1.3.9

app.manifest

@@ -5,7 +5,7 @@
     "id": {
       "group": null,
       "name": "TA-microsoft-365-defender-advanced-hunting-add-on",
-      "version": "1.3.8"
+      "version": "1.3.9"
     },
     "author": [
       {

default/app.conf

@@ -7,7 +7,7 @@ build = 1
 
 [launcher]
 author = Mikael Bjerkeland
-version = 1.3.8
+version = 1.3.9
 description = Microsoft Defender for Endpoint Advanced Hunting Add-on for Splunk
 
 [ui]
@@ -20,6 +20,6 @@ id = TA-microsoft-365-defender-advanced-hunting-add-on
 
 [id]
 name = TA-microsoft-365-defender-advanced-hunting-add-on
-version = 1.3.8
+version = 1.3.9
 
 [triggers]

default/props.conf

@@ -32,7 +32,8 @@ EVAL-user = case(coalesce(category,'body.category') IN ("AdvancedHunting-DeviceP
 EVAL-vendor_product = case(coalesce('properties.ServiceSource','body.properties.ServiceSource','properties.Vendor','body.properties.Vendor','properties.NetworkAdapterVendor','body.properties.NetworkAdapterVendor') != "null" AND coalesce('properties.ServiceSource','body.properties.ServiceSource','properties.Vendor','body.properties.Vendor','properties.NetworkAdapterVendor','body.properties.NetworkAdapterVendor') != "", coalesce('properties.ServiceSource','body.properties.ServiceSource','properties.Vendor','body.properties.Vendor','properties.NetworkAdapterVendor','properties.NetworkAdapterVendor'), 1=1, "Microsoft Defender for Endpoint")
 
 EVAL-src = case(coalesce(category,'body.category')="AdvancedHunting-UrlClickEvents" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="127.0.0.1" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="::1" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="null", coalesce('properties.IPAddress','body.properties.IPAddress'),coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents", ltrim(coalesce('properties.LocalIP','body.properties.LocalIP'),"::ffff:"), coalesce(category,'body.category')=="AdvancedHunting-EmailEvents", coalesce('properties.SenderIPv4','body.properties.SenderIPv4'))
-EVAL-src_ip = case(coalesce(category,'body.category')="AdvancedHunting-UrlClickEvents" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="127.0.0.1" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="::1" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="null", coalesce('properties.IPAddress','body.properties.IPAddress'),coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents", ltrim(coalesce('properties.LocalIP','body.properties.LocalIP'),"::ffff:"), coalesce(category,'body.category')=="AdvancedHunting-EmailEvents", coalesce('properties.SenderIPv4','body.properties.SenderIPv4'))
+
+EVAL-src_ip = case(coalesce(category,'body.category')="AdvancedHunting-UrlClickEvents" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="127.0.0.1" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="::1" AND coalesce('properties.IPAddress','body.properties.IPAddress')!="null", coalesce('properties.IPAddress','body.properties.IPAddress'),coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.ActionType','body.properties.ActionType') != "ConnectionAcknowledged", ltrim(coalesce('properties.LocalIP','body.properties.LocalIP'),"::ffff:"), coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents", ltrim(coalesce('properties.RemoteIP','body.properties.RemoteIP'),"::ffff:"), coalesce(category,'body.category')=="AdvancedHunting-EmailEvents", coalesce('properties.SenderIPv4','body.properties.SenderIPv4'))
 
 EVAL-file_path = case(coalesce(category,'body.category') IN ("AdvancedHunting-DeviceFileEvents", "AdvancedHunting-AlertEvidence"),coalesce('properties.FolderPath','body.properties.FolderPath'))
 EVAL-object_category = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceFileEvents", "file", coalesce(category,'body.category')=="AdvancedHunting-DeviceRegistryEvents", "registry")
@@ -69,11 +70,11 @@ EVAL-subject = case(coalesce(category,'body.category')=="AdvancedHunting-EmailEv
 
 # Ports node
 # Should be properties.RemoteIP for AdvancedHunting-DeviceNetworkEvents
-EVAL-dest_ip = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.RemoteIP','body.properties.RemoteIP') != "null", ltrim(coalesce('properties.RemoteIP','body.properties.RemoteIP'),"::ffff:"), coalesce('properties.LocalIP','body.properties.LocalIP') != "null", ltrim(coalesce('properties.LocalIP','body.properties.LocalIP'),"::ffff:"), 1==1, null())
+EVAL-dest_ip = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.RemoteIP','body.properties.RemoteIP') != "null" AND coalesce('properties.ActionType','body.properties.ActionType') != "ConnectionAcknowledged", ltrim(coalesce('properties.RemoteIP','body.properties.RemoteIP'),"::ffff:"), coalesce('properties.LocalIP','body.properties.LocalIP') != "null", ltrim(coalesce('properties.LocalIP','body.properties.LocalIP'),"::ffff:"), 1==1, null())
 #EVAL-dest_port = coalesce('properties.LocalPort','body.properties.LocalPort')
-EVAL-dest_port = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.RemotePort','body.properties.RemotePort') != "null", coalesce('properties.RemotePort','body.properties.RemotePort'), 1==1, coalesce('properties.LocalPort','body.properties.LocalPort'))
+EVAL-dest_port = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.RemotePort','body.properties.RemotePort') != "null" AND coalesce('properties.ActionType','body.properties.ActionType') != "ConnectionAcknowledged", coalesce('properties.RemotePort','body.properties.RemotePort'), 1==1, coalesce('properties.LocalPort','body.properties.LocalPort'))
 #EVAL-src_port = coalesce('properties.RemotePort','body.properties.RemotePort')
-EVAL-src_port = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.LocalPort','body.properties.LocalPort') != "null", coalesce('properties.LocalPort','body.properties.LocalPort'), 1==1, coalesce('properties.RemotePort','body.properties.RemotePort'))
+EVAL-src_port = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents" AND coalesce('properties.LocalPort','body.properties.LocalPort') != "null" AND coalesce('properties.ActionType','body.properties.ActionType') != "ConnectionAcknowledged", coalesce('properties.LocalPort','body.properties.LocalPort'), 1==1, coalesce('properties.RemotePort','body.properties.RemotePort'))
 EVAL-creation_time = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents",coalesce('properties.Timestamp','body.properties.Timestamp'))
 EVAL-state = case(coalesce(category,'body.category')=="AdvancedHunting-DeviceNetworkEvents","listening")
 EVAL-transport = lower(coalesce('properties.Protocol','body.properties.Protocol'))