
+ | extend
+ IpAddr = DvcIpAddr,
+ PortNumber = alertInfo_srcPort_s
+ // Mapping Process Entity
+ | extend
+ // Mapping Process Fields
+ ProcessCommandLine = sourceProcessInfo_commandline_s,
+ ProcessName = iif(event_name_s == "Alerts.", sourceProcessInfo_filePath_s, threatInfo_originatorProcess_s),
+ ProcessFileCompany = sourceProcessInfo_fileSignerIdentity_s,
+ ProcessId = sourceProcessInfo_pid_s
+ // Mapping File Fields
+ | extend
+ FileMD5 = coalesce(threatInfo_md5_g,sourceProcessInfo_fileHashMd5_g),
+ FileSHA1 = coalesce(threatInfo_sha1_s,sourceProcessInfo_fileHashSha1_s),
+ FileSHA256 = coalesce(threatInfo_sha256_s,sourceProcessInfo_fileHashSha256_s),
+ FilePath=threatInfo_filePath_s,
+ FileSize = threatInfo_fileSize_d
+ // Mapping User Fields
+ | extend
+ Username = agentDetectionInfo_agentLastLoggedInUpn_s
+ // Event Fields
+ | extend
+ EventOriginalType = event_name_s,
+ EventOriginalUid = alertInfo_dvEventId_s,
+ EventOriginalSubType = alertInfo_eventType_s,
+ EventSeverity = iif(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s),
+ EventCount = int(1),
+ EventEndTime = TimeGenerated,
+ EventStartTime = TimeGenerated,
+ EventProduct = 'Singularity',
+ EventVendor = 'SentinelOne',
+ EventSchemaVersion = '0.1',
+ EventType = 'Alert',
+ AdditionalFields = bag_pack(
+ "ParentProcessCommandLine" = sourceParentProcessInfo_commandline_s,
+ "ParentProcessMD5" = sourceParentProcessInfo_fileHashMd5_g,
+ "ParentProcessSHA1" = sourceParentProcessInfo_fileHashSha1_s,
+ "ParentProcessSHA256" = sourceParentProcessInfo_fileHashSha256_s,
+ "ParentProcessName" = sourceParentProcessInfo_filePath_s,
+ "ParentProcessFileCompany" = sourceParentProcessInfo_fileSignerIdentity_s,
+ "ParentProcessIntegrityLevel" = sourceParentProcessInfo_integrityLevel_s,
+ "ParentProcessId" = sourceParentProcessInfo_pid_s,
+ "ParentProcessCreationTime" = sourceParentProcessInfo_pidStarttime_t,
+ "ProcessIntegrityLevel" = sourceProcessInfo_integrityLevel_s,
+ "ProcessCreationTime" = sourceProcessInfo_pidStarttime_t
+ )
+ | lookup EventSubTypeLookup on ruleInfo_treatAsThreat_s
+ | extend EventSubType = iif(event_name_s == "Threats.", "Threat", EventSubType)
+ | project-away *_s, *_g, SourceSystem, ManagementGroupName, Computer, RawData, *_t, *_b, *_d
+ };
+ parser (disabled = disabled)
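Review bot: The `bag_pack(` call in the event-field `extend` pairs keys and values with `=` (`"ParentProcessCommandLine" = sourceParentProcessInfo_commandline_s, …`), whereas bag_pack takes alternating key, value arguments, which is how the DarkTrace parser in this commit writes it; unless the query engine accepts this form, the parser will not compile, so convert each of the eleven pairs to `"ParentProcessCommandLine", sourceParentProcessInfo_commandline_s,` style. `AlertStatus` for `Alerts.` rows maps only `Unresolved` to `Active` and every other status to `""`, while `Threats.` rows map every non-`resolved` status to `Active`; the asymmetry looks unintended and deserves either a fix or a comment explaining it. `AttackTechniques` is wrapped in `tostring(...)` but `AttackTactics` is left as the dynamic array returned by `extract_all`, so the two sibling fields have different types; wrapping `AttackTactics` in `tostring(...)` as the DarkTrace parser does would keep them consistent.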