Azure · vakohl · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
@@ -0,0 +1,30 @@
+Parser:
+  Title: ASIM Alert parser for <product name>
+  Version: '<parser version>'
+  LastUpdated: <MMM DD, YYYY>
+Product:
+  Name: <product name>
+Normalization:
+  Schema: Alert
+  Version: '<current schema version>'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports normalizing the <product name> logs to the ASIM 'Alert' normalized schema.
+ParserName: <ASimAlertProduct>
+EquivalentBuiltInParser: <_ASim_Alert_Product>
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    disabled:bool = false
+  )
+  {
+    <parser query body>
+  };
+  parser (disabled = disabled)
@@ -0,0 +1,123 @@
+Parser:
+  Title: Alert ASIM parser for DarkTrace
+  Version: '0.1.0'
+  LastUpdated: Oct 13, 2024
+Product:
+  Name: DarkTrace
+Normalization:
+  Schema: Alert
+  Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports normalizing the DarkTrace alerts to the ASIM Alert normalized schema.
+ParserName: ASimAlertDarkTraceDetect
+EquivalentBuiltInParser: _ASim_Alert_DarkTraceDetect
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let EventSeverity_SystemAlertLookup = datatable(priority_s: string, EventSeverity_SystemAlert_s: string)
+    [
+    "informational", "Informational",
+    "low", "Low",
+    "medium", "Medium",
+    "high", "High",
+    "critical", "High"
+  ];
+  let parser = (
+      disabled: bool = false
+      ) {
+      darktrace_model_alerts_CL
+      // Mapping Alert Fields
+      | extend
+          AlertId = iif(dtProduct_s == "Policy Breach", tostring(threatID_d), ""),
+          AlertName = iif(dtProduct_s == "AI Analyst", title_s, iif(dtProduct_s == "System Alert", name_s, iif(dtProduct_s == "Policy Breach", tostring(modelName_s), ""))),
+          AlertDescription = iif(dtProduct_s == "AI Analyst", summary_s, iif(dtProduct_s == "Policy Breach", description_s, "")),
+          AlertStatus = iif(dtProduct_s == "System Alert", status_s, ""),
+          AlertOriginalStatus = iif(dtProduct_s == "System Alert", statusName_s, ""),
+          AttackTactics = iif(dtProduct_s == "Policy Breach", tostring(extract_all('\"tactics\":\\[\"(.*?)\"\\]', mitreTechniques_s)), ""),
+          AttackTechniques =iif(dtProduct_s == "Policy Breach", tostring(extract_all('\"technique\":\"(.*?)\",\"techniqueID\":\"(.*?)\"', mitreTechniques_s)), "")
+      // Mapping Inspection Field
+      | extend 
+          RuleNumber = iif(dtProduct_s == "Policy Breach", pid_d, real(null)),
+          ThreatId = iif(dtProduct_s == "Policy Breach", tostring(threatID_d), ""),
+          ThreatName = iif(dtProduct_s == "Policy Breach", tostring(modelName_s), ""),
+          ThreatRiskLevel = iif(dtProduct_s == "Policy Breach", toint(score_d), int(null))
+      // Mapping Device Fields
+      | extend 
+          DvcId = iif(dtProduct_s == "AI Analyst", identifier_s, iif(dtProduct_s == "Policy Breach", tostring(deviceId_d), "")),
+          DvcMacAddr = iif(dtProduct_s == "AI Analyst", mac_s, iif(dtProduct_s == "Policy Breach", sourceMac_s, "")),
+          DvcIpAddr = iif(dtProduct_s in ("AI Analyst","System Alert"), deviceIP_s, iif(dtProduct_s == "Policy Breach", SourceIP, "")),
+          DvcHostname = hostname_s,
+      // Mapping System fields
+      | extend
+          Hostname = DvcHostname,
+          IpAddr = DvcIpAddr,
+          PortNumber = iif(dtProduct_s == "Policy Breach", sourcePort_s, ""),
+          GeoLongitude = iif(dtProduct_s in ("Policy Breach", "AI Analyst"), longitude_d, real(null)),
+          GeoLatitude = iif(dtProduct_s in ("Policy Breach", "AI Analyst"), latitude_d, real(null))
+      // Mapping EventFields
+      | extend
+          EventStartTime = todatetime(replace_string(startTime_s, "th", "")),
+          EventEndTime = todatetime(replace_string(endTime_s, "th", "")),
+          EventReportUrl = iif(dtProduct_s in ("AI Analyst", "System Alert"), url_s, breachUrl_s),
+          EventSeverity_AIAnalyst_s = case(
+                                  Severity >= 9,
+                                  "High",
+                                  Severity >= 6,
+                                  "Medium",
+                                  Severity <= 5,
+                                  "Low",
+                                  ""
+                              ),
+          EventOriginalUid = iif(dtProduct_s in ("Policy Breach", "System Alert"), uuid_g, ""),
+          EventSubType_Category_s = iif(dtProduct_s == "Policy Breach", Category, ""),
+          AdditionalFields = bag_pack(
+                        "Compliance",
+                        compliance_b,
+                        "destIP",
+                        destIP_s,
+                        "destPort",
+                        destPort_s,
+                        "destHost",
+                        destHost_s,
+                        "destMac",
+                        destMac_s
+                    ),
+          EventType = "Alert",
+          EventOriginalType = dtProduct_s,
+          EventMessage = Message,
+          EventVendor = "DarkTrace",
+          EventProduct = "Detect",
+          EventSchema = "Alert",
+          EventSchemaVersion = '0.1'
+      | lookup EventSeverity_SystemAlertLookup on priority_s
+      | extend
+          EventSeverity = coalesce(EventSeverity_AIAnalyst_s, EventSeverity_SystemAlert_s),
+          EventSubType = case(
+                    EventSubType_Category_s == "Critical",
+                    "Threat",
+                    EventSubType_Category_s == "Suspicious",
+                    "Suspicious Activity",
+                    ""
+                )
+      | project-away
+          *_s,
+          *_b,
+          *_d,
+          *_g,
+          Computer,
+          RawData,
+          ManagementGroupName,
+          SourceSystem,
+          Severity,
+          Category,
+          SourceIP,
+          Message
+  };
+  parser (disabled = disabled)
@@ -0,0 +1,172 @@
+Parser:
+  Title: Alert ASIM parser for Microsoft Defender XDR
+  Version: '0.1.0'
+  LastUpdated: Oct 09, 2024
+Product:
+  Name: Microsoft Defender XDR
+Normalization:
+  Schema: Alert
+  Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports normalizing the Microsoft Defender XDR logs to the ASIM Alert normalized schema.
+ParserName: ASimAlertMicrosoftDefenderXDR
+EquivalentBuiltInParser: _ASim_Alert_MicrosoftDefenderXDR
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)
+    [
+    "User", "User",
+    "Machine", "Device",
+    "Process", "Process",
+    "File", "File",
+    "Ip", "Ip",
+    "Url", "Url",
+    "RegistryValue", "Registry",
+    "CloudLogonSession", "LogonSession",
+    "CloudApplication", "Application",
+    "Mailbox", "Mailbox",
+    "MailMessage", "MailMessage"
+  ];
+  let AlertSourceAnalyticDetailsLookup = datatable (
+      DetectionSource: string,
+      AlertSourceAnalyticDetails: string
+  )
+      [
+      "EDR", "EDR",
+      "Antivirus", "Antivirus",
+      "Microsoft Data Loss Prevention", "DataLossPrevention",
+      "Scheduled Alerts", "ScheduledAlerts",
+      "Cloud App Security", "CloudApplicationSecurity"
+  ];
+  let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)
+      [
+      "Related", "Associated",
+      "Impacted", "Targeted"
+  ];
+  let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)
+      [
+      "ExpandString", "Reg_Expand_Sz"
+  ];
+  let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]);
+  let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]);
+  let parser = (disabled: bool=false) {
+      AlertEvidence
+      | where not(disabled)
+      // Mapping Alert Fields
+      | extend 
+          AlertId = AlertId,
+          AlertName = Title,
+          AlertSource = ServiceSource,
+          AlertVerdict = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),
+          AlertVerdictDate = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),
+          AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""),
+          AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),
+          AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), "")
+      | lookup IndicatorTypeLookup on EntityType
+      | lookup IndicatorAssociationLookup on EvidenceRole
+      | lookup AlertSourceAnalyticDetailsLookup on DetectionSource
+      // Mapping Threat Fields
+      | extend
+          ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), ""),
+          ThreatIsActive = iif(isnotempty(AdditionalFields.LastRemediationState), iif(tostring(AdditionalFields.LastRemediationState) == "Active", True, False), bool(null))
+      // Mapping User Entity
+      | extend 
+          UserId = coalesce(AccountObjectId, AdditionalFields.Account.AadUserId),
+          UserSid = coalesce(AccountSid, AdditionalFields.Account.Sid),
+          Username = coalesce(AccountUpn, AdditionalFields.Account.UserPrincipalName),
+          SessionId = AdditionalFields.SessionId,
+          UserScopeId = AdditionalFields.AadTenantId
+      // Mapping Device Entity
+      | extend 
+          DvcId = coalesce(DeviceId, AdditionalFields.Host.MachineId, AdditionalFields.ObservedbyDevice.MachineId),
+          DvcIpAddr = coalesce(LocalIP, AdditionalFields.Host.IpInterfaces[0].Address, AdditionalFields.ObservedByDevice.IpInterfaces[0].Address),
+          DvcOs = coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily, AdditionalFields.ObservedByDevice.OSFamily),
+          DvcOsVersion = coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion, AdditionalFields.ObservedByDevice.OSFamily),
+          DeviceName = coalesce(DeviceName, AdditionalFields.Host.NetBiosName, AdditionalFields.ObservedByDevice.NetBiosName),
+          DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2])))
+      | invoke _ASIM_ResolveDvcFQDN("DeviceName")
+      // Mapping IP Entity
+      | extend 
+          IpAddr = RemoteIP,
+          GeoCity = AdditionalFields.Location.City,
+          GeoCountry = AdditionalFields.Location.CountryCode,
+          GeoLatitude = AdditionalFields.Location.Latitude,
+          GeoLongitude = AdditionalFields.Location.Longitude,
+          GeoRegion = AdditionalFields.Location.State
+      // Mapping Process Entity
+      | extend 
+          ProcessId = AdditionalFields.ProcessId,
+          ProcessCommandLine,
+          ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""),
+          ProcessFileCompany = AdditionalFields.Publisher,
+          // Parent Process Fields
+          ParentProcessId = AdditionalFields.ParentProcess.ProcessId,
+          ParentProcessCommandLine = AdditionalFields.ParentProcess.CommandLine,
+          //ParentProcessName = strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name),
+          ParentProcessName = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""),
+          ParentProcessSHA1 = AdditionalFields.ParentProcess.ImageFile[0].SHA1,
+          ParentProcessSHA256 = AdditionalFields.ParentProcess.ImageFile[2].SHA256,
+          ParentProcessMD5 = AdditionalFields.ParentProcess.ImageFile[1].MD5
+      // Mapping File Entity
+      | extend 
+          FileName,
+          FileDirectory = FolderPath,
+          FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName),
+          FileSHA1 = SHA1,
+          FileSHA256 = SHA256,
+          FileMD5 = AdditionalFields.FileHashes[1].Value,
+          FileSize = FileSize
+      // Mapping Url Entity
+      | extend 
+          Url = RemoteUrl
+      // Mapping Registry Entity
+      | extend 
+          RegistryKey,
+          RegistryValue = RegistryValueName,
+          RegistryValueData,
+          ValueType = tostring(AdditionalFields.ValueType)
+      | lookup RegistryValueTypeLookup on ValueType
+      // Mapping Application Entity
+      | extend 
+          HttpUserAgent = AdditionalFields.UserAgent,
+          AppId = ApplicationId,
+          AppName = Application
+      // Mapping Email Entity
+      | extend 
+          EmailMessageId = NetworkMessageId,
+          EmailSubject
+      // Mapping common event fields
+      | extend
+          EventSubType = "Threat", // All events in AlertEvidence contains threat info
+          EventCount = int(1),
+          EventEndTime = TimeGenerated,
+          EventStartTime = TimeGenerated,
+          EventProduct = 'Defender XDR',
+          EventVendor = 'Microsoft',
+          EventSchemaVersion = '0.1',
+          EventType = 'Alert'
+      | project-away
+          Title,
+          Categories,
+          EntityType,
+          EvidenceRole,
+          DetectionSource,
+          ServiceSource,
+          ThreatFamily,
+          RemoteIP,
+          RemoteUrl,
+          AccountName,
+          AccountDomain,
+          DeviceName,
+          LocalIP,
+          AdditionalFields
+  };
+  parser(disabled=disabled)