diff --git a/OCSF/README.md b/OCSF/README.md
new file mode 100644
index 000000000..f27b1e647
--- /dev/null
+++ b/OCSF/README.md
@@ -0,0 +1,9 @@
+# OCSF
+
+## Description
+
+OCSF
+
+## Intakes
+
+- 
diff --git a/OCSF/_meta/logo.png b/OCSF/_meta/logo.png
new file mode 100644
index 000000000..3bf9ac73e
Binary files /dev/null and b/OCSF/_meta/logo.png differ
diff --git a/OCSF/_meta/manifest.yml b/OCSF/_meta/manifest.yml
new file mode 100644
index 000000000..fcbd450e0
--- /dev/null
+++ b/OCSF/_meta/manifest.yml
@@ -0,0 +1,5 @@
+uuid: 01f0e9a1-2c78-4118-8a70-0e86ed285a31
+name: OCSF
+slug: "ocsf"
+description: >-
+ OCSF
diff --git a/OCSF/ocsf/CHANGELOG.md b/OCSF/ocsf/CHANGELOG.md
new file mode 100644
index 000000000..11bddf32c
--- /dev/null
+++ b/OCSF/ocsf/CHANGELOG.md
@@ -0,0 +1,8 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
diff --git a/OCSF/ocsf/_meta/fields.yml b/OCSF/ocsf/_meta/fields.yml
new file mode 100644
index 000000000..081424c29
--- /dev/null
+++ b/OCSF/ocsf/_meta/fields.yml
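Review bot: The top-level `OCSF/_meta/manifest.yml` carries `description: >-` followed only by the word `OCSF`, which is a placeholder rather than a description, and the README added in the same commit repeats it (a Description section reading `OCSF` and an empty `- ` intake bullet). The module manifest further down in this diff already has a usable sentence; I'd reuse it here, `description: >-` / `  The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.`, and fill the README's Intakes bullet with the module name. `slug: "ocsf"` is quoted here and unquoted in the module manifest; harmless, but worth making consistent.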
@@ -0,0 +1,81 @@
+ocsf.activity_id:
+ description: The normalized identifier of the activity that triggered the event.
+ name: ocsf.activity_id
+ type: long
+
+ocsf.activity_name:
+ description: The event activity name, as defined by the activity_id.
+ name: ocsf.activity_name
+ type: keyword
+
+ocsf.class_name:
+ description: 'The event class name, as defined by class_uid value: Security Finding.'
+ name: ocsf.class_name
+ type: keyword
+
+ocsf.class_uid:
+ description: The unique identifier of a class. A Class describes the attributes
+ available in an event.2001 Security FindingSecurity Finding events describe findings,
+ detections, anomalies, alerts and/or actions performed by security products.
+ name: ocsf.class_uid
+ type: long
+
+process.group.id:
+ description: ''
+ name: process.group.id
+ type: keyword
+
+process.group.name:
+ description: ''
+ name: process.group.name
+ type: keyword
+
+process.parent.user.domain:
+ description: ''
+ name: process.parent.user.domain
+ type: keyword
+
+process.parent.user.email:
+ description: ''
+ name: process.parent.user.email
+ type: keyword
+
+process.parent.user.full_name:
+ description: ''
+ name: process.parent.user.full_name
+ type: keyword
+
+process.parent.user.group.id:
+ description: ''
+ name: process.parent.user.group.id
+ type: keyword
+
+process.parent.user.group.name:
+ description: ''
+ name: process.parent.user.group.name
+ type: keyword
+
+process.user.domain:
+ description: ''
+ name: process.user.domain
+ type: keyword
+
+process.user.email:
+ description: ''
+ name: process.user.email
+ type: keyword
+
+process.user.full_name:
+ description: ''
+ name: process.user.full_name
+ type: keyword
+
+process.user.group.id:
+ description: ''
+ name: process.user.group.id
+ type: keyword
+
+process.user.group.name:
+ description: ''
+ name: process.user.group.name
+ type: keyword
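Review bot: The `ocsf.class_uid` description reads like text copied from a schema browser page: the sentence runs straight into `event.2001 Security FindingSecurity Finding events describe ...` with no separator, and `ocsf.class_name` is described as `as defined by class_uid value: Security Finding.`, pinning a field that the parser hunk later in this diff sets for every event to a single class. I'd trim both to their generic part, `description: The unique identifier of a class. A Class describes the attributes available in an event.` and `description: The event class name, as defined by class_uid.`. The twelve `process.*` entries all ship with `description: ''`; since these are the custom fields this module adds on top of the standard ones, a one-line description each (which OCSF attribute they come from, presumably `actor.process.*` given the parser stages further down, and whether the value is a single id or a list) is what a user of the field catalogue needs most.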
diff --git a/OCSF/ocsf/_meta/logo.png b/OCSF/ocsf/_meta/logo.png
new file mode 100644
index 000000000..3bf9ac73e
Binary files /dev/null and b/OCSF/ocsf/_meta/logo.png differ
diff --git a/OCSF/ocsf/_meta/manifest.yml b/OCSF/ocsf/_meta/manifest.yml
new file mode 100644
index 000000000..931c78599
--- /dev/null
+++ b/OCSF/ocsf/_meta/manifest.yml
@@ -0,0 +1,11 @@
+uuid: a9c959ac-78ec-47a4-924e-8156a77cebf5
+name: OCSF
+slug: ocsf
+
+description: >-
+ The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema.
+
+data_sources:
+ File monitoring:
+ Network device logs:
+ Process monitoring:
diff --git a/OCSF/ocsf/_meta/smart-descriptions.json b/OCSF/ocsf/_meta/smart-descriptions.json
new file mode 100644
index 000000000..d03bc41fb
--- /dev/null
+++ b/OCSF/ocsf/_meta/smart-descriptions.json
@@ -0,0 +1,932 @@ +[ + { + "value": "File System Activity: {ocsf.activity_name} file {file.name} by {user.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Kernel Extension Activity: {ocsf.activity_name} file {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "Kernel Activity: {ocsf.activity_name} file {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "Memory Activity: {ocsf.activity_name} file {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1004 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "Module Activity: {ocsf.activity_name} file {file.name} by process {process.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1005 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + }, + { + "field": "process.name" + } + ] + }, + { + "value": "Scheduled Job Activity: {ocsf.activity_name} file {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "Process Activity: process {process.pid} - {event.reason}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1007 + }, + { + "field": "event.reason" + }, + { + "field": "process.pid" + } + ] + }, + { + "value": "Windows Resource Activity: {event.reason}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 1010 + }, + { + "field": "event.reason" + } + ] + }, + { + "value": "Security Finding: {ocsf.activity_name} finding {event.reason}", + 
"conditions": [ + { + "field": "ocsf.class_uid", + "value": 2001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "event.reason" + } + ] + }, + { + "value": "Vulnerability Finding: {ocsf.activity_name} vulnerability {vulnerability.id}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "vulnerability.id" + } + ] + }, + { + "value": "Compliance Finding", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2003 + } + ] + }, + { + "value": "Detection Finding", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2004 + } + ] + }, + { + "value": "Incident Finding: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2005 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Data Security Finding: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 2006 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Account Change: {ocsf.activity_name} user {user.id}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.id" + } + ] + }, + { + "value": "Authentication: user {user.name} {ocsf.activity_name} on {host.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.name" + }, + { + "field": "host.name" + } + ] + }, + { + "value": "Authentication: user {user.name} {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Authentication: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3002 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Authorize Session: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + 
"field": "ocsf.class_uid", + "value": 3003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "Entity Management: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3004 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "User Access Management: {ocsf.activity_name} user {user.target.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3005 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.target.name" + } + ] + }, + { + "value": "Group Management: {ocsf.activity_name} user {user.target.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 3006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.target.name" + } + ] + }, + { + "value": "Network Activity: {ocsf.activity_name} from {source.ip} to {destination.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" + } + ] + }, + { + "value": "Network Activity: connection from {source.ip} to {destination.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4001 + }, + { + "field": "source.ip" + }, + { + "field": "destination.ip" + } + ] + }, + { + "value": "HTTP Activity: {ocsf.activity_name} {url.path} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "url.path" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "DNS Activity: {ocsf.activity_name} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "DHCP Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4004 + }, + { + "field": 
"ocsf.activity_name" + } + ] + }, + { + "value": "RDP Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4005 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "SMB Activity: {ocsf.activity_name} {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "SSH Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4007 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "FTP Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4008 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "Email Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4009 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "Network File Activity: {ocsf.activity_name} file {file.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4010 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "file.name" + } + ] + }, + { + "value": "Email File Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4011 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "Email URL Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4012 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "NTP Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 4013 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "Tunnel Activity: {ocsf.activity_name}", + 
"conditions": [ + { + "field": "ocsf.class_uid", + "value": 4014 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Device Inventory Info: {ocsf.activity_name} on device {host.mac}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.mac" + } + ] + }, + { + "value": "Device Config State: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5002 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "User Inventory Info: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5003 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Operating System Patch State: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5004 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Kernel Object Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5006 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "File Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5007 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Folder Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5008 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Admin Group Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5009 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Job Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5010 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Module Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5011 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Network Connection Query: 
{ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5012 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Networks Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5013 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Peripheral Device Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5014 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Process Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5015 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Service Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5016 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "User Session Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5017 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "User Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5018 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Device Config State Change: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 5019 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Web Resources Activity: {ocsf.activity_name} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6001 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "Application Lifecycle: {ocsf.activity_name} application {ocsf.app.name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6002 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "ocsf.app.name" + } + ] + }, + { + "value": "API Activity: {ocsf.activity_name} from user {user.name}", + "conditions": [ + { + "field": 
"ocsf.class_uid", + "value": 6003 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "user.name" + } + ] + }, + { + "value": "Web Resource Access Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6004 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "Datastore Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6005 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "host.ip" + } + ] + }, + { + "value": "File Hosting Activity: {ocsf.activity_name} from {source.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6006 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "Scan Activity: {ocsf.activity_name} to {host.ip}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 6007 + }, + { + "field": "ocsf.activity_name" + }, + { + "field": "source.ip" + } + ] + }, + { + "value": "Registry Key Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 201001 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Registry Value Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 201002 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Windows Resource Activity: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 201003 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Registry Key Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 205004 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Registry Value Query: {ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 205005 + }, + { + "field": "ocsf.activity_name" + } + ] + }, + { + "value": "Prefetch Query: 
{ocsf.activity_name}", + "conditions": [ + { + "field": "ocsf.class_uid", + "value": 205019 + }, + { + "field": "ocsf.activity_name" + } + ] + } +] diff --git a/OCSF/ocsf/ingest/parser.yml b/OCSF/ocsf/ingest/parser.yml new file mode 100644 index 000000000..91d9dd4e0 --- /dev/null +++ b/OCSF/ocsf/ingest/parser.yml 
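Review bot: The `Scan Activity` entry (class_uid 6007) interpolates `{host.ip}` in its `value` but its conditions require `source.ip`, so the template can be selected for an event that carries no `host.ip` and render with an empty placeholder; every other `from {source.ip}` / `to {host.ip}` entry keeps the condition on the same field as the template. Either change the condition to `"field": "host.ip"` or the template to `"Scan Activity: {ocsf.activity_name} from {source.ip}"`, whichever matches what the parser maps for scan events (not visible in this hunk). The `Windows Resource Activity` prefix is used twice, for 1010 (`{event.reason}`) and for 201003 (`{ocsf.activity_name}`); if both class ids are intentional, e.g. for different schema versions, a line in the CHANGELOG saying so would stop the next reader from treating it as a stray duplicate.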
@@ -0,0 +1,1006 @@ +name: ocsf +ignored_values: ["-"] +pipeline: + - name: parse_event + external: + name: json.parse-json + properties: + input_field: "{{original.message}}" + output_field: message + + - name: parse_date_end_time_dt + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.end_time_dt }}" + output_field: datetime + filter: "{{ parse_event.message.end_time_dt != null and parse_event.message.end_time_dt != '' }}" + + - name: parse_date_end_time + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.end_time }}" + output_field: datetime + filter: "{{ parse_event.message.end_time != null and parse_event.message.end_time != '' }}" + + - name: parse_date_timestamp_from_time_dt + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.time_dt }}" + output_field: datetime + filter: "{{ parse_event.message.time_dt != null and parse_event.message.time_dt != '' }}" + + - name: parse_date_timestamp_from_time + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.time }}" + output_field: datetime + filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}" + + - name: parse_date_time_dt + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.time_dt }}" + output_field: datetime + filter: "{{ parse_event.message.time_dt != null and parse_event.message.time_dt != '' }}" + + - name: parse_date_time + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.time }}" + output_field: datetime + filter: "{{ parse_event.message.time != null and parse_event.message.time != '' }}" + + - name: parse_date_start_time_dt + external: + name: date.parse + properties: + input_field: "{{ parse_event.message.start_time_dt }}" + output_field: datetime + filter: "{{ parse_event.message.start_time_dt != null and parse_event.message.start_time_dt != '' }}" + + - name: parse_date_start_time + 
external: + name: date.parse + properties: + input_field: "{{ parse_event.message.start_time }}" + output_field: datetime + filter: "{{ parse_event.message.start_time != null and parse_event.message.start_time != '' }}" + + - name: set_timestamp + - name: set_event_kind + - name: set_event_category + - name: set_event_type + - name: set_common_fields + + - name: pipeline_object_actor + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5003,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6003,6004,6005,6006,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002,99937002] and parse_event.message.actor != null }}" + + - name: pipeline_object_attack + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2005,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99902003,99904001,99904002,99904009,99904010] and parse_event.message.attacks != null }}" + + - name: pipeline_object_network_connection_info + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,5012,6006,99904009,99904010,99931006,99932007,99933005] and parse_event.message.connection_info != null }}" + + - name: pipeline_object_device + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in 
[1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2002,2003,2004,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,5001,5002,5004,5006,5007,5008,5009,5010,5011,5012,5013,5014,5015,5016,5017,5018,5019,6001,6002,6004,6007,201001,201002,201003,205004,205005,205019,99901006,99903001,99904001,99904002,99904009,99904010,99936001,99936002] and parse_event.message.device != null }}" + + - name: pipeline_object_http_request + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3004,3005,3006,4002,6001,6003,6004,6005,99937002,99938001] and parse_event.message.http_request != null }}" + + - name: pipeline_object_malware + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,2001,2004,2006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,4013,4014,6001,6005,201001,201002,201003,99901006,99904001,99904002,99904009,99904010] and parse_event.message.malware != null }}" + + - name: pipeline_object_network_endpoint + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1008,2006,3001,3002,3003,3004,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4013,4014,6001,6003,6004,6005,6006,99904009,99904010,99937002,99938001] and parse_event.message.dst_endpoint != null or parse_event.message.src_endpoint != null }}" + + - name: pipeline_object_process + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1004,1007,2001,5011,5012,5015,99932006,99932007,99932011,99933006,99934001,99935002] and parse_event.message.process != null }}" + + - name: pipeline_object_proxy + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6004,99904009,99904010] and parse_event.message.proxy != null }}" + + - name: pipeline_object_tls + 
filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3006,4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,6001,6004,99904009,99904010] and parse_event.message.tls != null }}" + + - name: pipeline_object_traffic + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [4001,4002,4003,4004,4005,4006,4007,4008,4010,4013,4014,99904009,99904010] and parse_event.message.traffic != null }}" + + - name: pipeline_object_user + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [3001,3002,3003,3005,3006,4014,5003,5018,99932017] and parse_event.message.user != null }}" + + - name: pipeline_object_file + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1001,1008,2006,4002,4005,4006,4007,4008,4010,4011,5007,6006,99901006,99903001,99904001,99931004,99931007,99931010,99932001,99933000] and parse_event.message.file != null }}" + + - name: pipeline_object_system_activity_helper + filter: "{{ parse_event.message.class_uid != null and parse_event.message.class_uid in [1002,1005,1006,1007,5010,5011,99932004,99932006,99933002,99933004] }}" + + - name: pipeline_category_system_activity + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 1 }}" + + - name: pipeline_category_findings + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 2 }}" + + - name: pipeline_category_identity_and_access_management + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 3 }}" + + - name: pipeline_category_network_activity + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 4 }}" + + - name: pipeline_category_application_activity + filter: "{{ parse_event.message.category_uid != null and parse_event.message.category_uid == 6 }}" + + - name: pipeline_category_discovery + filter: "{{ 
parse_event.message.category_uid != null and parse_event.message.category_uid == 5 }}" + +stages: + set_timestamp: + actions: + - set: + "@timestamp": "{{ parse_date_time.datetime }}" + filter: "{{ parse_date_time.datetime != None }}" + + - set: + "@timestamp": "{{ parse_date_time_dt.datetime }}" + filter: "{{ parse_date_time_dt.datetime != None }}" + + set_event_kind: + actions: + - set: + event.kind: "event" + filter: "{{parse_event.message.class_uid in [1001,1002,1003,1004,1005,1006,1007,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6001,6002,6003,6004]}}" + + - set: + event.kind: "alert" + filter: "{{parse_event.message.class_uid == 2001}}" + + set_event_category: + actions: + - set: + event.category: > + [ + {%- if parse_event.message.class_uid == 2001 and parse_event.message.malware != null -%}'malware',{%- endif -%} + {%- if parse_event.message.class_uid == 2001 and parse_event.message.vulnerabilities != null -%}'vulnerability',{%- endif -%} + {%- if parse_event.message.class_uid in [3001, 3005, 3006] -%}'iam',{%- endif -%} + {%- if parse_event.message.class_uid == 3002 -%}'authentication',{%- endif -%} + {%- if parse_event.message.class_uid == 3003 -%}'session',{%- endif -%} + {%- if parse_event.message.class_uid in [4001, 4003, 4004, 4005, 4007, 4008, 4010] -%}'network',{%- endif -%} + {%- if parse_event.message.class_uid in [4002, 4006] -%}'api',{%- endif -%} + {%- if parse_event.message.class_uid in [1001, 4006, 4008, 4010, 4011] -%}'file',{%- endif -%} + {%- if parse_event.message.class_uid in [4009, 4011, 4012] -%}'email',{%- endif -%} + {%- if parse_event.message.class_uid in [6003, 6004] -%}'web',{%- endif -%} + {%- if parse_event.message.class_uid == 6002 -%}'package',{%- endif -%} + {%- if parse_event.message.class_uid == 5002 -%}'configuration',{%- endif -%} + {%- if parse_event.message.class_uid in [1002, 1003] -%}'driver',{%- endif -%} + {%- if parse_event.message.class_uid == 1007 
-%}'process',{%- endif -%} + ] + + set_event_type: + actions: + - set: + event.type: > + [ + {%- if parse_event.message.class_uid in [1001,1002,1003,1007,2001,3001,3002,3003,3005,3006,4001,4002,4003,4004,4005,4006,4007,4008,4009,4010,4011,4012,5001,5002,6002,6003,6004] -%}'info',{%- endif -%} + {%- if parse_event.message.class_uid in [3001, 3006] -%}'user',{%- endif -%} + {%- if parse_event.message.class_uid in [3005] -%}'group',{%- endif -%} + {%- if parse_event.message.class_uid in [4003,4004,4005,4007,4008] -%}'protocol',{%- endif -%} + {%- if parse_event.message.class_uid in [1001,3001,4006,5002] and parse_event.message.activity_name in ['Create','File Create','Log'] -%}'creation',{%- endif -%} + {%- if parse_event.message.class_uid in [1001,4006,4010,5002,6004] and parse_event.message.activity_name in ['Read','File Open','Preview','Open','Access Grant','Access Deny','Access Revoke','Access Error','Log'] -%}'access',{%- endif -%} + {%- if parse_event.message.class_uid in [1001,3001,4010,6002] and parse_event.message.activity_name in ['Delete','Remove'] -%}'deletion',{%- endif -%} + {%- if parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Launch','Logon','Open','Start'] -%}'start',{%- endif -%} + {%- if parse_event.message.class_uid in [1007,3002,4001,4007,6002] and parse_event.message.activity_name in ['Terminate','Logoff','Close','Stop'] -%}'end',{%- endif -%} + {%- if parse_event.message.class_uid in [4001, 4003, 4004, 4007] and parse_event.message.activity_name in ['Refuse','Decline'] -%}'denied',{%- endif -%} + {%- if parse_event.message.class_uid in [4004] and parse_event.message.activity_name in ['Ack'] -%}'allowed',{%- endif -%} + {%- if parse_event.message.class_uid in [1001, 4006, 4010] and parse_event.message.activity_name in ['Update','File Supersede','File Overwrite','Update','Rename'] -%}'change',{%- endif -%} + {%- if parse_event.message.class_uid in [4005] and parse_event.message.activity_name 
in ['Connect Request','Connect Response'] -%}'connection',{%- endif -%} + {%- if parse_event.message.class_uid in [6002] and parse_event.message.activity_name in ['Install'] -%}'installation',{%- endif -%} + {%- if parse_event.message.class_uid in [6004] and parse_event.message.activity_name in ['Access Error'] -%}'error',{%- endif -%} + ] + + set_common_fields: + actions: + - set: + ocsf.activity_id: "{{parse_event.message.activity_id}}" + ocsf.activity_name: "{{parse_event.message.activity_name}}" + + ocsf.class_uid: "{{parse_event.message.class_uid}}" + ocsf.class_name: "{{parse_event.message.class_name}}" + + organization.id: "{{parse_event.message.cloud.org.uid}}" + organization.name: "{{parse_event.message.cloud.org.name}}" + + cloud.account.id: "{{parse_event.message.cloud.account.uid}}" + cloud.account.name: "{{parse_event.message.cloud.account.name}}" + cloud.availability_zone: "{{parse_event.message.cloud.zone}}" + cloud.project.id: "{{parse_event.message.cloud.project_uid}}" + cloud.provider: "{{parse_event.message.cloud.provider}}" + cloud.region: "{{parse_event.message.cloud.region}}" + + event.action: "{{parse_event.message.activity_name.lower().replace(': ', '-')}}" + event.code: "{{parse_event.message.metadata.event_code}}" + event.duration: "{{parse_event.message.duration * 1_000_000}}" # in nanoseconds + event.provider: "{{parse_event.message.metadata.log_provider}}" + event.sequence: "{{parse_event.message.metadata.sequence}}" + + event.severity: "{{parse_event.message.severity_id}}" + event.reason: "{{parse_event.message.message}}" + + - set: + event.provider: "{{parse_event.message.metadata.product.vendor_name}}" + filter: "{{parse_event.message.metadata.log_provider == None}}" + + - set: + event.end: "{{parse_date_end_time_dt.datetime}}" + filter: "{{parse_date_end_time_dt.datetime != null}}" + + - set: + event.end: "{{parse_date_end_time.datetime}}" + filter: "{{parse_date_end_time.datetime != null}}" + + - set: + event.start: 
"{{parse_date_start_time_dt.datetime}}" + filter: "{{parse_date_start_time_dt.datetime != null}}" + + - set: + event.start: "{{parse_date_start_time.datetime}}" + filter: "{{parse_date_start_time.datetime != null}}" + + - translate: + dictionary: + 0: "unknown" + 1: "success" + 2: "failure" + mapping: + parse_event.message.status_id: event.outcome + + pipeline_object_actor: + actions: + - set: + container.id: "{{ parse_event.message.actor.process.container.uid }}" + container.image.name: "{{ parse_event.message.actor.process.container.image.name }}" + - set: + container.image.tag: + - "{{ parse_event.message.actor.process.container.image.tag }}" + filter: "{{ parse_event.message.actor.process.container.image.tag != null }}" + - set: + orchestrator.type: "{{ parse_event.message.actor.process.container.orchestrator }}" + #container.labels: "{{ parse_event.message.actor.process.container.image.labels }}" # @todo should be a dict? + container.name: "{{ parse_event.message.actor.process.container.name }}" + container.runtime: "{{ parse_event.message.actor.process.container.runtime }}" + file.accessed: "{{ parse_event.message.actor.process.file.accessed_time_dt or parse_event.message.actor.process.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.actor.process.file.created_time_dt or parse_event.message.actor.process.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.actor.process.file.parent_folder }}" + file.inode: "{{ parse_event.message.actor.process.file.uid }}" + file.mime_type: "{{ parse_event.message.actor.process.file.mime_type }}" + file.mtime: "{{ parse_event.message.actor.process.file.modified_time_dt or parse_event.message.actor.process.file.modified_time | to_rfc3339 }}" + file.name: "{{ parse_event.message.actor.process.file.name }}" + file.owner: "{{ parse_event.message.actor.process.file.owner.name }}" + file.path: "{{ parse_event.message.actor.process.file.path }}" + file.size: "{{ 
parse_event.message.actor.process.file.size }}" + file.type: "{{ parse_event.message.actor.process.file.type }}" + file.uid: "{{ parse_event.message.actor.process.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.actor.process.file.signature.certificate.expiration_time_dt or parse_event.message.actor.process.file.signature.certificate.expiration_time | to_rfc3339 }}" + file.x509.serial_number: "{{ parse_event.message.actor.process.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.actor.process.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.actor.process.file.signature.certificate.version }}" + process.command_line: "{{ parse_event.message.actor.process.cmd_line }}" + process.end: "{{ parse_event.message.actor.process.terminated_tim | to_rfc3339 }}" + - set: + file.hash.md5: > + {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.actor.process.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- 
endfor -%} + + - set: + process.group.id: + - "{{ parse_event.message.actor.process.egid }}" + filter: "{{ parse_event.message.actor.process.egid != null }}" + - set: + process.group.id: + - "{{ parse_event.message.actor.process.group.uid }}" + filter: "{{ parse_event.message.actor.process.group.uid != null }}" + - set: + process.group.name: "{{ parse_event.message.actor.process.group.name }}" + process.name: "{{ parse_event.message.actor.process.name }}" + process.pid: "{{ parse_event.message.actor.process.pid }}" + process.start: "{{ parse_event.message.actor.process.created_time | to_rfc3339 }}" + process.thread.id: "{{ parse_event.message.actor.process.tid }}" + process.entity_id: "{{ parse_event.message.actor.process.uid }}" + process.user.domain: "{{ parse_event.message.actor.process.user.domain }}" + process.user.email: "{{ parse_event.message.actor.process.user.email_addr }}" + process.user.full_name: "{{ parse_event.message.actor.process.user.full_name }}" + - set: + process.user.id: + - "{{ parse_event.message.actor.process.euid }}" + filter: "{{ parse_event.message.actor.process.euid != null }}" + - set: + process.user.id: + - "{{ parse_event.message.actor.process.user.uid }}" + filter: "{{ parse_event.message.actor.process.user.uid != null }}" + - set: + process.user.group.id: > + [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + process.user.group.name: > + [{%- for item in parse_event.message.actor.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + + user.group.id: > + [{%- for item in parse_event.message.actor.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + user.group.name: > + [{%- for item in parse_event.message.actor.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + + process.parent.user.group.id: > + [{%- for item in 
parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + process.parent.user.group.name: > + [{%- for item in parse_event.message.actor.process.parent_process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + + - set: + process.user.name: "{{ parse_event.message.actor.process.user.name }}" + user.domain: "{{ parse_event.message.actor.user.domain }}" + user.email: "{{ parse_event.message.actor.user.email_addr }}" + user.full_name: "{{ parse_event.message.actor.user.full_name }}" + user.id: "{{ parse_event.message.actor.user.uid }}" + user.name: "{{ parse_event.message.actor.user.name }}" + process.parent.command_line: "{{ parse_event.message.actor.process.parent_process.cmd_line }}" + process.parent.end: "{{ parse_event.message.actor.process.parent_process.terminated_time | to_rfc3339 }}" + - set: + process.parent.group.id: + - "{{ parse_event.message.actor.process.parent_process.egid }}" + filter: "{{ parse_event.message.actor.process.parent_process.egid != null }}" + - set: + process.parent.group.id: + - "{{ parse_event.message.actor.process.parent_process.group.uid }}" + filter: "{{ parse_event.message.actor.process.parent_process.group.uid != null }}" + - set: + process.parent.group.name: "{{ parse_event.message.actor.process.parent_process.group.name }}" + process.parent.name: "{{ parse_event.message.actor.process.parent_process.name }}" + process.parent.pid: "{{ parse_event.message.actor.process.parent_process.pid }}" + process.parent.start: "{{ parse_event.message.actor.process.parent_process.created_time | to_rfc3339 }}" + process.parent.thread.id: "{{ parse_event.message.actor.process.parent_process.tid }}" + process.parent.entity_id: "{{ parse_event.message.actor.process.parent_process.uid }}" + process.parent.user.domain: "{{ parse_event.message.actor.process.parent_process.user.domain }}" + process.parent.user.email: "{{ 
parse_event.message.actor.process.parent_process.user.email_addr }}" + process.parent.user.full_name: "{{ parse_event.message.actor.process.parent_process.user.full_name }}" + - set: + process.parent.user.id: + - "{{ parse_event.message.actor.process.parent_process.euid }}" + filter: "{{ parse_event.message.actor.process.parent_process.euid != null }}" + - set: + process.parent.user.id: + - "{{ parse_event.message.actor.process.parent_process.user.uid }}" + filter: "{{ parse_event.message.actor.process.parent_process.user.uid != null }}" + - set: + process.parent.user.name: "{{ parse_event.message.actor.process.parent_process.user.name }}" + + pipeline_object_attack: + actions: + - set: + threat.technique.name: > + [{%- for item in parse_event.message.attacks -%}{%- if item.technique.name -%}'{{item.technique.name}}',{%- endif -%}{%- endfor -%}] + threat.technique.id: > + [{%- for item in parse_event.message.attacks -%}{%- if item.technique.uid -%}'{{item.technique.uid}}',{%- endif -%}{%- endfor -%}] + + pipeline_object_network_connection_info: + actions: + - set: + network.iana_number: "{{ parse_event.message.connection_info.protocol_num }}" + - set: + network.direction: + - internal + filter: "{{ parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'Internal' }}" + - set: + network.direction: + - external + filter: "{{ parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'External' }}" + - set: + network.direction: + - inbound + filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Inbound' }}" + - set: + network.direction: + - outbound + filter: "{{ parse_event.message.connection_info.direction != null and parse_event.message.connection_info.direction == 'Outbound' }}" + - set: + network.direction: + - unknown + filter: "{{ parse_event.message.connection_info.direction != null and 
parse_event.message.connection_info.direction == 'Unknown' or parse_event.message.connection_info.boundary != null and parse_event.message.connection_info.boundary == 'Unknown' }}" + + pipeline_object_device: + actions: + - set: + host.domain: "{{ parse_event.message.device.domain }}" + host.geo.city_name: "{{ parse_event.message.device.location.city }}" + host.geo.continent_name: "{{ parse_event.message.device.location.continent }}" + host.geo.country_iso_code: "{{ parse_event.message.device.location.country }}" + host.geo.location.lon: "{{ parse_event.message.device.location.coordinates[0] }}" + host.geo.location.lat: "{{ parse_event.message.device.location.coordinates[1] }}" + host.geo.name: "{{ parse_event.message.device.location.desc }}" + host.geo.postal_code: "{{ parse_event.message.device.location.postal_code }}" + host.geo.region_iso_code: "{{ parse_event.message.device.location.region }}" + host.hostname: "{{ parse_event.message.device.hostname }}" + host.id: "{{ parse_event.message.device.uid }}" + - set: + host.ip: ["{{ parse_event.message.device.ip }}"] + filter: "{{ parse_event.message.device.ip | is_ipaddress }}" + - set: + host.mac: ["{{ parse_event.message.device.mac }}"] + filter: "{{ parse_event.message.device.mac != null }}" + - set: + host.os.name: "{{ parse_event.message.device.os.name }}" + - set: + host.os.type: "{{ parse_event.message.device.os.type }}" + filter: "{{ parse_event.message.device.os.type != null and parse_event.message.device.os.type in ['Linux','Windows','Android','macOS','iOS'] }}" + - set: + host.os.version: "{{ parse_event.message.device.os.build }}" + host.risk.static_level: "{{ parse_event.message.device.risk_level }}" + host.risk.static_score: "{{ parse_event.message.device.risk_score }}" + host.type: "{{ parse_event.message.device.type }}" + network.vlan.id: "{{ parse_event.message.device.vlan_uid }}" + + pipeline_object_http_request: + actions: + - set: + http.request.id: "{{ parse_event.message.http_request.uid }}" + 
http.request.method: "{{ parse_event.message.http_request.http_method }}" + http.request.referrer: "{{ parse_event.message.http_request.referrer }}" + http.version: "{{ parse_event.message.http_request.version }}" + url.domain: "{{ parse_event.message.http_request.url.hostname }}" + url.original: "{{ parse_event.message.http_request.url.url_string }}" + url.path: "{{ parse_event.message.http_request.url.path }}" + url.port: "{{ parse_event.message.http_request.url.port }}" + url.query: "{{ parse_event.message.http_request.url.query_string }}" + url.scheme: "{{ parse_event.message.http_request.url.scheme }}" + url.subdomain: "{{ parse_event.message.http_request.url.subdomain }}" + user_agent.original: "{{ parse_event.message.http_request.user_agent }}" + + pipeline_object_malware: + actions: + - set: + vulnerability.category: > + [ + {%- for item in parse_event.message.malware -%} + {%- for cls in item.classifications -%}"{{cls}}"{%- endfor -%} + {%- endfor %} + ] + + - set: + vulnerability.id: > + [ + {%- for item in parse_event.message.malware -%} + {%- for cv in item.cvs -%}"{{cv.uid}}"{%- endfor -%} + {%- endfor -%} + ] + vulnerability.score.base: > + [ + {%- for item in parse_event.message.malware -%} + {%- for cv in item.cvs -%}"{{cv.cvss.base_score}}"{%- endfor -%} + {%- endfor -%} + ] + vulnerability.score.version: > + [ + {%- for item in parse_event.message.malware -%} + {%- for cv in item.cvs -%}"{{cv.cvss.version}}"{%- endfor -%} + {%- endfor -%} + ] + filter: "{{ parse_event.message.class_uid != 2001 }}" + + pipeline_object_network_endpoint: + actions: + - set: + source.domain: "{{ parse_event.message.src_endpoint.domain }}" + filter: "{{ parse_event.message.src_endpoint.domain != null }}" + - set: + source.geo.city_name: "{{ parse_event.message.src_endpoint.location.city }}" + source.geo.continent_name: "{{ parse_event.message.src_endpoint.location.continent }}" + source.geo.location: "{{ parse_event.message.src_endpoint.location.coordinates }}" + 
source.geo.country_iso_code: "{{ parse_event.message.src_endpoint.location.country }}" + source.geo.name: "{{ parse_event.message.src_endpoint.location.desc }}" + source.geo.postal_code: "{{ parse_event.message.src_endpoint.location.postal_code }}" + source.geo.region_iso_code: "{{ parse_event.message.src_endpoint.location.region }}" + - set: + source.domain: "{{ parse_event.message.src_endpoint.hostname }}" + filter: "{{ parse_event.message.src_endpoint.hostname != null }}" + - set: + source.ip: "{{ parse_event.message.src_endpoint.ip }}" + filter: "{{ parse_event.message.src_endpoint.ip | is_ipaddress }}" + - set: + source.mac: "{{ parse_event.message.src_endpoint.mac }}" + source.port: "{{ parse_event.message.src_endpoint.port }}" + - set: + network.application: "{{ parse_event.message.src_endpoint.svc_name }}" + filter: "{{ parse_event.message.src_endpoint.svc_name != null }}" + - set: + destination.domain: "{{ parse_event.message.dst_endpoint.domain }}" + filter: "{{ parse_event.message.dst_endpoint.domain != null }}" + - set: + destination.geo.city_name: "{{ parse_event.message.dst_endpoint.location.city }}" + destination.geo.continent_name: "{{ parse_event.message.dst_endpoint.location.continent }}" + destination.geo.location.lon: "{{ parse_event.message.dst_endpoint.location.coordinates[0] }}" + destination.geo.location.lat: "{{ parse_event.message.dst_endpoint.location.coordinates[1] }}" + destination.geo.country_iso_code: "{{ parse_event.message.dst_endpoint.location.country }}" + destination.geo.name: "{{ parse_event.message.dst_endpoint.location.desc }}" + destination.geo.postal_code: "{{ parse_event.message.dst_endpoint.location.postal_code }}" + destination.geo.region_iso_code: "{{ parse_event.message.dst_endpoint.location.region }}" + - set: + destination.domain: "{{ parse_event.message.dst_endpoint.hostname }}" + filter: "{{ parse_event.message.dst_endpoint.hostname != null }}" + - set: + destination.ip: "{{ parse_event.message.dst_endpoint.ip }}" + 
destination.mac: "{{ parse_event.message.dst_endpoint.mac }}" + destination.port: "{{ parse_event.message.dst_endpoint.port }}" + - set: + network.application: "{{ parse_event.message.dst_endpoint.svc_name }}" + filter: "{{ parse_event.message.dst_endpoint.svc_name != null }}" + + pipeline_object_process: + actions: + - set: + container.id: "{{ parse_event.message.process.container.uid }}" + container.image.name: "{{ parse_event.message.process.container.image.name }}" + - set: + container.image.tag: + - "{{ parse_event.message.process.container.image.tag }}" + filter: "{{ parse_event.message.process.container.image.tag != null }}" + - set: + container.labels: "{{ parse_event.message.process.container.image.labels }}" + orchestrator.type: "{{ parse_event.message.process.container.orchestrator }}" + container.name: "{{ parse_event.message.process.container.name }}" + container.runtime: "{{ parse_event.message.process.container.runtime }}" + file.accessed: "{{ parse_event.message.process.file.accessed_time_dt or parse_event.message.process.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.process.file.created_time_dt or parse_event.message.process.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.process.file.parent_folder }}" + file.inode: "{{ parse_event.message.process.file.uid }}" + file.mime_type: "{{ parse_event.message.process.file.mime_type }}" + file.mtime: "{{ parse_event.message.process.file.modified_time_dt or parse_event.message.process.file.modified_time | to_rfc3339 }}" + file.name: "{{ parse_event.message.process.file.name }}" + file.owner: "{{ parse_event.message.process.file.owner.name }}" + file.path: "{{ parse_event.message.process.file.path }}" + file.size: "{{ parse_event.message.process.file.size }}" + file.type: "{{ parse_event.message.process.file.type }}" + file.uid: "{{ parse_event.message.process.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ 
parse_event.message.process.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.process.file.signature.certificate.expiration_time_dt or parse_event.message.process.file.signature.certificate.expiration_time | to_rfc3339 }}" + file.x509.serial_number: "{{ parse_event.message.process.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.process.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.process.file.signature.certificate.version }}" + process.command_line: "{{ parse_event.message.process.cmd_line }}" + process.end: "{{ parse_event.message.process.terminated_time | to_rfc3339 }}" + - set: + file.hash.md5: > + {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.process.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + + - set: + process.group.id: + - "{{ parse_event.message.process.egid }}" + filter: "{{ parse_event.message.process.egid != null }}" + - set: + process.group.id: + - "{{ parse_event.message.process.group.uid }}" + filter: "{{ parse_event.message.process.group.uid != null }}" + - set: + 
process.group.name: "{{ parse_event.message.process.group.name }}" + process.name: "{{ parse_event.message.process.name }}" + process.pid: "{{ parse_event.message.process.pid }}" + process.start: "{{ parse_event.message.process.created_time | to_rfc3339 }}" + process.thread.id: "{{ parse_event.message.process.tid }}" + process.entity_id: "{{ parse_event.message.process.uid }}" + process.user.domain: "{{ parse_event.message.process.user.domain }}" + process.user.email: "{{ parse_event.message.process.user.email_addr }}" + process.user.full_name: "{{ parse_event.message.process.user.full_name }}" + - set: + process.user.id: + - "{{ parse_event.message.process.euid }}" + filter: "{{ parse_event.message.process.euid != null }}" + - set: + process.user.id: + - "{{ parse_event.message.process.user.uid }}" + filter: "{{ parse_event.message.process.user.uid != null }}" + - set: + process.user.group.id: > + [{%- for item in parse_event.message.process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + process.user.group.name: > + [{%- for item in parse_event.message.process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + + - set: + process.user.name: "{{ parse_event.message.process.user.name }}" + process.parent.command_line: "{{ parse_event.message.process.parent_process.cmd_line }}" + process.parent.end: "{{ parse_event.message.process.parent_process.terminated_time | to_rfc3339 }}" + - set: + process.parent.group.id: + - "{{ parse_event.message.process.parent_process.egid }}" + filter: "{{ parse_event.message.process.parent_process.egid != null }}" + - set: + process.parent.group.id: + - "{{ parse_event.message.process.parent_process.group.uid }}" + filter: "{{ parse_event.message.process.parent_process.group.uid != null }}" + - set: + process.parent.group.name: "{{ parse_event.message.process.parent_process.group.name }}" + process.parent.name: "{{ parse_event.message.process.parent_process.name }}" + 
process.parent.pid: "{{ parse_event.message.process.parent_process.pid }}" + process.parent.start: "{{ parse_event.message.process.parent_process.created_time | to_rfc3339 }}" + process.parent.thread.id: "{{ parse_event.message.process.parent_process.tid }}" + process.parent.entity_id: "{{ parse_event.message.process.parent_process.uid }}" + process.parent.user.domain: "{{ parse_event.message.process.parent_process.user.domain }}" + process.parent.user.email: "{{ parse_event.message.process.parent_process.user.email_addr }}" + process.parent.user.full_name: "{{ parse_event.message.process.parent_process.user.full_name }}" + - set: + process.parent.user.id: + - "{{ parse_event.message.process.parent_process.euid }}" + filter: "{{ parse_event.message.process.parent_process.euid != null }}" + - set: + process.parent.user.id: + - "{{ parse_event.message.process.parent_process.user.uid }}" + filter: "{{ parse_event.message.process.parent_process.user.uid != null }}" + - set: + process.parent.user.name: "{{ parse_event.message.process.parent_process.user.name }}" + - set: + process.parent.user.group.id: > + [{%- for item in parse_event.message.process.parent_process.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + process.parent.user.group.name: > + [{%- for item in parse_event.message.process.parent_process.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + + pipeline_object_proxy: + actions: [] + + pipeline_object_tls: + actions: + - set: + tls.cipher: "{{ parse_event.message.tls.cipher }}" + tls.client.ja3: "{{ parse_event.message.tls.ja3_hash.value }}" + tls.client.server_name: "{{ parse_event.message.tls.sni }}" + tls.client.x509.issuer.distinguished_name: "{{ parse_event.message.tls.certificate.issuer }}" + tls.client.x509.not_after: "{{ parse_event.message.tls.certificate.expiration_time | to_rfc3339 }}" + tls.client.x509.serial_number: "{{ parse_event.message.tls.certificate.serial_number }}" + 
tls.client.x509.subject.distinguished_name: "{{ parse_event.message.tls.certificate.subject }}" + tls.client.x509.version_number: "{{ parse_event.message.tls.certificate.version }}" + tls.server.ja3s: "{{ parse_event.message.tls.ja3s_hash.value }}" + tls.version: "{{ parse_event.message.tls.version }}" + + - set: + tls.client.supported_ciphers: "{{ parse_event.message.tls.client_ciphers }}" + tls.client.x509.alternative_names: > + [{% for item in parse_event.message.tls.sans %}'{{item.name}}',{% endfor %}] + + pipeline_object_traffic: + actions: + - set: + destination.bytes: "{{ parse_event.message.traffic.bytes_in }}" + source.bytes: "{{ parse_event.message.traffic.bytes_out }}" + destination.packets: "{{ parse_event.message.traffic.packets_in }}" + source.packets: "{{ parse_event.message.traffic.packets_out }}" + network.bytes: "{{ parse_event.message.traffic.bytes }}" + network.packets: "{{ parse_event.message.traffic.packets }}" + + pipeline_object_user: + actions: + - set: + user.target.domain: "{{ parse_event.message.user.domain }}" + user.target.email: "{{ parse_event.message.user.email_addr }}" + user.target.full_name: "{{ parse_event.message.user.full_name }}" + user.target.id: "{{ parse_event.message.user.uid }}" + user.target.name: "{{ parse_event.message.user.name }}" + + - set: + user.target.group.id: > + [{%- for item in parse_event.message.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}] + + user.target.group.name: > + [{%- for item in parse_event.message.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}] + + pipeline_object_file: + actions: + - set: + file.accessed: "{{ parse_event.message.file.accessed_time_dt or parse_event.message.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.file.created_time_dt or parse_event.message.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.file.parent_folder }}" + file.inode: "{{ 
parse_event.message.file.uid }}" + file.mime_type: "{{ parse_event.message.file.mime_type }}" + file.mtime: "{{ parse_event.message.file.modified_time_dt or parse_event.message.file.modified_time | to_rfc3339 }}" + file.name: "{{ parse_event.message.file.name }}" + file.owner: "{{ parse_event.message.file.owner.name }}" + file.path: "{{ parse_event.message.file.path }}" + file.size: "{{ parse_event.message.file.size }}" + file.type: "{{ parse_event.message.file.type }}" + file.uid: "{{ parse_event.message.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.file.signature.certificate.expiration_time_dt or parse_event.message.file.signature.certificate.expiration_time | to_rfc3339 }}" + file.x509.serial_number: "{{ parse_event.message.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.file.signature.certificate.version }}" + - set: + file.hash.md5: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value 
}}{%- endif -%}{%- endfor -%} + + pipeline_object_system_activity_helper: + actions: + - set: + file.accessed: "{{ parse_event.message.driver.file.accessed_time_dt or parse_event.message.driver.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.driver.file.created_time_dt or parse_event.message.driver.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.driver.file.parent_folder }}" + file.inode: "{{ parse_event.message.driver.file.uid }}" + file.mime_type: "{{ parse_event.message.driver.file.mime_type }}" + file.mtime: "{{ parse_event.message.driver.file.modified_time_dt or parse_event.message.driver.file.modified_time | to_rfc3339 }}" + file.name: "{{ parse_event.message.driver.file.name }}" + file.owner: "{{ parse_event.message.driver.file.owner.name }}" + file.path: "{{ parse_event.message.driver.file.path }}" + file.size: "{{ parse_event.message.driver.file.size }}" + file.type: "{{ parse_event.message.driver.file.type }}" + file.uid: "{{ parse_event.message.driver.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.driver.file.signature.certificate.expiration_time_dt or parse_event.message.driver.file.signature.certificate.expiration_time | to_rfc3339 }}" + file.x509.serial_number: "{{ parse_event.message.driver.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.driver.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.driver.file.signature.certificate.version }}" + filter: "{{ parse_event.message.driver.file != null }}" + + - set: + file.hash.md5: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 
'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.driver.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + filter: "{{ parse_event.message.driver.file != null }}" + + - set: + file.accessed: "{{ parse_event.message.job.file.accessed_time_dt or parse_event.message.job.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.job.file.created_time_dt or parse_event.message.job.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.job.file.parent_folder }}" + file.inode: "{{ parse_event.message.job.file.uid }}" + file.mime_type: "{{ parse_event.message.job.file.mime_type }}" + file.mtime: "{{ parse_event.message.job.file.modified_time_dt or parse_event.message.job.file.modified_time | to_rfc3339 }}" + file.name: "{{ parse_event.message.job.file.name }}" + file.owner: "{{ parse_event.message.job.file.owner.name }}" + file.path: "{{ parse_event.message.job.file.path }}" + file.size: "{{ parse_event.message.job.file.size }}" + file.type: "{{ parse_event.message.job.file.type }}" + file.uid: "{{ parse_event.message.job.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.job.file.signature.certificate.expiration_time_dt or parse_event.message.job.file.signature.certificate.expiration_time | to_rfc3339 }}" + 
file.x509.serial_number: "{{ parse_event.message.job.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.job.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.job.file.signature.certificate.version }}" + filter: "{{ parse_event.message.job.file != null }}" + + - set: + file.hash.md5: > + {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.job.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + filter: "{{ parse_event.message.job.file != null }}" + + - set: + file.accessed: "{{ parse_event.message.module.file.accessed_time_dt or parse_event.message.module.file.accessed_time | to_rfc3339 }}" + file.created: "{{ parse_event.message.module.file.created_time_dt or parse_event.message.module.file.created_time | to_rfc3339 }}" + file.directory: "{{ parse_event.message.module.file.parent_folder }}" + file.inode: "{{ parse_event.message.module.file.uid }}" + file.mime_type: "{{ parse_event.message.module.file.mime_type }}" + file.mtime: "{{ parse_event.message.module.file.modified_time_dt or parse_event.message.module.file.modified_time | to_rfc3339 }}" + file.name: "{{ 
parse_event.message.module.file.name }}" + file.owner: "{{ parse_event.message.module.file.owner.name }}" + file.path: "{{ parse_event.message.module.file.path }}" + file.size: "{{ parse_event.message.module.file.size }}" + file.type: "{{ parse_event.message.module.file.type }}" + file.uid: "{{ parse_event.message.module.file.owner.uid }}" + file.x509.issuer.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.issuer }}" + file.x509.not_after: "{{ parse_event.message.module.file.signature.certificate.expiration_time_dt or parse_event.message.module.file.signature.certificate.expiration_time | to_rfc3339 }}" + file.x509.serial_number: "{{ parse_event.message.module.file.signature.certificate.serial_number }}" + file.x509.subject.distinguished_name: "{{ parse_event.message.module.file.signature.certificate.subject }}" + file.x509.version_number: "{{ parse_event.message.module.file.signature.certificate.version }}" + filter: "{{ parse_event.message.module.file != null }}" + + - set: + file.hash.md5: > + {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'MD5' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha1: > + {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'SHA-1' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha256: > + {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'SHA-256' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.sha512: > + {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'SHA-512' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.ssdeep: > + {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'CTPH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + file.hash.tlsh: > + {%- for item in parse_event.message.module.file.hashes -%}{%- if item.algorithm == 'TLSH' -%}{{ item.value }}{%- endif -%}{%- endfor -%} + filter: "{{ 
parse_event.message.module.file != null }}"
+
+ pipeline_category_system_activity:
+ actions:
+ - set:
+ user.target.domain: "{{ parse_event.message.job.user.domain }}"
+ user.target.email: "{{ parse_event.message.job.user.email_addr }}"
+ user.target.full_name: "{{ parse_event.message.job.user.full_name }}"
+ user.target.id: "{{ parse_event.message.job.user.uid }}"
+ user.target.name: "{{ parse_event.message.job.user.name }}"
+ process.exit_code: "{{ parse_event.message.exit_code }}"
+
+ - set:
+ user.target.group.id: >
+ [{%- for item in parse_event.message.job.user.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+
+ user.target.group.name: >
+ [{%- for item in parse_event.message.job.user.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+
+ pipeline_category_findings:
+ actions:
+ - set:
+ event.reference: "{{ parse_event.message.finding.src_url }}"
+ event.risk_score: "{{ parse_event.message.risk_score }}"
+ event.reason: "{{parse_event.message.finding.title}}"
+
+ - set:
+ vulnerability.id: >
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.uid}}',{%- endfor -%}]
+ vulnerability.score.version: >
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.version}}',{%- endfor -%}]
+ vulnerability.description: >
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.desc}}',{%- endfor -%}]
+ vulnerability.score.base: >
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.cve.cvss.base_score | float}}',{%- endfor -%}]
+ vulnerability.severity: >
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.severity}}',{%- endfor -%}]
+ vulnerability.scanner.vendor: >
+ [{%- for item in parse_event.message.vulnerabilities -%}'{{item.vendor_name}}',{%- endfor -%}]
+ filter: "{{parse_event.message.vulnerabilities != null}}"
+
+ pipeline_category_identity_and_access_management:
+ actions:
+ - set:
+ user.changes.domain: "{{ 
parse_event.message.user_result.domain }}"
+ user.changes.email: "{{ parse_event.message.user_result.email_addr }}"
+ user.changes.full_name: "{{ parse_event.message.user_result.full_name }}"
+ user.changes.id: "{{ parse_event.message.user_result.uid }}"
+ user.changes.name: "{{ parse_event.message.user_result.name }}"
+ service.name: "{{ parse_event.message.service.name }}"
+ service.id: "{{ parse_event.message.service.uid }}"
+ service.version: "{{ parse_event.message.service.version }}"
+ group.name: "{{ parse_event.message.group.name }}"
+ group.id: "{{ parse_event.message.group.uid }}"
+
+ - set:
+ user.changes.group.id: >
+ [{%- for item in parse_event.message.user_result.groups -%}{%- if item.uid -%}'{{item.uid}}',{%- endif -%}{%- endfor -%}]
+
+ user.changes.group.name: >
+ [{%- for item in parse_event.message.user_result.groups -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+
+ pipeline_category_network_activity:
+ actions:
+ - set:
+ dns.question.name: "{{ parse_event.message.query.hostname }}"
+ - set:
+ dns.id: >
+ [
+ {%- for item in parse_event.message.answers -%}{% if item.packed_uid %}'{{item.packet_uid}}',{% endif %}{%- endfor -%}
+ {% if parse_event.message.query.packet_uid != null %}'{{ parse_event.message.query.packet_uid }}'{% endif %}
+ ]
+ dns.answers.class: >
+ [{%- for item in parse_event.message.answers -%}{%- if item.class -%}'{{item.class}}',{%- endif -%}{%- endfor -%}]
+ dns.answers.type: >
+ [{%- for item in parse_event.message.answers -%}{%- if item.type -%}'{{item.type}}',{%- endif -%}{%- endfor -%}]
+ dns.answers.ttl: >
+ [{%- for item in parse_event.message.answers -%}{%- if item.ttl -%}'{{item.ttl}}',{%- endif -%}{%- endfor -%}]
+ filter: "{{ parse_event.message.answers != null }}"
+ - set:
+ dns.question.class:
+ - "{{ parse_event.message.query.class }}"
+ filter: "{{ parse_event.message.query.class != null }}"
+ - set:
+ dns.question.type:
+ - "{{ parse_event.message.query.type }}"
+ filter: "{{ 
parse_event.message.query.type != null }}"
+ - set:
+ dns.response_code: "{{ parse_event.message.rcode }}"
+ http.response.status_code: "{{ parse_event.message.response.code }}"
+ http.response.body.bytes: "{{ parse_event.message.http_response.length }}"
+ http.response.body.content: "{{ parse_event.message.http_response.message }}"
+ observer.hostname: "{{ parse_event.message.relay.hostname }}"
+ observer.ip: "{{ parse_event.message.relay.ip }}"
+ observer.mac: "{{ parse_event.message.relay.mac }}"
+ observer.name: "{{ parse_event.message.relay.name }}"
+ observer.type: "{{ parse_event.message.relay.type }}"
+ http.request.id: "{{ parse_event.message.request.uid }}"
+ tls.server.certificate_chain: "{{ parse_event.message.certificate_chain }}"
+ email.cc.address: "{{ parse_event.message.email.cc }}"
+ email.local_id: "{{ parse_event.message.email.uid }}"
+ - set:
+ email.from.address:
+ - "{{ parse_event.message.email.from }}"
+ filter: "{{ parse_event.message.email.from != null }}"
+ - set:
+ email.message_id: "{{ parse_event.message.email.message_uid }}"
+ - set:
+ email.reply_to.address:
+ - "{{ parse_event.message.email.reply_to }}"
+ filter: "{{ parse_event.message.email.reply_to != null }}"
+ - set:
+ email.subject: "{{ parse_event.message.email.subject }}"
+ email.to.address: "{{ parse_event.message.email.to }}"
+ email.local_id: "{{ parse_event.message.email_uid }}"
+ url.query: "{{ parse_event.message.url.query_string }}"
+ url.domain: "{{ parse_event.message.url.hostname }}"
+ url.path: "{{ parse_event.message.url.path }}"
+ url.port: "{{ parse_event.message.url.port }}"
+ url.scheme: "{{ parse_event.message.url.scheme }}"
+ url.subdomain: "{{ parse_event.message.url.subdomain }}"
+ url.original: "{{ parse_event.message.url.url_string }}"
+ - set:
+ email.attachments.file.size: "{{ parse_event.message.file.size }}"
+ filter: "{{ parse_event.message.file.size != null }}"
+ - set:
+ email.attachments.file.name: "{{ parse_event.message.file.name }}"
+ 
filter: "{{ parse_event.message.file.name != null }}"
+
+ pipeline_category_application_activity:
+ actions:
+ - set:
+ package.description: >
+ [{%- for item in parse_event.message.web_resources -%}{%- if item.desc -%}'{{item.desc}}',{%- endif -%}{%- endfor -%}]
+ package.name: >
+ [{%- for item in parse_event.message.web_resources -%}{%- if item.name -%}'{{item.name}}',{%- endif -%}{%- endfor -%}]
+ package.type: >
+ [{%- for item in parse_event.message.web_resources -%}{%- if item.type -%}'{{item.type}}',{%- endif -%}{%- endfor -%}]
+
+ - set:
+ http.response.status_code: "{{ parse_event.message.http_response.code }}"
+ http.response.body.bytes: "{{ parse_event.message.http_response.length }}"
+ http.response.body.content: "{{ parse_event.message.http_response.message }}"
+
+ pipeline_category_discovery:
+ actions:
+ - set:
+ rule.category: "{{ parse_event.message.cis_benchmark_result.rule.category }}"
+ rule.description: "{{ parse_event.message.cis_benchmark_result.rule.desc }}"
+ rule.name: "{{ parse_event.message.cis_benchmark_result.rule.name }}"
+ rule.uuid: "{{ parse_event.message.cis_benchmark_result.rule.uid }}"
+ rule.version: "{{ parse_event.message.cis_benchmark_result.rule.version }}"
diff --git a/OCSF/ocsf/tests/test_account_change_1.json b/OCSF/ocsf/tests/test_account_change_1.json
new file mode 100644
index 000000000..9a09eed7b
--- /dev/null
+++ b/OCSF/ocsf/tests/test_account_change_1.json
@@ -0,0 +1,67 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 1700239437000, \"created_time_dt\": \"2023-11-17T16:43:57Z\", \"is_mfa\": false, \"issuer\": \"arn:aws:iam::112233445566:role/Admin\"}, \"user\": {\"account\": {\"uid\": \"112233445566\"}, \"credential_uid\": null, \"type\": \"AssumedRole\", \"uid\": \"arn:aws:sts::112233445566:assumed-role/Admin/Admin-user\", \"uid_alt\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}, \"api\": {\"operation\": \"CreateUser\", \"request\": {\"data\": {\"userName\": \"test_user2\"}, \"uid\": \"c99bf9da-e0bd-4bf7-bb32-example\"}, \"response\": {\"data\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"iam.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Account Change\", \"class_uid\": 3001, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"AWS Internal\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"7dd15a89-ae0f-4340-8e6c-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"test_user2\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.95.4.21\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.95.4.21\", \"uid\": null}, \"time\": 1679072879000, \"time_dt\": \"2023-03-17T17:07:59Z\", 
\"type_name\": \"Account Change: Create\", \"type_uid\": 300101, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"readOnly\": false, \"recipientAccountId\": \"112233445566\", \"requestParameters\": {\"userName\": \"test_user2\"}, \"responseElements\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"sessionCredentialFromConsole\": \"true\", \"userIdentity\": {\"sessionContext\": {\"attributes\": {\"mfaAuthenticated\": \"false\"}, \"sessionIssuer\": {\"accountId\": \"112233445566\", \"principalId\": \"AROA2W7SOKHEXAMPLE\", \"type\": \"Role\"}, \"webIdFederationData\": {}}}}, \"user\": {\"name\": \"test_user2\", \"uid\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 1700239437000, \"created_time_dt\": \"2023-11-17T16:43:57Z\", \"is_mfa\": false, \"issuer\": \"arn:aws:iam::112233445566:role/Admin\"}, \"user\": {\"account\": {\"uid\": \"112233445566\"}, \"credential_uid\": null, \"type\": \"AssumedRole\", \"uid\": \"arn:aws:sts::112233445566:assumed-role/Admin/Admin-user\", \"uid_alt\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}, \"api\": {\"operation\": \"CreateUser\", \"request\": {\"data\": {\"userName\": \"test_user2\"}, \"uid\": \"c99bf9da-e0bd-4bf7-bb32-example\"}, \"response\": {\"data\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"iam.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Account Change\", \"class_uid\": 3001, 
\"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"AWS Internal\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"7dd15a89-ae0f-4340-8e6c-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"test_user2\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.95.4.21\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.95.4.21\", \"uid\": null}, \"time\": 1679072879000, \"time_dt\": \"2023-03-17T17:07:59Z\", \"type_name\": \"Account Change: Create\", \"type_uid\": 300101, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"managementEvent\": true, \"readOnly\": false, \"recipientAccountId\": \"112233445566\", \"requestParameters\": {\"userName\": \"test_user2\"}, \"responseElements\": {\"user\": {\"arn\": \"arn:aws:iam::112233445566:user/test_user2\", \"createDate\": \"Mar 17, 2023 5:07:59 PM\", \"path\": \"/\", \"userId\": \"AIDA2W7SOKHEXAMPLE\", \"userName\": \"test_user2\"}}, \"sessionCredentialFromConsole\": \"true\", \"userIdentity\": {\"sessionContext\": {\"attributes\": {\"mfaAuthenticated\": \"false\"}, \"sessionIssuer\": {\"accountId\": \"112233445566\", \"principalId\": \"AROA2W7SOKHEXAMPLE\", \"type\": \"Role\"}, \"webIdFederationData\": {}}}}, \"user\": {\"name\": \"test_user2\", \"uid\": \"AROA2W7SOKHEXAMPLE:Admin-user\"}}", + "event": { + "action": "create", + "category": [ + "iam" + ], + "kind": "event", + "provider": "CloudTrail", + "severity": 1, + "type": [ + "creation", + "info", + "user" + ] + }, + "@timestamp": "2023-03-17T17:07:59Z", + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "ocsf": { + "activity_id": 1, + 
"activity_name": "Create",
+ "class_name": "Account Change",
+ "class_uid": 3001
+ },
+ "related": {
+ "ip": [
+ "52.95.4.21"
+ ]
+ },
+ "source": {
+ "address": "52.95.4.21",
+ "ip": "52.95.4.21"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:sts::112233445566:assumed-role/Admin/Admin-user",
+ "target": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "AROA2W7SOKHEXAMPLE:Admin-user",
+ "name": "test_user2"
+ }
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "AWS Internal",
+ "os": {
+ "name": "Other"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_api_activity_1.json b/OCSF/ocsf/tests/test_api_activity_1.json
new file mode 100644
index 000000000..1c78111ee
--- /dev/null
+++ b/OCSF/ocsf/tests/test_api_activity_1.json
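Review bot: The expected output pins `user.group.id`, `user.group.name`, `user.target.group.id` and `user.target.group.name` as `[]` although the input event carries no group objects at all, so the fixture locks in empty arrays that every downstream consumer then has to special-case instead of testing for absence. Those values come from the Jinja list-building templates, which have no `filter:` on the source field — compare the `user.target.group.id` set in `pipeline_category_system_activity`, which is unguarded, with the `vulnerability.*` set, which carries `filter: "{{parse_event.message.vulnerabilities != null}}"`; the template that fills `user.group.*` for this IAM-category event presumably sits in the common section outside this chunk. A guard such as `filter: "{{ parse_event.message.job.user.groups != null }}"` on each of those sets would let this fixture omit the `group` objects entirely. The same pattern produces the empty `package.description`, `package.name` and `package.type` arrays in test_api_activity_1.json, where the `web_resources` set in `pipeline_category_application_activity` likewise has no `filter:`.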
@@ -0,0 +1,68 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 0, \"created_time_dt\": null, \"issuer\": null}, \"user\": {\"account\": {\"uid\": \"1111111111111\"}, \"credential_uid\": \"AKIA3Z2XBVEXAMPLE\", \"name\": \"Level6\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::1111111111111:user/Level6\", \"uid_alt\": \"AIDADO2GQEXAMPLE\"}}, \"api\": {\"operation\": \"DescribeDirectConnectGateways\", \"request\": {\"data\": null, \"uid\": \"1c8a6220-4263-4763-b526-example\"}, \"response\": {\"data\": {\"directConnectGateways\": []}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"directconnect.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": null}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.05\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"71c88be9-ea5c-43c7-8c82-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"Level6\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"205.8.181.128\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"205.8.181.128\"}, \"status\": null, \"status_id\": 99, \"time\": 1695334972000, \"time_dt\": \"2023-09-21T22:22:52Z\", \"type_name\": \"API Activity: Read\", \"type_uid\": 600302, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111111\", \"requestParameters\": null, \"responseElements\": 
{\"directConnectGateways\": []}, \"userIdentity\": {}}}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Read\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"created_time\": 0, \"created_time_dt\": null, \"issuer\": null}, \"user\": {\"account\": {\"uid\": \"1111111111111\"}, \"credential_uid\": \"AKIA3Z2XBVEXAMPLE\", \"name\": \"Level6\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::1111111111111:user/Level6\", \"uid_alt\": \"AIDADO2GQEXAMPLE\"}}, \"api\": {\"operation\": \"DescribeDirectConnectGateways\", \"request\": {\"data\": null, \"uid\": \"1c8a6220-4263-4763-b526-example\"}, \"response\": {\"data\": {\"directConnectGateways\": []}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"directconnect.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"http_request\": {\"user_agent\": \"Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2\"}, \"metadata\": {\"log_name\": \"AwsApiCall\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": null}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.05\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"71c88be9-ea5c-43c7-8c82-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User\", \"type_id\": 4, \"value\": \"Level6\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"205.8.181.128\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"205.8.181.128\"}, \"status\": null, \"status_id\": 99, \"time\": 1695334972000, \"time_dt\": \"2023-09-21T22:22:52Z\", \"type_name\": \"API Activity: Read\", \"type_uid\": 600302, \"unmapped\": {\"eventType\": \"AwsApiCall\", \"recipientAccountId\": \"1111111111111\", 
\"requestParameters\": null, \"responseElements\": {\"directConnectGateways\": []}, \"userIdentity\": {}}}",
+ "event": {
+ "action": "read",
+ "category": [
+ "web"
+ ],
+ "kind": "event",
+ "provider": "CloudTrail",
+ "severity": 1,
+ "type": [
+ "info"
+ ]
+ },
+ "@timestamp": "2023-09-21T22:22:52Z",
+ "cloud": {
+ "provider": "AWS",
+ "region": "us-east-1"
+ },
+ "ocsf": {
+ "activity_id": 2,
+ "activity_name": "Read",
+ "class_name": "API Activity",
+ "class_uid": 6003
+ },
+ "package": {
+ "description": [],
+ "name": [],
+ "type": []
+ },
+ "related": {
+ "ip": [
+ "205.8.181.128"
+ ],
+ "user": [
+ "Level6"
+ ]
+ },
+ "source": {
+ "address": "205.8.181.128",
+ "ip": "205.8.181.128"
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "arn:aws:iam::1111111111111:user/Level6",
+ "name": "Level6"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Spider"
+ },
+ "name": "Boto3",
+ "original": "Boto3/1.15.2 Python/3.8.2 Linux/5.6.3-arch1-1 Botocore/1.18.2",
+ "os": {
+ "name": "Linux",
+ "version": "5.6.3"
+ },
+ "version": "1.15.2"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_api_activity_2.json b/OCSF/ocsf/tests/test_api_activity_2.json
new file mode 100644
index 000000000..d53c7b8a7
--- /dev/null
+++ b/OCSF/ocsf/tests/test_api_activity_2.json
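Review bot: The expected output drops `actor.user.credential_uid` (`AKIA3Z2XBVEXAMPLE`, the access key that issued the call) and `status_id: 99`, both present in the input, so this fixture would not catch a regression in mapping the two fields an analyst pivots on first for CloudTrail API activity. The actor and status mappings are not in this chunk, so this may be deliberate; if it is not, mapping `status_id` to `event.outcome`, carrying the credential id under the `ocsf` object the fixture already populates, and asserting both values here would make the test considerably more useful. The `package` object with three empty arrays is the unguarded-template issue already noted on test_account_change_1.json.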
@@ -0,0 +1,69 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"session\": {\"credential_uid\": \"EXAMPLEUIDTEST\", \"issuer\": \"arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912\", \"uid\": \"i-12345678901\"}, \"user\": {\"groups\": [{\"name\": \"system:bootstrappers\"}, {\"name\": \"system:nodes\"}, {\"name\": \"system:authenticated\"}], \"name\": \"system:node:ip-192-001-02-03.ec2.internal\", \"type_id\": 0, \"uid\": \"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE\"}}, \"api\": {\"operation\": \"create\", \"request\": {\"uid\": \"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64\"}, \"response\": {\"code\": 201}, \"version\": \"v1\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"account\": {\"uid\": \"arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901\"}, \"provider\": \"AWS\"}, \"http_request\": {\"url\": {\"path\": \"/api/v1/nodes\"}, \"user_agent\": \"kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc\"}, \"message\": \"ResponseComplete\", \"metadata\": {\"log_level\": \"RequestResponse\", \"product\": {\"feature\": {\"name\": \"Elastic Kubernetes Service\"}, \"name\": \"Amazon EKS\", \"vendor_name\": \"AWS\", \"version\": \"audit.k8s.io/v1\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User Name\", \"type_id\": 4, \"value\": \"system:node:ip-192-001-02-03.ec2.internal\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"12.000.22.33\"}, {\"name\": \"http_request.url.path\", \"type\": \"URL String\", \"type_id\": 6, \"value\": \"/api/v1/nodes\"}], \"resources\": [{\"name\": \"ip-192-001-02-03.ec2.internal\", \"type\": \"nodes\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": 
\"12.000.22.33\"}, \"start_time_dt\": \"2021-09-07 20:37:30.502000\", \"time\": 1631047050642, \"time_dt\": \"2021-09-07 20:37:30.642000\", \"type_name\": \"API Activity: Create\", \"type_uid\": 600301, \"unmapped\": {\"responseObject.status.capacity.cpu\": \"4\", \"annotations.authorization.k8s.io/reason\": \"\", \"requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.managedFields[].time\": \"2021-09-07T20:37:30Z\", \"responseObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"requestObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.metadata.managedFields[].manager\": \"kubelet\", \"annotations.authorization.k8s.io/decision\": \"allow\", \"requestObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.apiVersion\": \"v1\", \"requestObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"requestObject.status.allocatable.hugepages-2Mi\": \"0\", \"requestObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.status.allocatable.memory\": \"15076868Ki\", \"responseObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", 
\"requestObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"responseObject.status.allocatable.pods\": \"58\", \"requestObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"responseObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"responseObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"responseObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"requestObject.apiVersion\": \"v1\", \"requestObject.status.capacity.cpu\": \"4\", \"requestObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.allocatable.hugepages-2Mi\": \"0\", \"responseObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"requestObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.metadata.creationTimestamp\": \"2021-09-07T20:37:30Z\", \"requestObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"requestObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", 
\"responseObject.kind\": \"Node\", \"requestObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"requestObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"requestObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"requestObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.status.nodeInfo.operatingSystem\": \"linux\", \"requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"responseObject.status.capacity.memory\": \"16093700Ki\", \"requestObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"requestObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.allocatable.memory\": \"15076868Ki\", \"requestObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"responseObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"requestObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.nodeInfo.architecture\": \"amd64\", 
\"responseObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.capacity.hugepages-2Mi\": \"0\", \"requestObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"responseObject.spec.taints[].effect\": \"NoSchedule\", \"requestObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"kind\": \"Event\", \"responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"responseObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"requestObject.status.allocatable.hugepages-1Gi\": \"0\", \"requestObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.allocatable.cpu\": \"3920m\", \"requestObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.nodeInfo.operatingSystem\": \"linux\", \"responseObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.status.nodeInfo.systemUUID\": 
\"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"responseObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"requestObject.kind\": \"Node\", \"requestObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"responseObject.metadata.uid\": \"4ecf628a-1b50-47ed-932c-bb1df89dad10\", \"responseObject.status.capacity.hugepages-2Mi\": \"0\", \"responseObject.metadata.managedFields[].fieldsType\": \"FieldsV1\", \"responseObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"responseObject.status.capacity.pods\": \"58\", \"requestObject.status.capacity.memory\": \"16093700Ki\", \"responseObject.metadata.managedFields[].apiVersion\": \"v1\", \"responseObject.status.allocatable.hugepages-1Gi\": \"0\", \"responseObject.metadata.resourceVersion\": \"67933403\", \"responseObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"requestObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"requestObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"responseObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"responseObject.status.addresses[].type\": 
\"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"responseObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.managedFields[].operation\": \"Update\", \"responseObject.status.allocatable.cpu\": \"3920m\", \"responseObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"responseObject.spec.taints[].key\": \"node.kubernetes.io/not-ready\", \"sourceIPs[]\": \"12.000.22.33\", \"requestObject.status.capacity.pods\": \"58\", \"requestObject.status.allocatable.pods\": \"58\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"actor\": {\"session\": {\"credential_uid\": \"EXAMPLEUIDTEST\", \"issuer\": \"arn:aws:iam::123456789012:role/example-test-161366663-NodeInstanceRole-abc12345678912\", \"uid\": \"i-12345678901\"}, \"user\": {\"groups\": [{\"name\": \"system:bootstrappers\"}, {\"name\": \"system:nodes\"}, {\"name\": \"system:authenticated\"}], \"name\": \"system:node:ip-192-001-02-03.ec2.internal\", \"type_id\": 0, \"uid\": \"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE\"}}, \"api\": {\"operation\": \"create\", \"request\": {\"uid\": \"f47c68f2-d3ac-4f96-b2f4-5d497bf79b64\"}, \"response\": {\"code\": 201}, \"version\": \"v1\"}, \"category_name\": \"Application Activity\", \"category_uid\": 6, \"class_name\": \"API Activity\", \"class_uid\": 6003, \"cloud\": {\"account\": {\"uid\": \"arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901\"}, \"provider\": \"AWS\"}, \"http_request\": {\"url\": {\"path\": \"/api/v1/nodes\"}, \"user_agent\": \"kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc\"}, \"message\": \"ResponseComplete\", \"metadata\": {\"log_level\": \"RequestResponse\", \"product\": {\"feature\": {\"name\": \"Elastic Kubernetes Service\"}, \"name\": \"Amazon EKS\", \"vendor_name\": \"AWS\", \"version\": \"audit.k8s.io/v1\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": 
\"1.1.0\"}, \"observables\": [{\"name\": \"actor.user.name\", \"type\": \"User Name\", \"type_id\": 4, \"value\": \"system:node:ip-192-001-02-03.ec2.internal\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"12.000.22.33\"}, {\"name\": \"http_request.url.path\", \"type\": \"URL String\", \"type_id\": 6, \"value\": \"/api/v1/nodes\"}], \"resources\": [{\"name\": \"ip-192-001-02-03.ec2.internal\", \"type\": \"nodes\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"12.000.22.33\"}, \"start_time_dt\": \"2021-09-07 20:37:30.502000\", \"time\": 1631047050642, \"time_dt\": \"2021-09-07 20:37:30.642000\", \"type_name\": \"API Activity: Create\", \"type_uid\": 600301, \"unmapped\": {\"responseObject.status.capacity.cpu\": \"4\", \"annotations.authorization.k8s.io/reason\": \"\", \"requestObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", \"responseObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.managedFields[].time\": \"2021-09-07T20:37:30Z\", \"responseObject.status.nodeInfo.kubeletVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"requestObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.metadata.managedFields[].manager\": \"kubelet\", \"annotations.authorization.k8s.io/decision\": \"allow\", \"requestObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateVersion\": \"1\", 
\"responseObject.apiVersion\": \"v1\", \"requestObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"requestObject.status.allocatable.hugepages-2Mi\": \"0\", \"requestObject.metadata.labels.alpha.eksctl.io/cluster-name\": \"ABCD1234567890EXAMPLE\", \"responseObject.status.allocatable.memory\": \"15076868Ki\", \"responseObject.status.conditions[].lastHeartbeatTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"requestObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"responseObject.status.allocatable.pods\": \"58\", \"requestObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"responseObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", \"responseObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"responseObject.status.capacity.hugepages-1Gi\": \"0\", \"responseObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"requestObject.apiVersion\": \"v1\", \"requestObject.status.capacity.cpu\": \"4\", \"requestObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup-image\": \"ami-0193ebf9573ebc9f7\", \"responseObject.metadata.labels.node.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.allocatable.hugepages-2Mi\": \"0\", \"responseObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"requestObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", 
\"requestObject.status.allocatable.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.metadata.creationTimestamp\": \"2021-09-07T20:37:30Z\", \"requestObject.metadata.labels.kubernetes.io/hostname\": \"ip-192-001-02-03.ec2.internal\", \"requestObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"requestObject.status.nodeInfo.kubeProxyVersion\": \"v1.21.2-eks-55daa9d\", \"responseObject.kind\": \"Node\", \"requestObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"requestObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"requestObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.metadata.labels.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"requestObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.status.nodeInfo.operatingSystem\": \"linux\", \"requestObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"responseObject.status.capacity.memory\": \"16093700Ki\", \"requestObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"requestObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.allocatable.memory\": \"15076868Ki\", \"requestObject.status.conditions[].lastHeartbeatTime\": 
\"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"responseObject.status.capacity.attachable-volumes-aws-ebs\": \"25\", \"responseObject.status.nodeInfo.osImage\": \"Amazon Linux 2\", \"responseObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.metadata.labels.alpha.eksctl.io/nodegroup-name\": \"ng-5fe434eb\", \"requestObject.metadata.labels.beta.kubernetes.io/instance-type\": \"m5.xlarge\", \"responseObject.status.nodeInfo.architecture\": \"amd64\", \"responseObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.capacity.hugepages-2Mi\": \"0\", \"requestObject.status.conditions[].message\": \"kubelet has sufficient memory available,kubelet has no disk pressure,kubelet has sufficient PID available,[container runtime status check may not have completed yet, container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized, CSINode is not yet initialized, missing node capacity for resources: ephemeral-storage]\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.labels.eks.amazonaws.com/sourceLaunchTemplateId\": \"lt-0f20d6f901007611e\", \"responseObject.spec.taints[].effect\": \"NoSchedule\", \"requestObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"requestObject.metadata.name\": \"ip-192-001-02-03.ec2.internal\", \"responseObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"kind\": \"Event\", \"responseObject.metadata.annotations.volumes.kubernetes.io/controller-managed-attach-detach\": \"true\", \"responseObject.status.nodeInfo.bootID\": \"0d0dd4f2-8829-4b03-9f29-794f4908281b\", \"responseObject.status.conditions[].status\": \"False,False,False,False\", \"requestObject.metadata.labels.beta.kubernetes.io/os\": \"linux\", 
\"requestObject.status.allocatable.hugepages-1Gi\": \"0\", \"requestObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"requestObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.status.allocatable.cpu\": \"3920m\", \"requestObject.metadata.labels.kubernetes.io/os\": \"linux\", \"requestObject.status.nodeInfo.operatingSystem\": \"linux\", \"responseObject.status.daemonEndpoints.kubeletEndpoint.Port\": \"10250\", \"responseObject.status.nodeInfo.systemUUID\": \"ec2483c6-33b0-e271-f36c-e14e45a361b8\", \"responseObject.metadata.labels.failure-domain.beta.kubernetes.io/zone\": \"us-east-1f\", \"requestObject.metadata.labels.topology.kubernetes.io/zone\": \"us-east-1f\", \"responseObject.status.nodeInfo.containerRuntimeVersion\": \"docker://19.3.13\", \"requestObject.status.nodeInfo.kernelVersion\": \"5.4.141-67.229.amzn2.x86_64\", \"requestObject.kind\": \"Node\", \"requestObject.spec.providerID\": \"aws:///us-east-1f/i-12345678901\", \"responseObject.metadata.uid\": \"4ecf628a-1b50-47ed-932c-bb1df89dad10\", \"responseObject.status.capacity.hugepages-2Mi\": \"0\", \"responseObject.metadata.managedFields[].fieldsType\": \"FieldsV1\", \"responseObject.metadata.labels.topology.kubernetes.io/region\": \"us-east-1\", \"responseObject.status.capacity.pods\": \"58\", \"requestObject.status.capacity.memory\": \"16093700Ki\", \"responseObject.metadata.managedFields[].apiVersion\": \"v1\", \"responseObject.status.allocatable.hugepages-1Gi\": \"0\", \"responseObject.metadata.resourceVersion\": \"67933403\", \"responseObject.status.addresses[].address\": \"192.000.22.33,12.000.22.33,ip-192-001-02-03.ec2.internal,ip-192-001-02-03.ec2.internal,ec2-12.000.22.33.compute-1.amazonaws.com\", \"requestObject.status.conditions[].lastTransitionTime\": \"2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z,2021-09-07T20:37:28Z\", \"requestObject.status.nodeInfo.kubeletVersion\": 
\"v1.21.2-eks-55daa9d\", \"responseObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.metadata.labels.eks.amazonaws.com/nodegroup\": \"ng-5fe434eb\", \"requestObject.status.conditions[].reason\": \"KubeletHasSufficientMemory,KubeletHasNoDiskPressure,KubeletHasSufficientPID,KubeletNotReady\", \"responseObject.metadata.labels.eks.amazonaws.com/capacityType\": \"ON_DEMAND\", \"requestObject.status.nodeInfo.machineID\": \"ec2483c633b0e271f36ce14e45a361b8\", \"responseObject.status.addresses[].type\": \"InternalIP,ExternalIP,Hostname,InternalDNS,ExternalDNS\", \"responseObject.metadata.labels.beta.kubernetes.io/arch\": \"amd64\", \"responseObject.metadata.managedFields[].operation\": \"Update\", \"responseObject.status.allocatable.cpu\": \"3920m\", \"responseObject.status.conditions[].type\": \"MemoryPressure,DiskPressure,PIDPressure,Ready\", \"responseObject.spec.taints[].key\": \"node.kubernetes.io/not-ready\", \"sourceIPs[]\": \"12.000.22.33\", \"requestObject.status.capacity.pods\": \"58\", \"requestObject.status.allocatable.pods\": \"58\"}}", + "event": { + "action": "create", + "category": [ + "web" + ], + "kind": "event", + "reason": "ResponseComplete", + "severity": 1, + "start": "2021-09-07T20:37:30.502000Z", + "type": [ + "info" + ] + }, + "@timestamp": "2021-09-07T20:37:30.642000Z", + "cloud": { + "account": { + "id": "arn:aws:sts::123456789012:assumed-role/example-test-161366663-NodeInstanceRole-abc12345678912/i-12345678901" + }, + "provider": "AWS" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "class_name": "API Activity", + "class_uid": 6003 + }, + "package": { + "description": [], + "name": [], + "type": [] + }, + "related": { + "user": [ + "system:node:ip-192-001-02-03.ec2.internal" + ] + }, + "url": { + "path": "/api/v1/nodes" + }, + "user": { + "group": { + "id": [], + "name": [ + "system:authenticated", + "system:bootstrappers", + "system:nodes" + ] + }, + "id": 
"heptio-authenticator-aws:123456789012:ABCD1234567890EXAMPLE",
+ "name": "system:node:ip-192-001-02-03.ec2.internal"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Other",
+ "original": "kubelet/v1.21.2 (linux/amd64) kubernetes/729bdfc",
+ "os": {
+ "name": "Linux"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_authentication_1.json b/OCSF/ocsf/tests/test_authentication_1.json
new file mode 100644
index 000000000..3bae772bc
--- /dev/null
+++ b/OCSF/ocsf/tests/test_authentication_1.json
@@ -0,0 +1,76 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"issuer\": null}, \"user\": {\"account\": {\"uid\": \"111122223333\"}, \"credential_uid\": null, \"name\": \"anaya\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}, \"api\": {\"operation\": \"ConsoleLogin\", \"request\": {\"data\": null, \"uid\": \"\"}, \"response\": {\"data\": {\"ConsoleLogin\": \"Success\"}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"signin.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"dst_endpoint\": {\"svc_name\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\"}, \"http_request\": {\"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"}, \"is_mfa\": true, \"metadata\": {\"event_code\": \"AwsConsoleSignIn\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"fed06f42-cb12-4764-8c69-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"192.0.2.0\"}], \"session\": {\"expiration_time\": null}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"192.0.2.0\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1699633474000, \"time_dt\": \"2023-11-10T16:24:34Z\", \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"additionalEventData\": {\"LoginTo\": 
\"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\", \"MFAIdentifier\": \"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\", \"MobileVersion\": \"No\"}, \"eventType\": \"AwsConsoleSignIn\", \"recipientAccountId\": \"111122223333\", \"requestParameters\": null, \"responseElements\": {}, \"userIdentity\": {}}, \"user\": {\"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"idp\": {\"name\": null}, \"invoked_by\": null, \"session\": {\"issuer\": null}, \"user\": {\"account\": {\"uid\": \"111122223333\"}, \"credential_uid\": null, \"name\": \"anaya\", \"type\": \"IAMUser\", \"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}, \"api\": {\"operation\": \"ConsoleLogin\", \"request\": {\"data\": null, \"uid\": \"\"}, \"response\": {\"data\": {\"ConsoleLogin\": \"Success\"}, \"error\": null, \"message\": null}, \"service\": {\"name\": \"signin.amazonaws.com\"}, \"version\": null}, \"category_name\": \"Identity & Access Management Category\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"cloud\": {\"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"dst_endpoint\": {\"svc_name\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\"}, \"http_request\": {\"user_agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36\"}, \"is_mfa\": true, \"metadata\": {\"event_code\": \"AwsConsoleSignIn\", \"log_provider\": \"CloudTrail\", \"product\": {\"feature\": {\"name\": \"Management\"}, \"name\": \"CloudTrail\", \"vendor_name\": \"AWS\", \"version\": \"1.08\"}, \"profiles\": [\"cloud\", \"datetime\"], \"uid\": \"fed06f42-cb12-4764-8c69-example\", \"version\": \"1.1.0\"}, \"observables\": [{\"name\": 
\"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"192.0.2.0\"}], \"session\": {\"expiration_time\": null}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"192.0.2.0\"}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1699633474000, \"time_dt\": \"2023-11-10T16:24:34Z\", \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"additionalEventData\": {\"LoginTo\": \"https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true\", \"MFAIdentifier\": \"arn:aws:iam::111122223333:u2f/user/anaya/default-AAAAAAAABBBBBBBBCCCCCCCCDD\", \"MobileVersion\": \"No\"}, \"eventType\": \"AwsConsoleSignIn\", \"recipientAccountId\": \"111122223333\", \"requestParameters\": null, \"responseElements\": {}, \"userIdentity\": {}}, \"user\": {\"uid\": \"arn:aws:iam::111122223333:user/anaya\", \"uid_alt\": \"AIDACKCEVSQ6C2EXAMPLE\"}}", + "event": { + "action": "logon", + "category": [ + "authentication" + ], + "code": "AwsConsoleSignIn", + "kind": "event", + "outcome": "success", + "provider": "CloudTrail", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2023-11-10T16:24:34Z", + "cloud": { + "provider": "AWS", + "region": "us-east-1" + }, + "network": { + "application": "https://console.aws.amazon.com/console/home?state=hashArgs%23&isauthcode=true" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Logon", + "class_name": "Authentication", + "class_uid": 3002 + }, + "related": { + "ip": [ + "192.0.2.0" + ], + "user": [ + "anaya" + ] + }, + "source": { + "address": "192.0.2.0", + "ip": "192.0.2.0" + }, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": "arn:aws:iam::111122223333:user/anaya", + "name": "anaya", + "target": { + "group": { + "id": [], + "name": [] + }, + "id": "arn:aws:iam::111122223333:user/anaya" + } + }, + "user_agent": { + "device": { + "name": "Mac" + }, + "name": "Chrome", + "original": "Mozilla/5.0 (Macintosh; Intel Mac OS 
X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.11.6"
+ },
+ "version": "67.0.3396"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_authentication_2.json b/OCSF/ocsf/tests/test_authentication_2.json
new file mode 100644
index 000000000..41c2d96a4
--- /dev/null
+++ b/OCSF/ocsf/tests/test_authentication_2.json
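Review bot: The expected document drops `is_mfa: true` from the input, so the one field that distinguishes an MFA console sign-in from a password-only one is not queryable after normalisation; the parser is not in this chunk, but carrying it through as a boolean (for example under the `ocsf` namespace declared in fields.yml) and asserting it here would pin that contract. The same applies to `metadata.uid` (`fed06f42-cb12-4764-8c69-example`), which is the natural source for `event.id` and is absent from the expected output. `network.application` is set to the full `LoginTo` URL, whereas ECS reserves that field for an application-protocol name; `url.original` is the better home for a URL value. The empty `user.group.id: []` / `user.group.name: []` arrays (also present in the test_authentication_2 and test_authentication_3 fixtures) are placeholders rather than data and should be omitted from the expected document instead of asserted.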
@@ -0,0 +1,81 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 848}, \"session\": {\"uid\": \"0x3E7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"WIN-DC-725$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"auth_protocol\": \"Other\", \"auth_protocol_id\": 99, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"win-dc-725.attackrange.local\"}, \"logon_process\": {\"name\": \"Advapi \", \"pid\": -1}, \"logon_type\": \"OS Service\", \"logon_type_id\": 5, \"message\": \"An account was successfully logged on.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"ce139867-ced1-4742-9bb0-ad1926b8bbe1\", \"version\": \"1.0.0-rc.2\"}, \"session\": {\"uid\": \"0x3E7\", \"uuid\": \"{00000000-0000-0000-0000-000000000000}\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"-\", \"port\": 0}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4624\", \"EventType\": \"0\", \"Impersonation Level\": \"Impersonation\", \"Logon 
Information\": {\"Elevated Token\": \"Yes\", \"Restricted Admin Mode\": \"-\", \"Virtual Account\": \"No\"}, \"New Logon\": {\"Linked Logon ID\": \"0x0\", \"Network Account Domain\": \"-\", \"Network Account Name\": \"-\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"257879\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"NT AUTHORITY\", \"name\": \"SYSTEM\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 848}, \"session\": {\"uid\": \"0x3E7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"WIN-DC-725$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"auth_protocol\": \"Other\", \"auth_protocol_id\": 99, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"win-dc-725.attackrange.local\"}, \"logon_process\": {\"name\": \"Advapi \", \"pid\": -1}, \"logon_type\": \"OS Service\", \"logon_type_id\": 5, \"message\": \"An account was successfully logged on.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"ce139867-ced1-4742-9bb0-ad1926b8bbe1\", \"version\": \"1.0.0-rc.2\"}, \"session\": {\"uid\": \"0x3E7\", \"uuid\": 
\"{00000000-0000-0000-0000-000000000000}\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"-\", \"port\": 0}, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4624\", \"EventType\": \"0\", \"Impersonation Level\": \"Impersonation\", \"Logon Information\": {\"Elevated Token\": \"Yes\", \"Restricted Admin Mode\": \"-\", \"Virtual Account\": \"No\"}, \"New Logon\": {\"Linked Logon ID\": \"0x0\", \"Network Account Domain\": \"-\", \"Network Account Name\": \"-\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"257879\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"NT AUTHORITY\", \"name\": \"SYSTEM\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}", + "event": { + "action": "logon", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "success", + "reason": "An account was successfully logged on.", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2021-03-12T15:48:14Z", + "destination": { + "address": "win-dc-725.attackrange.local", + "domain": "win-dc-725.attackrange.local", + "subdomain": "win-dc-725.attackrange" + }, + "file": { + "directory": "C:\\Windows\\System32", + "name": "services.exe", + "path": "C:\\Windows\\System32\\services.exe", + "type": "Regular File" + }, + "host": { + "hostname": "win-dc-725.attackrange.local", + "name": "win-dc-725.attackrange.local", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Logon", + "class_name": "Authentication", + "class_uid": 3002 + }, + "process": { + "pid": 848 + }, + "related": { 
+ "hosts": [
+ "win-dc-725.attackrange.local"
+ ],
+ "user": [
+ "WIN-DC-725$"
+ ]
+ },
+ "source": {
+ "port": 0
+ },
+ "user": {
+ "domain": "ATTACKRANGE",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "WIN-DC-725$",
+ "target": {
+ "domain": "NT AUTHORITY",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NT AUTHORITY\\SYSTEM",
+ "name": "SYSTEM"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_authentication_3.json b/OCSF/ocsf/tests/test_authentication_3.json
new file mode 100644
index 000000000..3504b1c8a
--- /dev/null
+++ b/OCSF/ocsf/tests/test_authentication_3.json
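Review bot: The acting process's file (`services.exe`, `C:\\Windows\\System32\\services.exe`) lands under the top-level `file.*` object while `process` carries only `pid: 848`; in ECS the executable of the acting process belongs in `process.name` / `process.executable`, and `file.*` on a logon event reads as if a file were the object of the action. `source.port: 0` is kept although the sibling `src_endpoint.ip` and `src_endpoint.name` values are the `-` placeholder and are (correctly) dropped, so the `0` is a placeholder too and should be omitted rather than asserted. `logon_type_id: 5` / `logon_type: "OS Service"` and `auth_protocol` from the input appear nowhere in the expected output, yet logon type is the primary pivot when triaging Windows 4624 events; preserving them under the `ocsf` namespace would keep that signal. The parser that produces this document is not in this chunk, so these are observations on the fixture's contract rather than on the mapping code.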
@@ -0,0 +1,72 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"-\", \"path\": \"-\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 0}, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"auth_protocol\": \"NTLM\", \"auth_protocol_id\": 1, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\"}, \"logon_process\": {\"name\": \"NtLmSsp \", \"pid\": -1}, \"logon_type\": \"Network\", \"logon_type_id\": 3, \"message\": \"An account failed to log on.\", \"metadata\": {\"original_time\": \"10/08/2020 12:41:47 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a738d6e6-4ebd-49bb-805e-45d0604a1bef\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"EC2AMAZ-6KJ2BPP\", \"port\": 0}, \"status\": \"0xC000006D\", \"status_detail\": \"Unknown user name or bad password.\", \"status_id\": 2, \"time\": 1602175307000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4625\", \"EventType\": \"0\", \"Failure Information\": {\"Sub Status\": \"0xC000006A\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"223742\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", 
\"account_type_id\": 2, \"domain\": \"EC2AMAZ-6KJ2BPP\", \"name\": \"Administrator\", \"uid\": \"NULL SID\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Logon\", \"actor\": {\"process\": {\"file\": {\"name\": \"-\", \"path\": \"-\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 0}, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"auth_protocol\": \"NTLM\", \"auth_protocol_id\": 1, \"category_name\": \"Audit Activity\", \"category_uid\": 3, \"class_name\": \"Authentication\", \"class_uid\": 3002, \"device\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"dst_endpoint\": {\"hostname\": \"EC2AMAZ-6KJ2BPP\"}, \"logon_process\": {\"name\": \"NtLmSsp \", \"pid\": -1}, \"logon_type\": \"Network\", \"logon_type_id\": 3, \"message\": \"An account failed to log on.\", \"metadata\": {\"original_time\": \"10/08/2020 12:41:47 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a738d6e6-4ebd-49bb-805e-45d0604a1bef\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"-\", \"name\": \"EC2AMAZ-6KJ2BPP\", \"port\": 0}, \"status\": \"0xC000006D\", \"status_detail\": \"Unknown user name or bad password.\", \"status_id\": 2, \"time\": 1602175307000, \"type_name\": \"Authentication: Logon\", \"type_uid\": 300201, \"unmapped\": {\"Detailed Authentication Information\": {\"Key Length\": \"0\", \"Package Name (NTLM only)\": \"-\", \"Transited Services\": \"-\"}, \"EventCode\": \"4625\", \"EventType\": \"0\", \"Failure Information\": {\"Sub Status\": \"0xC000006A\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"223742\", \"SourceName\": \"Microsoft Windows 
security auditing.\", \"TaskCategory\": \"Logon\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"EC2AMAZ-6KJ2BPP\", \"name\": \"Administrator\", \"uid\": \"NULL SID\"}}",
+ "event": {
+ "action": "logon",
+ "category": [
+ "authentication"
+ ],
+ "kind": "event",
+ "outcome": "failure",
+ "reason": "An account failed to log on.",
+ "severity": 1,
+ "type": [
+ "info",
+ "start"
+ ]
+ },
+ "@timestamp": "2020-10-08T16:41:47Z",
+ "destination": {
+ "address": "EC2AMAZ-6KJ2BPP",
+ "domain": "EC2AMAZ-6KJ2BPP"
+ },
+ "file": {
+ "type": "Regular File"
+ },
+ "host": {
+ "hostname": "EC2AMAZ-6KJ2BPP",
+ "name": "EC2AMAZ-6KJ2BPP",
+ "os": {
+ "name": "Windows",
+ "type": "Windows"
+ },
+ "type": "Unknown"
+ },
+ "ocsf": {
+ "activity_id": 1,
+ "activity_name": "Logon",
+ "class_name": "Authentication",
+ "class_uid": 3002
+ },
+ "process": {
+ "pid": 0
+ },
+ "related": {
+ "hosts": [
+ "EC2AMAZ-6KJ2BPP"
+ ]
+ },
+ "source": {
+ "port": 0
+ },
+ "user": {
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NULL SID",
+ "target": {
+ "domain": "EC2AMAZ-6KJ2BPP",
+ "group": {
+ "id": [],
+ "name": []
+ },
+ "id": "NULL SID",
+ "name": "Administrator"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_compliance_finding_1.json b/OCSF/ocsf/tests/test_compliance_finding_1.json
new file mode 100644
index 000000000..5b2f713c5
--- /dev/null
+++ b/OCSF/ocsf/tests/test_compliance_finding_1.json
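Review bot: `related.user` is absent from this expected document because only the actor name (`-`) feeds it, so the targeted account `Administrator` (present as `user.target.name`) cannot be found with a `related.user` pivot, which is the field analysts use to find failed logons against a given account; test_authentication_2 has the same gap, where the target `SYSTEM` is missing from `related.user`. The failure detail from the input — `status: "0xC000006D"` and `status_detail: "Unknown user name or bad password."` — is not surfaced anywhere; `event.reason` carries only the generic `An account failed to log on.`, and `error.code` / `error.message` would be the natural ECS home for the NTSTATUS code and its text. `src_endpoint.name: "EC2AMAZ-6KJ2BPP"` is dropped while the placeholder `source.port: 0` is kept; test_authentication_1 maps `src_endpoint.ip` into `source.address`, so the hostname should likewise populate `source.address` / `source.domain`. The parser is not in this chunk, so this is reviewed as the fixture's contract.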
@@ -0,0 +1,28 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": [\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": 
\"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Compliance Finding\", \"class_uid\": 2003, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"compliance\": {\"control\": \"Config.1\", \"requirements\": [\"PCI DSS 10.5.2\", \"PCI DSS 11.5\"], \"standards\": 
[\"standards/pci-dss/v/3.2.1\"], \"status\": \"FAILED\"}, \"finding_info\": {\"created_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"desc\": \"This AWS control checks whether AWS Config is enabled in current account and region.\", \"first_seen_time_dt\": \"2023-01-13T15:08:44.967-05:00\", \"last_seen_time_dt\": \"2023-07-21T14:12:05.693-04:00\", \"modified_time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"title\": \"PCI.Config.1 AWS Config should be enabled\", \"types\": [\"Software and Configuration Checks/Industry and Regulatory Standards/PCI-DSS\"], \"uid\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2023-07-21T14:12:08.489-04:00\", \"product\": {\"feature\": {\"uid\": \"pci-dss/v/3.2.1/PCI.Config.1\"}, \"name\": \"Security Hub\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub\", \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::::Account:111111111111\"}], \"remediation\": {\"desc\": \"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\", \"references\": [\"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\"]}, \"resource\": {\"cloud_partition\": \"aws\", \"region\": \"us-east-2\", \"type\": \"AwsAccount\", \"uid\": \"AWS::::Account:111111111111\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1689963113060, \"time_dt\": \"2023-07-21T14:11:53.060-04:00\", \"type_name\": \"Compliance Finding: Update\", \"type_uid\": 200302, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"MEDIUM\", \"FindingProviderFields.Severity.Original\": \"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Industry and 
Regulatory Standards/PCI-DSS\", \"ProductFields.ControlId\": \"PCI.Config.1\", \"ProductFields.RecommendationUrl\": \"https://docs.aws.amazon.com/console/securityhub/Config.1/remediation\", \"ProductFields.Resources:0/Id\": \"arn:aws:iam::111111111111:root\", \"ProductFields.StandardsArn\": \"arn:aws:securityhub:::standards/pci-dss/v/3.2.1\", \"ProductFields.StandardsControlArn\": \"arn:aws:securityhub:us-east-2:111111111111:control/pci-dss/v/3.2.1/PCI.Config.1\", \"ProductFields.StandardsSubscriptionArn\": \"arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1\", \"ProductFields.aws/securityhub/CompanyName\": \"AWS\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/securityhub/arn:aws:securityhub:us-east-2:111111111111:subscription/pci-dss/v/3.2.1/PCI.Config.1/finding/7d619054-6f0d-456b-aa75-23b20f74fae6\", \"ProductFields.aws/securityhub/ProductName\": \"Security Hub\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Severity.Original\": \"MEDIUM\", \"Severity.Product\": \"40\", \"WorkflowState\": \"NEW\"}}", + "event": { + "action": "update", + "category": [], + "severity": 3, + "type": [] + }, + "@timestamp": "2023-07-21T18:11:53.060000Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Update", + "class_name": "Compliance Finding", + "class_uid": 2003 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_detection_finding_1.json b/OCSF/ocsf/tests/test_detection_finding_1.json new file mode 100644 index 000000000..15c53b791 --- /dev/null +++ b/OCSF/ocsf/tests/test_detection_finding_1.json 
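Review bot: The expected block for this compliance finding asserts no `event.kind`, an empty `event.category` and `event.type`, and nothing from `finding_info` or `compliance` (title, finding uid, `status: FAILED`, the PCI `requirements`), so the fixture pins a mapping in which a failed control is searchable only through `ocsf.*`, `cloud.*` and `event.severity`. If findings are meant to be usable for detection, the expected output should at least carry `"kind": "alert"` in `event` and something like `"rule": {"id": "Config.1", "name": "PCI.Config.1 AWS Config should be enabled"}`; the same gap is present in test_compliance_finding_1's sibling test_detection_finding_1.json. If keeping finding details only inside `message` is intentional, that should be stated in the intake README, since a JSON fixture cannot carry the explanation itself.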
@@ -0,0 +1,28 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": 
\"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": \"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", 
\"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", \"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Detection Finding\", \"class_uid\": 2004, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"evidences\": [{\"api\": {\"operation\": \"DeleteTrail\", \"service\": {\"name\": \"cloudtrail.amazonaws.com\"}}, \"data\": \"\", \"src_endpoint\": {\"ip\": \"52.94.133.131\", \"location\": {\"city\": \"\", \"coordinates\": [-100.821999, 37.751], \"country\": \"United States\"}}}], \"finding_info\": {\"created_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"desc\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled by Admin calling DeleteTrail under unusual circumstances. 
This can be attackers attempt to cover their tracks by eliminating any trace of activity performed while they accessed your account.\", \"first_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"last_seen_time_dt\": \"2023-09-19T10:55:09.000-04:00\", \"modified_time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"src_url\": \"https://us-east-2.console.aws.amazon.com/guardduty/home?region=us-east-2#/findings?macros=current&fId=a6c556fcbc9bea427a19f8b787099a0b\", \"title\": \"AWS CloudTrail trail arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me was disabled.\", \"types\": [\"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\"], \"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\"}, \"metadata\": {\"extensions\": [{\"name\": \"linux\", \"uid\": \"1\", \"version\": \"1.1.0\"}], \"log_version\": \"2018-10-08\", \"product\": {\"feature\": {\"uid\": \"arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE\"}, \"name\": \"GuardDuty\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty\", \"vendor_name\": \"Amazon\"}, \"profiles\": [\"cloud\", \"datetime\", \"linux\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"evidences[].src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"52.94.133.131\"}, {\"name\": \"resources[].uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"resources\": [{\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsIamAccessKey\\\":{\\\"PrincipalId\\\":\\\"AROATMJPC7YEXAMPLE:example\\\",\\\"PrincipalName\\\":\\\"Admin\\\",\\\"PrincipalType\\\":\\\"AssumedRole\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsIamAccessKey\", \"uid\": \"AWS::IAM::AccessKey:ASIATMJPC7EXAMPLE\"}], \"severity\": \"Low\", \"severity_id\": 2, \"status\": \"New\", \"time\": 1695135922487, \"time_dt\": \"2023-09-19T11:05:22.487-04:00\", \"type_name\": 
\"Detection Finding: Create\", \"type_uid\": 200401, \"unmapped\": {\"FindingProviderFields.Severity.Label\": \"LOW\", \"FindingProviderFields.Types[]\": \"TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled\", \"ProductFields.aws/guardduty/service/action/actionType\": \"AWS_API_CALL\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/affectedResources/AWS::CloudTrail::Trail\": \"arn:aws:cloudtrail:us-east-2:111111111111:trail/delete-me\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/callerType\": \"Remote IP\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asn\": \"16509\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/asnOrg\": \"AMAZON-02\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/isp\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/action/awsApiCallAction/remoteIpDetails/organization/org\": \"Amazon Office\", \"ProductFields.aws/guardduty/service/additionalInfo/type\": \"default\", \"ProductFields.aws/guardduty/service/archived\": \"false\", \"ProductFields.aws/guardduty/service/count\": \"1\", \"ProductFields.aws/guardduty/service/detectorId\": \"1ac1bfceda6679698215d5d0EXAMPLE\", \"ProductFields.aws/guardduty/service/eventFirstSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/eventLastSeen\": \"2023-09-19T14:55:09.000Z\", \"ProductFields.aws/guardduty/service/resourceRole\": \"TARGET\", \"ProductFields.aws/guardduty/service/serviceName\": \"guardduty\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/guardduty/arn:aws:guardduty:us-east-2:111111111111:detector/1ac1bfceda6679698215d5d0EXAMPLE/finding/a6c556fcbc9bea427a19f8b787099a0b\", \"ProductFields.aws/securityhub/ProductName\": \"GuardDuty\", \"RecordState\": \"ACTIVE\", \"Sample\": \"false\", 
\"Severity.Normalized\": \"40\", \"Severity.Product\": \"2\", \"WorkflowState\": \"NEW\"}}", + "event": { + "action": "create", + "category": [], + "severity": 2, + "type": [] + }, + "@timestamp": "2023-09-19T15:05:22.487000Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "class_name": "Detection Finding", + "class_uid": 2004 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_dns_activity_1.json b/OCSF/ocsf/tests/test_dns_activity_1.json new file mode 100644 index 000000000..7567bb466 --- /dev/null +++ b/OCSF/ocsf/tests/test_dns_activity_1.json 
@@ -0,0 +1,75 @@ +{ + "input": { + "message": "{\"action\": \"Allowed\", \"action_id\": 1, \"activity_id\": 6, \"activity_name\": \"Traffic\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"Alert\", \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"firewall_rule\": {\"uid\": \"rslvr-frg-000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"answers[].rdata\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"127.0.0.62\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"rslvr-in-0000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"10.200.21.100\"}, {\"name\": \"query.hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"ip-127-0-0-62.alert.firewall.canary.\"}], \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694956000, \"time_dt\": \"2022-10-13T17:02:36.000-04:00\", \"type_name\": \"DNS Activity: Traffic\", \"type_uid\": 400306, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}" + }, + 
"expected": { + "message": "{\"action\": \"Allowed\", \"action_id\": 1, \"activity_id\": 6, \"activity_name\": \"Traffic\", \"answers\": [{\"class\": \"IN\", \"rdata\": \"127.0.0.62\", \"type\": \"A\"}], \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"DNS Activity\", \"class_uid\": 4003, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\"}, \"connection_info\": {\"direction\": \"Unknown\", \"direction_id\": 0, \"protocol_name\": \"UDP\"}, \"disposition\": \"Alert\", \"dst_endpoint\": {\"instance_uid\": \"rslvr-in-0000000000000000\", \"interface_uid\": \"rni-0000000000000000\"}, \"firewall_rule\": {\"uid\": \"rslvr-frg-000000000000000\"}, \"metadata\": {\"product\": {\"feature\": {\"name\": \"Resolver Query Logs\"}, \"name\": \"Route 53\", \"vendor_name\": \"AWS\", \"version\": \"1.100000\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"answers[].rdata\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"127.0.0.62\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"rslvr-in-0000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"10.200.21.100\"}, {\"name\": \"query.hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"ip-127-0-0-62.alert.firewall.canary.\"}], \"query\": {\"class\": \"IN\", \"hostname\": \"ip-127-0-0-62.alert.firewall.canary.\", \"type\": \"A\"}, \"rcode\": \"NoError\", \"rcode_id\": 0, \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"10.200.21.100\", \"port\": 15083, \"vpc_uid\": \"vpc-00000000000000000\"}, \"time\": 1665694956000, \"time_dt\": \"2022-10-13T17:02:36.000-04:00\", \"type_name\": \"DNS Activity: Traffic\", \"type_uid\": 400306, \"unmapped\": {\"firewall_domain_list_id\": \"rslvr-fdl-0000000000000\"}}", + "event": { + "action": 
"traffic", + "category": [ + "network" + ], + "kind": "event", + "severity": 1, + "type": [ + "info", + "protocol" + ] + }, + "@timestamp": "2022-10-13T21:02:36Z", + "cloud": { + "account": { + "id": "123456789012" + }, + "provider": "AWS", + "region": "us-east-1" + }, + "dns": { + "answers": { + "class": [ + "IN" + ], + "ttl": [], + "type": [ + "A" + ] + }, + "id": [], + "question": { + "class": [ + "IN" + ], + "name": "ip-127-0-0-62.alert.firewall.canary.", + "subdomain": "ip-127-0-0-62.alert.firewall", + "type": [ + "A" + ] + }, + "response_code": "NoError" + }, + "network": { + "direction": [ + "unknown" + ] + }, + "ocsf": { + "activity_id": 6, + "activity_name": "Traffic", + "class_name": "DNS Activity", + "class_uid": 4003 + }, + "related": { + "hosts": [ + "ip-127-0-0-62.alert.firewall.canary." + ], + "ip": [ + "10.200.21.100" + ] + }, + "source": { + "address": "10.200.21.100", + "ip": "10.200.21.100", + "port": 15083 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_http_activity_1.json b/OCSF/ocsf/tests/test_http_activity_1.json new file mode 100644 index 000000000..effda93fa --- /dev/null +++ b/OCSF/ocsf/tests/test_http_activity_1.json 
@@ -0,0 +1,60 @@ +{ + "input": { + "message": "{\"activity_id\": 3, \"activity_name\": \"Get\", \"category_name\": \"Network Activitys\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"AWS\"}, \"dst_endpoint\": {\"domain\": \"/CanaryTest\"}, \"firewall_rule\": {\"type\": \"RATE_BASED\", \"uid\": \"RateBasedRule\"}, \"http_request\": {\"args\": \"\", \"http_method\": \"GET\", \"uid\": \"Ed0AiHF_CGYF-DA=\", \"url\": {\"path\": \"/CanaryTest\"}, \"version\": \"HTTP/1.1\"}, \"http_response\": {\"code\": 403}, \"metadata\": {\"labels\": null, \"product\": {\"feature\": {\"uid\": \"...\"}, \"name\": \"AWS WAF\", \"vendor_name\": \"AWS\", \"version\": \"1\"}, \"version\": \"1.1.0-dev\"}, \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.46.82.45\", \"location\": {\"country\": \"FR\"}, \"svc_name\": \"APIGW\", \"uid\": \"EXAMPLE11:rjvegx5guh:CanaryTest\"}, \"time\": 0, \"type_name\": \"HTTP Activity: Get\", \"type_uid\": 400203, \"unmapped\": [[\"rateBasedRuleList[].rateBasedRuleId\", \"...\"], [\"rateBasedRuleList[].customValues[].value\", \"ella\"], [\"rateBasedRuleList[].customValues[].name\", \"dogname\"], [\"rateBasedRuleList[].limitKey\", \"CUSTOMKEYS\"], [\"rateBasedRuleList[].customValues[].key\", \"HEADER\"], [\"httpRequest.headers[].value\", \"52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate\"], [\"rateBasedRuleList[].rateBasedRuleName\", \"RateBasedRule\"], [\"rateBasedRuleList[].maxRateAllowed\", \"100\"], [\"httpRequest.headers[].name\", \"X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding\"]]}" + }, + "expected": { + "message": "{\"activity_id\": 3, \"activity_name\": \"Get\", \"category_name\": \"Network Activitys\", \"category_uid\": 4, \"class_name\": \"HTTP Activity\", \"class_uid\": 4002, \"cloud\": {\"provider\": \"AWS\"}, 
\"dst_endpoint\": {\"domain\": \"/CanaryTest\"}, \"firewall_rule\": {\"type\": \"RATE_BASED\", \"uid\": \"RateBasedRule\"}, \"http_request\": {\"args\": \"\", \"http_method\": \"GET\", \"uid\": \"Ed0AiHF_CGYF-DA=\", \"url\": {\"path\": \"/CanaryTest\"}, \"version\": \"HTTP/1.1\"}, \"http_response\": {\"code\": 403}, \"metadata\": {\"labels\": null, \"product\": {\"feature\": {\"uid\": \"...\"}, \"name\": \"AWS WAF\", \"vendor_name\": \"AWS\", \"version\": \"1\"}, \"version\": \"1.1.0-dev\"}, \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"52.46.82.45\", \"location\": {\"country\": \"FR\"}, \"svc_name\": \"APIGW\", \"uid\": \"EXAMPLE11:rjvegx5guh:CanaryTest\"}, \"time\": 0, \"type_name\": \"HTTP Activity: Get\", \"type_uid\": 400203, \"unmapped\": [[\"rateBasedRuleList[].rateBasedRuleId\", \"...\"], [\"rateBasedRuleList[].customValues[].value\", \"ella\"], [\"rateBasedRuleList[].customValues[].name\", \"dogname\"], [\"rateBasedRuleList[].limitKey\", \"CUSTOMKEYS\"], [\"rateBasedRuleList[].customValues[].key\", \"HEADER\"], [\"httpRequest.headers[].value\", \"52.46.82.45,https,443,rjvegx5guh.execute-api.eu-west-3.amazonaws.com,Root=1-645566cf-7cb058b04d9bb3ee01dc4036,ella,RateBasedRuleTestKoipOneKeyModulePV2,gzip,deflate\"], [\"rateBasedRuleList[].rateBasedRuleName\", \"RateBasedRule\"], [\"rateBasedRuleList[].maxRateAllowed\", \"100\"], [\"httpRequest.headers[].name\", \"X-Forwarded-For,X-Forwarded-Proto,X-Forwarded-Port,Host,X-Amzn-Trace-Id,dogname,User-Agent,Accept-Encoding\"]]}", + "event": { + "action": "get", + "category": [ + "api" + ], + "kind": "event", + "severity": 1, + "type": [ + "info" + ] + }, + "cloud": { + "provider": "AWS" + }, + "destination": { + "address": "/CanaryTest", + "domain": "/CanaryTest" + }, + "http": { + "request": { + "id": "Ed0AiHF_CGYF-DA=", + "method": "GET" + }, + "version": "HTTP/1.1" + }, + "network": { + "application": "APIGW" + }, + "ocsf": { + "activity_id": 3, + "activity_name": "Get", + "class_name": "HTTP Activity", + 
"class_uid": 4002 + }, + "related": { + "hosts": [ + "/CanaryTest" + ], + "ip": [ + "52.46.82.45" + ] + }, + "source": { + "address": "52.46.82.45", + "geo": { + "country_iso_code": "FR" + }, + "ip": "52.46.82.45" + }, + "url": { + "path": "/CanaryTest" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_1.json b/OCSF/ocsf/tests/test_network_activity_1.json new file mode 100644 index 000000000..0a39b9b10 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_1.json 
@@ -0,0 +1,54 @@ +{ + "input": { + "message": "{\"cloud\": {\"account_uid\": \"987654321098\", \"region\": \"us-west-2\", \"zone\": \"use2-az2\", \"provider\": \"AWS\"}, \"action\": \"Allowed\", \"action_id\": 1, \"status_code\": \"OK\", \"traffic\": {\"bytes\": 85, \"packets\": 10}, \"src_endpoint\": {\"ip\": \"192.168.1.10\", \"port\": 8080, \"svc_name\": \"amazon-s3\", \"subnet_uid\": \"subnet-33333333333333333\", \"vpc_uid\": \"vpc-44444444444444444\"}, \"dst_endpoint\": {\"ip\": \"192.168.1.20\", \"port\": 443, \"svc_name\": \"amazon-ec2\", \"interface_uid\": \"eni-22222222222222222\", \"instance_uid\": \"i-111111111111111111\"}, \"connection_info\": {\"protocol_num\": 17, \"protocol_ver\": \"IPv6\", \"tcp_flags\": 6, \"direction\": \"egress\", \"direction_id\": 2, \"boundary_id\": 99, \"boundary\": \"vpn\", \"start_time\": 1653200123, \"end_time\": 1653200100}, \"time\": 1653200100, \"type_name\": \"Network Activity: Traffic\", \"type_uid\": 400105, \"activity_id\": 5, \"activity_name\": \"Traffic\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"category_uid\": 4, \"category_name\": \"Network Activity\", \"metadata\": {\"product\": {\"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.1.0\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"status_id\": 1, \"status\": \"Success\", \"disposition\": \"Allowed\", \"pkt_src_aws_service\": \"amazon-s3\", \"pkt_dst_aws_service\": \"amazon-ec2\", \"sublocation_type\": \"subnet\", \"sublocation_id\": \"subnet-33333333333333333\"}" + }, + "expected": { + "message": "{\"cloud\": {\"account_uid\": \"987654321098\", \"region\": \"us-west-2\", \"zone\": \"use2-az2\", \"provider\": \"AWS\"}, \"action\": \"Allowed\", \"action_id\": 1, \"status_code\": \"OK\", \"traffic\": {\"bytes\": 85, \"packets\": 10}, \"src_endpoint\": {\"ip\": \"192.168.1.10\", \"port\": 8080, \"svc_name\": \"amazon-s3\", 
\"subnet_uid\": \"subnet-33333333333333333\", \"vpc_uid\": \"vpc-44444444444444444\"}, \"dst_endpoint\": {\"ip\": \"192.168.1.20\", \"port\": 443, \"svc_name\": \"amazon-ec2\", \"interface_uid\": \"eni-22222222222222222\", \"instance_uid\": \"i-111111111111111111\"}, \"connection_info\": {\"protocol_num\": 17, \"protocol_ver\": \"IPv6\", \"tcp_flags\": 6, \"direction\": \"egress\", \"direction_id\": 2, \"boundary_id\": 99, \"boundary\": \"vpn\", \"start_time\": 1653200123, \"end_time\": 1653200100}, \"time\": 1653200100, \"type_name\": \"Network Activity: Traffic\", \"type_uid\": 400105, \"activity_id\": 5, \"activity_name\": \"Traffic\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"category_uid\": 4, \"category_name\": \"Network Activity\", \"metadata\": {\"product\": {\"name\": \"Amazon VPC\", \"feature\": {\"name\": \"Flowlogs\"}, \"vendor_name\": \"AWS\"}, \"profiles\": [\"cloud\", \"security_control\"], \"version\": \"1.1.0\"}, \"severity_id\": 1, \"severity\": \"Informational\", \"status_id\": 1, \"status\": \"Success\", \"disposition\": \"Allowed\", \"pkt_src_aws_service\": \"amazon-s3\", \"pkt_dst_aws_service\": \"amazon-ec2\", \"sublocation_type\": \"subnet\", \"sublocation_id\": \"subnet-33333333333333333\"}", + "event": { + "action": "traffic", + "category": [ + "network" + ], + "kind": "event", + "outcome": "success", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2022-05-22T06:15:00Z", + "cloud": { + "availability_zone": "use2-az2", + "provider": "AWS", + "region": "us-west-2" + }, + "destination": { + "address": "192.168.1.20", + "ip": "192.168.1.20", + "port": 443 + }, + "network": { + "application": "amazon-ec2", + "bytes": 85, + "iana_number": "17", + "packets": 10 + }, + "ocsf": { + "activity_id": 5, + "activity_name": "Traffic", + "class_name": "Network Activity", + "class_uid": 4001 + }, + "related": { + "ip": [ + "192.168.1.10", + "192.168.1.20" + ] + }, + "source": { + "address": "192.168.1.10", + "ip": 
"192.168.1.10", + "port": 8080 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_2.json b/OCSF/ocsf/tests/test_network_activity_2.json new file mode 100644 index 000000000..aefba6a98 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_2.json 
@@ -0,0 +1,61 @@ +{ + "input": { + "message": "{\"action\": \"Denied\", \"action_id\": 2, \"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": \"Blocked\", \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time_dt\": \"2022-04-11T20:03:08.000-04:00\", \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"dst_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"172.31.2.52\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"i-000000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.2.3.4\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.2.3.4\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"status_code\": \"OK\", \"time\": 1649721732000, \"time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}" + }, + "expected": { + "message": "{\"action\": 
\"Denied\", \"action_id\": 2, \"activity_id\": 5, \"activity_name\": \"Refuse\", \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"cloud\": {\"account\": {\"uid\": \"123456789012\"}, \"provider\": \"AWS\", \"region\": \"us-east-1\", \"zone\": \"use1-az1\"}, \"connection_info\": {\"boundary\": \"-\", \"boundary_id\": 99, \"direction\": \"Inbound\", \"direction_id\": 1, \"protocol_num\": 6, \"protocol_ver\": \"IPv4\", \"tcp_flags\": 2}, \"disposition\": \"Blocked\", \"dst_endpoint\": {\"instance_uid\": \"i-000000000000000000\", \"interface_uid\": \"eni-000000000000000000\", \"ip\": \"172.31.2.52\", \"port\": 39938, \"subnet_uid\": \"subnet-000000000000000000\", \"svc_name\": \"-\", \"vpc_uid\": \"vpc-00000000\"}, \"end_time_dt\": \"2022-04-11T20:03:08.000-04:00\", \"metadata\": {\"product\": {\"feature\": {\"name\": \"Flowlogs\"}, \"name\": \"Amazon VPC\", \"vendor_name\": \"AWS\", \"version\": \"5\"}, \"profiles\": [\"cloud\", \"security_control\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"dst_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"172.31.2.52\"}, {\"name\": \"dst_endpoint.instance_uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"i-000000000000000000\"}, {\"name\": \"src_endpoint.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.2.3.4\"}], \"severity\": \"Informational\", \"severity_id\": 1, \"src_endpoint\": {\"ip\": \"1.2.3.4\", \"port\": 56858, \"svc_name\": \"-\"}, \"start_time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"status_code\": \"OK\", \"time\": 1649721732000, \"time_dt\": \"2022-04-11T20:02:12.000-04:00\", \"traffic\": {\"bytes\": 40, \"packets\": 1}, \"type_name\": \"Network Activity: Refuse\", \"type_uid\": 400105, \"unmapped\": {\"sublocation_id\": \"-\", \"sublocation_type\": \"-\"}}", + "event": { + "action": "refuse", + "category": [ + "network" + ], + "end": "2022-04-12T00:03:08Z", + 
"kind": "event", + "severity": 1, + "start": "2022-04-12T00:02:12Z", + "type": [ + "denied", + "info" + ] + }, + "@timestamp": "2022-04-12T00:02:12Z", + "cloud": { + "account": { + "id": "123456789012" + }, + "availability_zone": "use1-az1", + "provider": "AWS", + "region": "us-east-1" + }, + "destination": { + "address": "172.31.2.52", + "ip": "172.31.2.52", + "port": 39938 + }, + "network": { + "bytes": 40, + "direction": [ + "inbound" + ], + "iana_number": "6", + "packets": 1 + }, + "ocsf": { + "activity_id": 5, + "activity_name": "Refuse", + "class_name": "Network Activity", + "class_uid": 4001 + }, + "related": { + "ip": [ + "1.2.3.4", + "172.31.2.52" + ] + }, + "source": { + "address": "1.2.3.4", + "ip": "1.2.3.4", + "port": 56858 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_3.json b/OCSF/ocsf/tests/test_network_activity_3.json new file mode 100644 index 000000000..191c39ac2 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_3.json 
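Review bot: `network.direction` in the expected output is pinned as an array (`"direction": ["inbound"]`) while ECS defines network.direction as a single keyword; the same shape appears in test_network_activity_3.json. Unless the pipeline deliberately multi-values this field, the fixture should pin `"direction": "inbound"`, since a consumer filtering on `network.direction: inbound` can behave differently per backend when the field is a list. The input also carries `disposition: "Blocked"` and `action: "Denied"` but nothing is pinned for `event.outcome`; if the parser intentionally leaves outcome unset whenever `status_id` is absent, a line in the parser docs or CHANGELOG saying so would stop the next reader from treating it as a gap.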
@@ -0,0 +1,52 @@ +{ + "input": { + "message": "{\"activity_name\": \"Traffic\", \"activity_id\": 6, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"type_uid\": 400106, \"type_name\": \"Network Activity: Traffic\", \"severity_id\": 1, \"severity\": \"Informational\", \"start_time\": \"2015/06/17T00:00:00.083\", \"end_time\": \"2015/06/17T00:00:00.089\", \"duration\": 0.006, \"metadata\": {\"product\": {\"version\": \"3.9.0\", \"name\": \"SiLK\", \"feature\": {\"name\": \" Network Flow Data\"}, \"vendor_name\": \"CERT/NetSA at Carnegie Mellon University - Software Engineering Institute\"}, \"version\": \"1.0.0-rc.3\"}, \"src_endpoint\": {\"port\": 63975, \"ip\": \"192.168.40.20\"}, \"dst_endpoint\": {\"port\": 443, \"ip\": \"10.0.40.21\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 19, \"boundary_id\": 99, \"boundary\": \"Other\", \"direction_id\": 2, \"direction\": \"Outbound\"}, \"traffic\": {\"packets\": 8, \"bytes\": 344}, \"unmapped\": {\"sensor\": \"S1\", \"in\": 0, \"out\": 0, \"nhIP\": \"0.0.0.0\", \"initialFlags\": \"\", \"sessionFlags\": \"\", \"attributes\": \"\", \"application\": 0, \"class\": \"all\", \"type\": \"outweb\", \"iType\": \"\", \"iCode\": \"\"}}" + }, + "expected": { + "message": "{\"activity_name\": \"Traffic\", \"activity_id\": 6, \"category_name\": \"Network Activity\", \"category_uid\": 4, \"class_name\": \"Network Activity\", \"class_uid\": 4001, \"type_uid\": 400106, \"type_name\": \"Network Activity: Traffic\", \"severity_id\": 1, \"severity\": \"Informational\", \"start_time\": \"2015/06/17T00:00:00.083\", \"end_time\": \"2015/06/17T00:00:00.089\", \"duration\": 0.006, \"metadata\": {\"product\": {\"version\": \"3.9.0\", \"name\": \"SiLK\", \"feature\": {\"name\": \" Network Flow Data\"}, \"vendor_name\": \"CERT/NetSA at Carnegie Mellon University - Software Engineering Institute\"}, \"version\": \"1.0.0-rc.3\"}, \"src_endpoint\": {\"port\": 
63975, \"ip\": \"192.168.40.20\"}, \"dst_endpoint\": {\"port\": 443, \"ip\": \"10.0.40.21\"}, \"connection_info\": {\"protocol_num\": 6, \"tcp_flags\": 19, \"boundary_id\": 99, \"boundary\": \"Other\", \"direction_id\": 2, \"direction\": \"Outbound\"}, \"traffic\": {\"packets\": 8, \"bytes\": 344}, \"unmapped\": {\"sensor\": \"S1\", \"in\": 0, \"out\": 0, \"nhIP\": \"0.0.0.0\", \"initialFlags\": \"\", \"sessionFlags\": \"\", \"attributes\": \"\", \"application\": 0, \"class\": \"all\", \"type\": \"outweb\", \"iType\": \"\", \"iCode\": \"\"}}", + "event": { + "action": "traffic", + "category": [ + "network" + ], + "duration": 6000.0, + "end": "2015-06-17T00:00:00.089000Z", + "kind": "event", + "severity": 1, + "start": "2015-06-17T00:00:00.083000Z", + "type": [ + "info" + ] + }, + "destination": { + "address": "10.0.40.21", + "ip": "10.0.40.21", + "port": 443 + }, + "network": { + "bytes": 344, + "direction": [ + "outbound" + ], + "iana_number": "6", + "packets": 8 + }, + "ocsf": { + "activity_id": 6, + "activity_name": "Traffic", + "class_name": "Network Activity", + "class_uid": 4001 + }, + "related": { + "ip": [ + "10.0.40.21", + "192.168.40.20" + ] + }, + "source": { + "address": "192.168.40.20", + "ip": "192.168.40.20", + "port": 63975 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_4.json b/OCSF/ocsf/tests/test_network_activity_4.json new file mode 100644 index 000000000..a2042d955 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_4.json 
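Review bot: `event.duration: 6000.0` is inconsistent with the `event.start`/`event.end` values pinned in the same fixture, which are 6 ms apart (6,000,000 ns in ECS's nanosecond unit). The input's `duration: 0.006` looks like seconds here, whereas the conversion treats it as OCSF milliseconds (×1e6); either the sample is not OCSF-conformant or the parser should derive duration from start/end when both are present, and the fixture should pin whichever is chosen. ECS `event.duration` is a long, so the value should also be `6000` (or `6000000`) rather than a float. The expected output has no `@timestamp` because the input has no `time`; pinning `@timestamp` from `start_time`, or documenting the fallback, would make that contract explicit.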
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}" + }, + "expected": { + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}", + "event": { + "category": [ + "network" + ], + "duration": 66851.85432434082, + "kind": "event", + "severity": 1, + 
"type": [ + "info" + ] + }, + "@timestamp": "2020-06-05T14:39:59.305988Z", + "destination": { + "address": "192.168.4.1", + "ip": "192.168.4.1", + "port": 53 + }, + "ocsf": { + "class_name": "Network Activity", + "class_uid": 4001 + }, + "related": { + "ip": [ + "192.168.4.1", + "192.168.4.76" + ] + }, + "source": { + "address": "192.168.4.76", + "ip": "192.168.4.76", + "port": 36844 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_5.json b/OCSF/ocsf/tests/test_network_activity_5.json new file mode 100644 index 000000000..a2042d955 --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_5.json 
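Review bot: The expected output drops the transport and traffic counters the input provides: `connection_info.protocol_name: "udp"` is not mapped to `network.transport`, and `bytes_in`/`bytes_out`/`packets_in`/`packets_out` are not mapped to `source.bytes`/`source.packets`/`destination.bytes`/`destination.packets`. `proposed_new_attributes.application_protocol: "dns"` would fit `network.protocol`, though that key is non-standard so mapping it is a judgement call. For a flow record these are the fields detection logic keys on, so if the parser is meant to ignore them the CHANGELOG should name them as unmapped rather than leave the fixture looking like an oversight.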
@@ -0,0 +1,40 @@ +{ + "input": { + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}" + }, + "expected": { + "message": "{\"time\": 1591367999.305988, \"uuid\": \"CMdzit1AMNsmfAIiQc\", \"src_endpoint\": {\"ip\": \"192.168.4.76\", \"port\": 36844}, \"dst_endpoint\": {\"ip\": \"192.168.4.1\", \"port\": 53}, \"connection_info\": {\"protocol_name\": \"udp\"}, \"bytes_in\": 62, \"packets_in\": 2, \"orig_bytes\": {\"ip\": 118}, \"bytes_out\": 141, \"packets_out\": 2, \"resp_bytes\": {\"ip\": 197}, \"duration\": 0.06685185432434082, \"unmapped\": {\"conn_state\": \"SF\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"conn.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"proposed_new_attributes\": {\"application_protocol\": \"dns\", \"bytes_missed\": 0, \"connection_history\": \"Dd\"}}", + "event": { + "category": [ + "network" + ], + "duration": 66851.85432434082, + "kind": "event", + "severity": 1, + 
"type": [ + "info" + ] + }, + "@timestamp": "2020-06-05T14:39:59.305988Z", + "destination": { + "address": "192.168.4.1", + "ip": "192.168.4.1", + "port": 53 + }, + "ocsf": { + "class_name": "Network Activity", + "class_uid": 4001 + }, + "related": { + "ip": [ + "192.168.4.1", + "192.168.4.76" + ] + }, + "source": { + "address": "192.168.4.76", + "ip": "192.168.4.76", + "port": 36844 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_network_activity_6.json b/OCSF/ocsf/tests/test_network_activity_6.json new file mode 100644 index 000000000..7c337a7ce --- /dev/null +++ b/OCSF/ocsf/tests/test_network_activity_6.json 
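Review bot: This file is a byte-for-byte copy of test_network_activity_4.json (both are introduced with blob index `a2042d955`), so it adds no coverage and will have to be updated twice whenever the Zeek conn.log mapping changes. Either drop it or replace the input with a distinct conn.log case — a different `conn_state`, a non-UDP `protocol_name`, or a record with a `status_id` — so the second fixture actually exercises another path.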
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"time\": 1598377391.921726, \"uuid\": \"CsukF91Bx9mrqdEaH9\", \"src_endpoint\": {\"ip\": \"192.168.4.49\", \"port\": 56718}, \"dst_endpoint\": {\"ip\": \"13.32.202.10\", \"port\": 443}, \"version\": \"TLSv12\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"certificate\": \"secp256r1\", \"domain\": \"www.taosecurity.com\", \"certificate_chain\": [\"F2XEvj1CahhdhtfvT4\", \"FZ7ygD3ERPfEVVohG9\", \"F7vklpOKI4yX9wmvh\", \"FAnbnR32nIIr2j9XV\"], \"subject\": \"CN=www.taosecurity.com\", \"issuer\": \"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\", \"unmapped\": {\"next_protocol\": \"h2\", \"resumed\": false}, \"network_activity\": {\"status_id\": \"1\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"ssl.log\"}, \"vendor_name\": \"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1}" + }, + "expected": { + "message": "{\"time\": 1598377391.921726, \"uuid\": \"CsukF91Bx9mrqdEaH9\", \"src_endpoint\": {\"ip\": \"192.168.4.49\", \"port\": 56718}, \"dst_endpoint\": {\"ip\": \"13.32.202.10\", \"port\": 443}, \"version\": \"TLSv12\", \"cipher\": \"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\", \"certificate\": \"secp256r1\", \"domain\": \"www.taosecurity.com\", \"certificate_chain\": [\"F2XEvj1CahhdhtfvT4\", \"FZ7ygD3ERPfEVVohG9\", \"F7vklpOKI4yX9wmvh\", \"FAnbnR32nIIr2j9XV\"], \"subject\": \"CN=www.taosecurity.com\", \"issuer\": \"CN=Amazon,OU=Server CA 1B,O=Amazon,C=US\", \"unmapped\": {\"next_protocol\": \"h2\", \"resumed\": false}, \"network_activity\": {\"status_id\": \"1\"}, \"category_uid\": 4, \"category_name\": \"Network Activity\", \"class_uid\": 4001, \"class_name\": \"Network Activity\", \"metadata\": {\"profiles\": [\"security_control\"], \"product\": {\"name\": \"Zeek\", \"feature\": {\"name\": \"ssl.log\"}, \"vendor_name\": 
\"Zeek\"}}, \"severity\": \"Informational\", \"severity_id\": 1}", + "event": { + "category": [ + "network" + ], + "kind": "event", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2020-08-25T17:43:11.921726Z", + "destination": { + "address": "13.32.202.10", + "ip": "13.32.202.10", + "port": 443 + }, + "ocsf": { + "class_name": "Network Activity", + "class_uid": 4001 + }, + "related": { + "ip": [ + "13.32.202.10", + "192.168.4.49" + ] + }, + "source": { + "address": "192.168.4.49", + "ip": "192.168.4.49", + "port": 56718 + }, + "tls": { + "server": { + "certificate_chain": [ + "F2XEvj1CahhdhtfvT4", + "F7vklpOKI4yX9wmvh", + "FAnbnR32nIIr2j9XV", + "FZ7ygD3ERPfEVVohG9" + ] + } + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_process_activity_1.json b/OCSF/ocsf/tests/test_process_activity_1.json new file mode 100644 index 000000000..02bc3a582 --- /dev/null +++ b/OCSF/ocsf/tests/test_process_activity_1.json 
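Review bot: The expected `tls.server.certificate_chain` is sorted lexically (`F2…, F7…, FA…, FZ…`) while the input lists `F2…, FZ…, F7…, FA…`; a certificate chain is ordered (leaf first, then its issuers), so sorting it destroys the information a consumer needs to tell the leaf from the intermediates. The fixture should pin the input order, `["F2XEvj1CahhdhtfvT4", "FZ7ygD3ERPfEVVohG9", "F7vklpOKI4yX9wmvh", "FAnbnR32nIIr2j9XV"]`, and the parser should stop sorting it. The handshake details in the input (`version: "TLSv12"`, `cipher`, `domain`, `subject`, `issuer`) have direct ECS homes in `tls.version`, `tls.cipher`, `tls.client.server_name`, `tls.server.subject` and `tls.server.issuer` but none is pinned here; if that is intentional it deserves a note, since TLS version and cipher are the fields weak-crypto detections depend on.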
@@ -0,0 +1,74 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Launch\", \"actor\": {\"process\": {\"file\": {\"name\": \"cmd.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 3948}, \"session\": {\"uid\": \"0x55E621\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"Administrator\", \"uid\": \"ATTACKRANGE\\\\Administrator\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"A new process has been created.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a47bd2fb-4da1-4378-8961-81f81f90aec2\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"cmd_line\": \"reg save HKLM\\\\system C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\system \", \"file\": {\"name\": \"reg.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\reg.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 4696, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Process Activity: Launch\", \"type_uid\": 100701, \"unmapped\": {\"EventCode\": \"4688\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"Process Information\": {\"Mandatory Label\": \"Mandatory Label\\\\High Mandatory Level\", \"Token Elevation Type\": \"%%1936\"}, 
\"RecordNumber\": \"257874\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Creation\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Launch\", \"actor\": {\"process\": {\"file\": {\"name\": \"cmd.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\cmd.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 3948}, \"session\": {\"uid\": \"0x55E621\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"ATTACKRANGE\", \"name\": \"Administrator\", \"uid\": \"ATTACKRANGE\\\\Administrator\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"win-dc-725.attackrange.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"A new process has been created.\", \"metadata\": {\"original_time\": \"03/12/2021 10:48:14 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"a47bd2fb-4da1-4378-8961-81f81f90aec2\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"cmd_line\": \"reg save HKLM\\\\system C:\\\\Users\\\\ADMINI~1\\\\AppData\\\\Local\\\\Temp\\\\system \", \"file\": {\"name\": \"reg.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\reg.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 4696, \"session\": {\"uid\": \"0x0\"}, \"user\": {\"domain\": \"-\", \"name\": \"-\", \"uid\": \"NULL SID\"}}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1615564094000, \"type_name\": \"Process Activity: Launch\", \"type_uid\": 100701, \"unmapped\": {\"EventCode\": \"4688\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"Process 
Information\": {\"Mandatory Label\": \"Mandatory Label\\\\High Mandatory Level\", \"Token Elevation Type\": \"%%1936\"}, \"RecordNumber\": \"257874\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Creation\"}}", + "event": { + "action": "launch", + "category": [ + "process" + ], + "kind": "event", + "outcome": "success", + "reason": "A new process has been created.", + "severity": 1, + "type": [ + "info", + "start" + ] + }, + "@timestamp": "2021-03-12T15:48:14Z", + "file": { + "directory": "C:\\Windows\\System32", + "name": "reg.exe", + "path": "C:\\Windows\\System32\\reg.exe", + "type": "Regular File" + }, + "host": { + "hostname": "win-dc-725.attackrange.local", + "name": "win-dc-725.attackrange.local", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Launch", + "class_name": "Process Activity", + "class_uid": 1007 + }, + "process": { + "command_line": "reg save HKLM\\system C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\system ", + "pid": 4696, + "user": { + "group": { + "id": [], + "name": [] + }, + "id": [ + "NULL SID" + ] + } + }, + "related": { + "hosts": [ + "win-dc-725.attackrange.local" + ], + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "ATTACKRANGE", + "group": { + "id": [], + "name": [] + }, + "id": "ATTACKRANGE\\Administrator", + "name": "Administrator" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_process_activity_2.json b/OCSF/ocsf/tests/test_process_activity_2.json new file mode 100644 index 000000000..d2fc4367f --- /dev/null +++ b/OCSF/ocsf/tests/test_process_activity_2.json 
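Review bot: `process.user.id` is pinned as a one-element array (`["NULL SID"]`) while `user.id` on the same event is a scalar string, and `process.user.group.id`/`name` and `user.group.id`/`name` are pinned as empty arrays; the same empty-group shape appears in test_process_activity_2.json. ECS user.id is a keyword, so the two fields should share one shape, and empty arrays are better omitted than emitted — they read as "the process had no groups" rather than "the source did not say". The input's `actor.process` (cmd.exe, pid 3948) is the parent of the launched process in OCSF's Process Activity model, yet nothing lands in `process.parent.*`; pinning `"parent": {"pid": 3948, "name": "cmd.exe", "executable": "C:\\Windows\\System32\\cmd.exe"}` would keep the launch lineage that process-creation detections rely on. `process.name`/`process.executable` are likewise left unset in favour of `file.*`.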
@@ -0,0 +1,65 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Terminate\", \"actor\": {\"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"session\": {\"uid\": \"0x1806d9\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"LOGISTICS\", \"name\": \"Administrator\", \"uid\": \"S-1-5-21-1135140816-2109348461-2107143693-500\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"dcc1.Logistics.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"exit_code\": 0, \"message\": \"A process has exited.\", \"metadata\": {\"original_time\": \"09/05/2019 11:22:49 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1567696969000, \"type_name\": \"Process Activity: Terminate\", \"type_uid\": 100702, \"unmapped\": {\"EventCode\": \"4689\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"6828379\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Termination\"}}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Terminate\", \"actor\": {\"process\": {\"file\": {\"name\": 
\"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"session\": {\"uid\": \"0x1806d9\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"LOGISTICS\", \"name\": \"Administrator\", \"uid\": \"S-1-5-21-1135140816-2109348461-2107143693-500\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Process Activity\", \"class_uid\": 1007, \"device\": {\"hostname\": \"dcc1.Logistics.local\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"exit_code\": 0, \"message\": \"A process has exited.\", \"metadata\": {\"original_time\": \"09/05/2019 11:22:49 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"cc27b41c-94e0-48a9-8cc2-5a1598fb8d1f\", \"version\": \"1.0.0-rc.2\"}, \"process\": {\"file\": {\"name\": \"auditon.exe\", \"parent_folder\": \"C:\\\\Generate_Security_Events1\", \"path\": \"C:\\\\Generate_Security_Events1\\\\auditon.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 1524}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1567696969000, \"type_name\": \"Process Activity: Terminate\", \"type_uid\": 100702, \"unmapped\": {\"EventCode\": \"4689\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"6828379\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Process Termination\"}}", + "event": { + "action": "terminate", + "category": [ + "process" + ], + "kind": "event", + "outcome": "success", + "reason": "A process has exited.", + "severity": 1, + "type": [ + "end", + "info" + ] + }, + "@timestamp": "2019-09-05T15:22:49Z", + "file": { + "directory": 
"C:\\Generate_Security_Events1", + "name": "auditon.exe", + "path": "C:\\Generate_Security_Events1\\auditon.exe", + "type": "Regular File" + }, + "host": { + "hostname": "dcc1.Logistics.local", + "name": "dcc1.Logistics.local", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Terminate", + "class_name": "Process Activity", + "class_uid": 1007 + }, + "process": { + "exit_code": 0, + "pid": 1524 + }, + "related": { + "hosts": [ + "dcc1.Logistics.local" + ], + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "LOGISTICS", + "group": { + "id": [], + "name": [] + }, + "id": "S-1-5-21-1135140816-2109348461-2107143693-500", + "name": "Administrator" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_1.json b/OCSF/ocsf/tests/test_security_finding_1.json new file mode 100644 index 000000000..49f38eac6 --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_1.json 
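Review bot: The expected output carries the executable only under `file.*` (`file.name: "auditon.exe"`, `file.path`), leaving `process.name` and `process.executable` unset even though `process.file.name` and `process.file.path` are present in the input; ECS process-centric consumers key on `process.*`, so `"name": "auditon.exe", "executable": "C:\\Generate_Security_Events1\\auditon.exe"` belong next to `exit_code` and `pid`. Note also that `actor.process` and `process` describe the same process here (pid 1524), so a parent mapping derived from `actor.process` — presumably correct for Launch events — must not be applied blindly to Terminate events; an explicit assertion that `process.parent` stays absent would pin that.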
@@ -0,0 +1,24 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"classname\": \"Security Finding\", \"class_uid\": 2001, \"finding\": {\"created_time\": 1672758699558, \"desc\": \"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\", \"title\": \"Linux Kernel Module Injection Detected\", \"types\": [\"syscalls\"], \"uid\": \"ec834826-90c1-458a-8eec-a014e7266754\"}, \"message\": \"Linux Kernel Module Injection Detected\", \"metadata\": {\"version\": \"0.1.0\", \"product\": {\"vendor_name\": \"Falcosecurity\", \"name\": \"Falco\"}, \"labels\": [\"process\"]}, \"observables\": [{\"name\": \"hostname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"host0.local\"}, {\"name\": \"proc.pname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.pname\"}, {\"name\": \"container.info\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.info\"}, {\"name\": \"proc.args\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.args\"}, {\"name\": \"user.loginuid\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.loginuid\"}, {\"name\": \"user.name\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.name\"}, {\"name\": \"container.image.repository\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.repository\"}, {\"name\": \"container.image.tag\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.tag\"}], \"raw_data\": \"{\\\"uuid\\\":\\\"ec834826-90c1-458a-8eec-a014e7266754\\\",\\\"output\\\":\\\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info 
image=%container.image.repository:%container.image.tag)\\\",\\\"priority\\\":\\\"Warning\\\",\\\"rule\\\":\\\"Linux Kernel Module Injection Detected\\\",\\\"time\\\":\\\"2023-01-03T15:11:39.558068644Z\\\",\\\"output_fields\\\":{\\\"akey\\\":\\\"AValue\\\",\\\"bkey\\\":\\\"BValue\\\",\\\"ckey\\\":\\\"CValue\\\",\\\"container.image.repository\\\":\\\"container.image.repository\\\",\\\"container.image.tag\\\":\\\"container.image.tag\\\",\\\"container.info\\\":\\\"container.info\\\",\\\"dkey\\\":\\\"bar\\\",\\\"proc.args\\\":\\\"proc.args\\\",\\\"proc.pname\\\":\\\"proc.pname\\\",\\\"user.loginuid\\\":\\\"user.loginuid\\\",\\\"user.name\\\":\\\"user.name\\\"},\\\"source\\\":\\\"syscalls\\\",\\\"tags\\\":[\\\"process\\\"],\\\"hostname\\\":\\\"host0.local\\\"}\", \"severity\": \"Medium\", \"severity_id\": 3, \"state\": \"New\", \"state_id\": 1, \"status\": \"Warning\", \"time\": 1672758699558, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"classname\": \"Security Finding\", \"class_uid\": 2001, \"finding\": {\"created_time\": 1672758699558, \"desc\": \"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\", \"title\": \"Linux Kernel Module Injection Detected\", \"types\": [\"syscalls\"], \"uid\": \"ec834826-90c1-458a-8eec-a014e7266754\"}, \"message\": \"Linux Kernel Module Injection Detected\", \"metadata\": {\"version\": \"0.1.0\", \"product\": {\"vendor_name\": \"Falcosecurity\", \"name\": \"Falco\"}, \"labels\": [\"process\"]}, \"observables\": [{\"name\": \"hostname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"host0.local\"}, {\"name\": \"proc.pname\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.pname\"}, {\"name\": 
\"container.info\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.info\"}, {\"name\": \"proc.args\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"proc.args\"}, {\"name\": \"user.loginuid\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.loginuid\"}, {\"name\": \"user.name\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"user.name\"}, {\"name\": \"container.image.repository\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.repository\"}, {\"name\": \"container.image.tag\", \"type\": \"Other\", \"type_id\": 0, \"value\": \"container.image.tag\"}], \"raw_data\": \"{\\\"uuid\\\":\\\"ec834826-90c1-458a-8eec-a014e7266754\\\",\\\"output\\\":\\\"Linux Kernel Module injection using insmod detected (user=%user.name user_loginuid=%user.loginuid parent_process=%proc.pname module=%proc.args %container.info image=%container.image.repository:%container.image.tag)\\\",\\\"priority\\\":\\\"Warning\\\",\\\"rule\\\":\\\"Linux Kernel Module Injection Detected\\\",\\\"time\\\":\\\"2023-01-03T15:11:39.558068644Z\\\",\\\"output_fields\\\":{\\\"akey\\\":\\\"AValue\\\",\\\"bkey\\\":\\\"BValue\\\",\\\"ckey\\\":\\\"CValue\\\",\\\"container.image.repository\\\":\\\"container.image.repository\\\",\\\"container.image.tag\\\":\\\"container.image.tag\\\",\\\"container.info\\\":\\\"container.info\\\",\\\"dkey\\\":\\\"bar\\\",\\\"proc.args\\\":\\\"proc.args\\\",\\\"proc.pname\\\":\\\"proc.pname\\\",\\\"user.loginuid\\\":\\\"user.loginuid\\\",\\\"user.name\\\":\\\"user.name\\\"},\\\"source\\\":\\\"syscalls\\\",\\\"tags\\\":[\\\"process\\\"],\\\"hostname\\\":\\\"host0.local\\\"}\", \"severity\": \"Medium\", \"severity_id\": 3, \"state\": \"New\", \"state_id\": 1, \"status\": \"Warning\", \"time\": 1672758699558, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101}", + "event": { + "action": "generate", + "category": [], + "kind": "alert", + "reason": "Linux Kernel Module Injection Detected", + "severity": 3, + "type": [ + "info" + ] + 
}, + "@timestamp": "2023-01-03T15:11:39.558000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_uid": 2001 + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_2.json b/OCSF/ocsf/tests/test_security_finding_2.json new file mode 100644 index 000000000..84753b18b --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_2.json 
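Review bot: `event.category` is pinned as an empty array, and `ocsf.class_name` is absent because the input spells the field `classname` rather than `class_name`; if the typo is deliberate (testing tolerance of a malformed field) the file name or a CHANGELOG line should say so, otherwise the sample should be corrected so the fixture exercises the normal path. An empty `event.category` gives SIEM rules nothing to key on; for a Falco kernel-module detection `["intrusion_detection"]` (or at least `["process"]`, matching `metadata.labels`) is the likely intent. The finding's own identifiers are also dropped: `finding.uid` → `rule.uuid`/`event.id`, `finding.title` → `rule.name`, and the `hostname` observable (`host0.local`) → `host.name`, which is what ties an alert back to its asset.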
@@ -0,0 +1,34 @@ +{ + "input": { + "message": "{\"analytic\": {\"desc\": \"Custom Rule Engine\", \"name\": \"CRE\", \"relatedAnalytics\": [{\"category\": \"CRE_RULE\", \"name\": \"Network DoS Attack Detected\", \"type\": \"Rule\", \"typeId\": 1, \"uid\": \"100079\"}], \"type\": \"Rule\", \"typeId\": 1}, \"finding\": {\"uid\": \"591\", \"title\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"created_time\": 1682347463218, \"desc\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"first_seen_time\": 1682347463000, \"last_seen_time\": 1682781010000}, \"confidence_score\": 2, \"confidence\": \"Low\", \"confidence_id\": 2, \"data_sources\": [\"Snort @ wolverine\"], \"impact_score\": 0, \"impact\": \"Low\", \"impact_id\": 1, \"malware\": [{\"classification_ids\": [5], \"classifications\": [\"DDOS\"], \"name\": \"ICMP DoS\"}], \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 3, \"state\": \"In Progress\", \"state_id\": 2, \"activity_id\": 1, \"category_uid\": 2, \"class_uid\": 2001, \"time\": 1682347463218, \"message\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"metadata\": {\"log_name\": \"Offense\", \"log_provider\": \"IBM QRadar\", \"original_time\": 1682347463218, \"product\": {\"lang\": \"en\", \"name\": \"QRadar SIEM\", \"version\": \"7.5.0\", \"vendor_name\": \"IBM\"}, \"version\": \"7.5.0\", \"modified_time\": 1682347469220}, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"class_name\": \"Security Finding\", \"count\": 2, \"end_time\": 1682781010000, \"enrichments\": [{\"name\": \"Magnitude\", \"provider\": \"Event Processor\", \"type\": \"score\", \"value\": \"3\"}, {\"name\": \"offense_type\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"2\"}, {\"name\": \"offense_source\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing 
attempt\"}, {\"name\": \"category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"device_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"event_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"flow_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"policy_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"remote_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"local_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"security_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"source_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"user_name_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"domain_id\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"0\"}, {\"name\": \"source_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-99-99-99.Net_99_0_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-88-88-88.Net_88_88_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-77-77-77.Net_77_0_0_0\"}], \"observables\": [{\"name\": \"log_source_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"112\"}, {\"name\": \"log_source_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort @ wolverine\"}, {\"name\": \"log_source_type_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"2\"}, {\"name\": \"log_source_type_name\", \"type\": \"Other\", 
\"type_id\": 99, \"value\": \"Snort\"}, {\"name\": \"assigned_to\", \"type\": \"User\", \"type_id\": 21, \"value\": \"SomeUser\"}, {\"name\": \"low_level_category\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"ICMP DoS\"}, {\"name\": \"source_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"99.99.99.99\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"88.88.88.88\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"77.77.77.77\"}], \"status_code\": \"OPEN\"}" + }, + "expected": { + "message": "{\"analytic\": {\"desc\": \"Custom Rule Engine\", \"name\": \"CRE\", \"relatedAnalytics\": [{\"category\": \"CRE_RULE\", \"name\": \"Network DoS Attack Detected\", \"type\": \"Rule\", \"typeId\": 1, \"uid\": \"100079\"}], \"type\": \"Rule\", \"typeId\": 1}, \"finding\": {\"uid\": \"591\", \"title\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"created_time\": 1682347463218, \"desc\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"first_seen_time\": 1682347463000, \"last_seen_time\": 1682781010000}, \"confidence_score\": 2, \"confidence\": \"Low\", \"confidence_id\": 2, \"data_sources\": [\"Snort @ wolverine\"], \"impact_score\": 0, \"impact\": \"Low\", \"impact_id\": 1, \"malware\": [{\"classification_ids\": [5], \"classifications\": [\"DDOS\"], \"name\": \"ICMP DoS\"}], \"risk_level\": \"High\", \"risk_level_id\": 3, \"risk_score\": 3, \"state\": \"In Progress\", \"state_id\": 2, \"activity_id\": 1, \"category_uid\": 2, \"class_uid\": 2001, \"time\": 1682347463218, \"message\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\\n\", \"metadata\": {\"log_name\": \"Offense\", \"log_provider\": \"IBM QRadar\", \"original_time\": 1682347463218, \"product\": {\"lang\": \"en\", \"name\": \"QRadar SIEM\", \"version\": \"7.5.0\", \"vendor_name\": \"IBM\"}, \"version\": \"7.5.0\", 
\"modified_time\": 1682347469220}, \"activity_name\": \"Create\", \"category_name\": \"Findings\", \"class_name\": \"Security Finding\", \"count\": 2, \"end_time\": 1682781010000, \"enrichments\": [{\"name\": \"Magnitude\", \"provider\": \"Event Processor\", \"type\": \"score\", \"value\": \"3\"}, {\"name\": \"offense_type\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"2\"}, {\"name\": \"offense_source\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\"}, {\"name\": \"category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"device_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"event_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"flow_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"policy_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"remote_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"local_destination_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"2\"}, {\"name\": \"security_category_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"source_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"1\"}, {\"name\": \"user_name_count\", \"provider\": \"Event Processor\", \"type\": \"counter\", \"value\": \"0\"}, {\"name\": \"domain_id\", \"provider\": \"Event Processor\", \"type\": \"correlation\", \"value\": \"0\"}, {\"name\": \"source_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-99-99-99.Net_99_0_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", 
\"type\": \"network\", \"value\": \"Net-88-88-88.Net_88_88_0_0\"}, {\"name\": \"destination_network\", \"provider\": \"Event Processor\", \"type\": \"network\", \"value\": \"Net-77-77-77.Net_77_0_0_0\"}], \"observables\": [{\"name\": \"log_source_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"112\"}, {\"name\": \"log_source_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort @ wolverine\"}, {\"name\": \"log_source_type_id\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"2\"}, {\"name\": \"log_source_type_name\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"Snort\"}, {\"name\": \"assigned_to\", \"type\": \"User\", \"type_id\": 21, \"value\": \"SomeUser\"}, {\"name\": \"low_level_category\", \"type\": \"Other\", \"type_id\": 99, \"value\": \"ICMP DoS\"}, {\"name\": \"source_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"99.99.99.99\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"88.88.88.88\"}, {\"name\": \"local_destination_address\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"77.77.77.77\"}], \"status_code\": \"OPEN\"}", + "event": { + "action": "create", + "category": [ + "malware" + ], + "end": "2023-04-29T15:10:10Z", + "kind": "alert", + "provider": "IBM QRadar", + "reason": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n", + "risk_score": 3, + "type": [ + "info" + ] + }, + "@timestamp": "2023-04-24T14:44:23.218000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Create", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "category": [ + "DDOS" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_3.json b/OCSF/ocsf/tests/test_security_finding_3.json new file mode 100644 index 000000000..bb29fab22 --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_3.json 
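Review bot: The expected `event.reason` keeps the trailing newline that `finding.title` carries in the input (`"reason": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt\n"`), so this fixture pins the unstripped value; if a one-line reason is intended, the fixture should expect `"reason": "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt"` and the parser should strip it. The input's `observables` carry three `IP Address` entries (`source_address` and two `local_destination_address`), yet the expected block has no `source.ip`, `destination.ip` or `related.ip`, so the fixture cannot catch a regression in network-indicator extraction; the same gap is in test_security_finding_3.json and test_security_finding_4.json, whose `IP Address` and `Hostname` observables are likewise absent from `expected`. `vulnerability.category` is populated from `malware[].classifications` (`["DDOS"]` here), which reads as a malware classification rather than a vulnerability category; if that mapping is intentional it deserves a line in the README. None of the fixtures end with a newline (`\ No newline at end of file`), which keeps producing noisy diffs whenever they are regenerated.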
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAiWPgag==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-27T01:37:06.385325 version_5\\\",\\\"remote_addr\\\":\\\"1.183.190.110\\\",\\\"remote_port\\\":\\\"2048\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-27T01:36:21.515207\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199945, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199945, \"original_time\": \"2022-11-15T17:59:59.945Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": 
[\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"chinatelecom.cn\", \"uid\": \"1.183.190.110\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.183.190.110\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open-internet.nl\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"2048\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Bieligutai, China\"}], \"finding\": {\"title\": \"Infection found on 1.183.190.110\", \"uid\": \"2b7908d7-4b72-4f65-afa0-09bdaea46ae3\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/1.183.190.110\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": 
\"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199945, \"desc\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_9d153be3-a48e-4498-b476-18c2a847d214\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAiWPgag==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-27T01:37:06.385325 version_5\\\",\\\"remote_addr\\\":\\\"1.183.190.110\\\",\\\"remote_port\\\":\\\"2048\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-27T01:36:21.515207\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 by Malware DNS sinkhole on communication domain for sinkholed domain open-internet.nl\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199945, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199945, \"original_time\": \"2022-11-15T17:59:59.945Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", 
\"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 1.183.190.110 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"chinatelecom.cn\", \"uid\": \"1.183.190.110\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"1.183.190.110\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open-internet.nl\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"2048\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Bieligutai, China\"}], \"finding\": {\"title\": \"Infection found on 1.183.190.110\", \"uid\": \"2b7908d7-4b72-4f65-afa0-09bdaea46ae3\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/1.183.190.110\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": 
[\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199945, \"desc\": \"Potentially vulnerable application infection detected on IP address 1.183.190.110 communicating with Command-and-Control domain open-internet.nl\"}}", + "event": { + "action": "generate", + "category": [ + "malware" + ], + "kind": "alert", + "reason": "Infection found on 1.183.190.110", + "reference": "https://platform.securityscorecard.io/#/asi/details/1.183.190.110", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2022-11-15T17:59:59.945000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "category": [ + "Potentially vulnerable application" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_4.json b/OCSF/ocsf/tests/test_security_finding_4.json new file mode 100644 index 000000000..231a3f26e --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_4.json 
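Review bot: `confidence` is an integer in this input (`\"confidence\": 100`) while test_security_finding_2.json carries it as the string `"Low"` next to `confidence_id` and `confidence_score`; the expected block maps none of them, so the suite does not pin how the parser tolerates the type variance on that key, and this is the fixture to extend if a confidence field is ever mapped. In every fixture visible here `time` and `metadata.original_time` denote the same instant (here `1668535199945` and `"2022-11-15T17:59:59.945Z"`), so the expected `@timestamp` of `2022-11-15T17:59:59.945000Z` does not reveal which field drives it; one fixture where the two differ would pin that choice.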
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAtdIQjw==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-04T10:35:07.143255 version_5\\\",\\\"remote_addr\\\":\\\"59.11.81.231\\\",\\\"remote_port\\\":\\\"6927\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-04T10:34:45.835005\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain \", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199946, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199946, \"original_time\": \"2022-11-15T17:59:59.946Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", 
\"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"krnic.or.kr\", \"uid\": \"59.11.81.231\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"59.11.81.231\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": null}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"6927\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Seongnam-si (Buljeong-ro), Korea, Republic of\"}], \"finding\": {\"title\": \"Infection found on 59.11.81.231\", \"uid\": \"45521c66-6498-442d-ad9b-40da9f0e9236\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/59.11.81.231\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", 
\"last_seen_time\": 1668535199947, \"desc\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain \"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.openinternet\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.openinternet_e1472f25-0d2d-4b88-aac9-b7bd439218f5\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"-\\\",\\\"enc_host\\\":\\\"open-internet.nl\\\",\\\"enc_raw_header\\\":\\\"-\\\",\\\"enc_request\\\":\\\"SOCKET_UDP%20%2F\\\",\\\"enc_request_body\\\":\\\"AAAEFycQGYAAAAAAtdIQjw==\\\",\\\"family\\\":\\\"pva.torrent.openinternet\\\",\\\"field_1\\\":\\\"2022-06-04T10:35:07.143255 version_5\\\",\\\"remote_addr\\\":\\\"59.11.81.231\\\",\\\"remote_port\\\":\\\"6927\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"200\\\",\\\"time_local\\\":\\\"2022-06-04T10:34:45.835005\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 by Malware DNS sinkhole on communication domain for sinkholed domain \", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199946, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199946, \"original_time\": \"2022-11-15T17:59:59.946Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": 
\"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 59.11.81.231 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"krnic.or.kr\", \"uid\": \"59.11.81.231\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"59.11.81.231\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": null}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.openinternet\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"6927\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Seongnam-si (Buljeong-ro), Korea, Republic of\"}], \"finding\": {\"title\": \"Infection found on 59.11.81.231\", \"uid\": \"45521c66-6498-442d-ad9b-40da9f0e9236\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.openinternet\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/59.11.81.231\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", 
\"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199947, \"desc\": \"Potentially vulnerable application infection detected on IP address 59.11.81.231 communicating with Command-and-Control domain \"}}", + "event": { + "action": "generate", + "category": [ + "malware" + ], + "kind": "alert", + "reason": "Infection found on 59.11.81.231", + "reference": "https://platform.securityscorecard.io/#/asi/details/59.11.81.231", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2022-11-15T17:59:59.946000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "category": [ + "Potentially vulnerable application" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_security_finding_5.json b/OCSF/ocsf/tests/test_security_finding_5.json new file mode 100644 index 000000000..a5607b3df --- /dev/null +++ b/OCSF/ocsf/tests/test_security_finding_5.json 
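Review bot: This fixture differs from test_security_finding_3.json only in payload values and in the `infected_device.malware_hostname` observable carrying `\"value\": null` (with the sinkholed domain empty in `message` and `desc`), but no hostname-derived field appears in either expected block, so the null case exercises no parser branch the test can observe. It becomes a meaningful negative test only once the `Hostname` observable is mapped (for example to `destination.domain`), at which point the expected block here should deliberately omit that field. Until then a regression that breaks fixture 3 breaks this one identically.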
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.kickasstracker\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"open.kickasstracker.com\\\",\\\"enc_raw_header\\\":\\\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\\\",\\\"enc_request\\\":\\\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"\\\",\\\"family\\\":\\\"pva.torrent.kickasstracker\\\",\\\"field_1\\\":\\\"2022-09-30T21:26:09.028507 version_5\\\",\\\"remote_addr\\\":\\\"190.109.227.80\\\",\\\"remote_port\\\":\\\"21886\\\",\\\"remote_user\\\":\\\"-\\\", \\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-30T21:25:21+00:00\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199947, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199947, \"original_time\": 
\"2022-11-15T17:59:59.947Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"cotel.bo\", \"uid\": \"190.109.227.80\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"190.109.227.80\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open.kickasstracker.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.kickasstracker\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"21886\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"La Paz (Macrodistrito Centro), Bolivia, Plurinational State of\"}], \"finding\": {\"title\": \"Infection found on 190.109.227.80\", \"uid\": \"8f91e92d-b75c-4d55-a6a2-c9f611cdea28\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.kickasstracker\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/190.109.227.80\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, 
take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Potentially vulnerable application\"], \"name\": \"pva.torrent.kickasstracker\", \"provider\": \"SecurityScorecard\", \"uid\": \"pva.torrent.kickasstracker_d605642d-9f8b-46ed-bb19-882ffc34a8f4\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"open.kickasstracker.com\\\",\\\"enc_raw_header\\\":\\\"R0VUIC9zY3JhcGU/aW5mb19oYXNoPSUwMiUyNSVkYiVmMiVmZlElZWVLJTNmJWMxJTI4MW8lMGMlMDklYWElODN4JWVlJTk5IEhUVFAvMS4xDQpVc2VyLUFnZW50OiBUcmFuc21pc3Npb24vMi44NA0KSG9zdDogb3Blbi5raWNrYXNzdHJhY2tlci5jb20NCkFjY2VwdDogKi8qDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXA7cT0xLjAsIGRlZmxhdGUsIGlkZW50aXR5DQoNCg==\\\",\\\"enc_request\\\":\\\"GET%20%2Fscrape%3Finfo_hash%3D%2502%2525%25db%25f2%25ffQ%25eeK%253f%25c1%25281o%250c%2509%25aa%2583x%25ee%2599%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"\\\",\\\"family\\\":\\\"pva.torrent.kickasstracker\\\",\\\"field_1\\\":\\\"2022-09-30T21:26:09.028507 version_5\\\",\\\"remote_addr\\\":\\\"190.109.227.80\\\",\\\"remote_port\\\":\\\"21886\\\",\\\"remote_user\\\":\\\"-\\\", 
\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-30T21:25:21+00:00\\\"}\", \"message\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 by Malware DNS sinkhole on communication domain for sinkholed domain open.kickasstracker.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199947, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199947, \"original_time\": \"2022-11-15T17:59:59.947Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 190.109.227.80 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"cotel.bo\", \"uid\": \"190.109.227.80\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"190.109.227.80\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Potentially vulnerable application\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"open.kickasstracker.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"pva.torrent.kickasstracker\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making 
connection to the infection communication domain\", \"type_id\": -1, \"value\": \"21886\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"La Paz (Macrodistrito Centro), Bolivia, Plurinational State of\"}], \"finding\": {\"title\": \"Infection found on 190.109.227.80\", \"uid\": \"8f91e92d-b75c-4d55-a6a2-c9f611cdea28\", \"types\": [\"malware_infection\", \"infected_device\", \"pva.torrent.kickasstracker\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/190.109.227.80\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Potentially vulnerable application infection detected on IP address 190.109.227.80 communicating with Command-and-Control domain open.kickasstracker.com\"}}", + "event": { + "action": "generate", + "category": [ + "malware" + ], + "kind": "alert", + "reason": "Infection found on 190.109.227.80", + "reference": "https://platform.securityscorecard.io/#/asi/details/190.109.227.80", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2022-11-15T17:59:59.947000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "category": [ + "Potentially vulnerable application" + ] + } + } +} \ No newline at end of file 
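Review bot: The expected output keeps the infected-device observables only inside the opaque `message` string — `infected_device.ip` (190.109.227.80) and `infected_device.malware_hostname` (open.kickasstracker.com) never appear as queryable fields such as `related.ip`/`source.ip` or `related.hosts`, so the finding cannot be joined against an asset inventory or a watchlist without re-parsing `message`. `vulnerability.category` is also filled from the malware classification, which in test_security_finding_6.json yields `"Adware"` — a malware family class rather than a vulnerability category, so that target field looks mis-chosen. Both points presumably sit in the parser rather than in this fixture, but the fixture pins the current output; once the parser emits them, add `related.ip` and `related.hosts` expectations here and in test_security_finding_6.json.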
diff --git a/OCSF/ocsf/tests/test_security_finding_6.json b/OCSF/ocsf/tests/test_security_finding_6.json
new file mode 100644
index 000000000..20ea6f1c3
--- /dev/null
+++ b/OCSF/ocsf/tests/test_security_finding_6.json
@@ -0,0 +1,33 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Adware\"], \"name\": \"adware.android.imp\", \"provider\": \"SecurityScorecard\", \"uid\": \"adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": \"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\\\",\\\"enc_raw_header\\\":\\\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\\\",\\\"enc_request\\\":\\\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\\\",\\\"family\\\":\\\"adware.android.imp\\\",\\\"field_1\\\":\\\"2022-09-23T16:20:10.540428 version_5\\\",\\\"remote_addr\\\":\\\"38.7.186.198\\\",\\\"remote_port\\\":\\\"59750\\\",\\\"remote_user\\\":\\\"-\\\",\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-23T16:19:38+00:00\\\"}\", \"message\": \"Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain 
x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199948, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199948, \"original_time\": \"2022-11-15T17:59:59.948Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"emix.net.ae\", \"uid\": \"38.7.186.198\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"38.7.186.198\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Adware\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"adware.android.imp\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"59750\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Karachi 
(Sector Five F), Pakistan\"}], \"finding\": {\"title\": \"Infection found on 38.7.186.198\", \"uid\": \"26c7c83d-0aad-411b-88ee-52343ff22064\", \"types\": [\"malware_infection\", \"infected_device\", \"adware.android.imp\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/38.7.186.198\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"malware\": [{\"classification_ids\": [-1], \"classifications\": [\"Adware\"], \"name\": \"adware.android.imp\", \"provider\": \"SecurityScorecard\", \"uid\": \"adware.android.imp_7cd5cf7b-4c99-406c-ad46-621487394fba\"}], \"activity_name\": \"Generate\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Security Finding\", \"class_uid\": 2001, \"confidence\": 100, \"data\": 
\"{\\\"body_bytes_sent\\\":\\\"152\\\",\\\"enc_host\\\":\\\"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\\\",\\\"enc_raw_header\\\":\\\"UE9TVCAvYXVjdGlvbi9pbml0IEhUVFAvMS4xDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3gtcHJvdG9idWYNCkFjY2VwdC1FbmNvZGluZzogZ3ppcA0KQ29udGVudC1FbmNvZGluZzogZ3ppcA0KVXNlci1BZ2VudDogRGFsdmlrLzIuMS4wIChMaW51eDsgVTsgQW5kcm9pZCAxMTsgU00tQTIwN0YgQnVpbGQvUlAxQS4yMDA3MjAuMDEyKQ0KSG9zdDogeC1ldS41OGRhYzE2ZTdiMmM4NmMxOWNmZTQ4OTE0YTZlOGZjZGFjOWFlMDZmZTVjZjUzMzY5YmVhYTQ1Yi5jb20NCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCkNvbnRlbnQtTGVuZ3RoOiAzMDMNCg0K\\\",\\\"enc_request\\\":\\\"POST%20%2Fauction%2Finit%20HTTP%2F1.1\\\",\\\"enc_request_body\\\":\\\"H4sIAAAAAAAAAK3PzUoDMRQFYEhbSwNSnI1lljKrgYQkzd+47MqNIIg/u3qTTHCUzshMacFHEHwGwbUPaStVQTcu3F3uOXxwcI8X02TsmwWFdUehDm1ThQk6QpznvZs3JPCsCqfgb6u6PB5wWlA9y0oLzjGvCHPGE+kgEif05iq5YVZZkEye9M+Qy6LVLETpiXfOEilAE2sUJ9EIr4WCGKfibqSoVJQRrttMhKijLhjxQhsijSo29NSS4IOSDJRRzDy+IvyC8H5dLtdNe9/Nqzo2yTMSTwhf55c4wcNdlAzTwaKFKuAUj3e/+apsu6qptxnb7LE4w4efGQR4WJbtV2eUDj82U46v8gt88C3vpf0VdMt/gC/y8x9wvYUnv+FB2uOU/Y19BzRbkezaAQAA\\\",\\\"family\\\":\\\"adware.android.imp\\\",\\\"field_1\\\":\\\"2022-09-23T16:20:10.540428 version_5\\\",\\\"remote_addr\\\":\\\"38.7.186.198\\\",\\\"remote_port\\\":\\\"59750\\\",\\\"remote_user\\\":\\\"-\\\",\\\"status\\\":\\\"404\\\",\\\"time_local\\\":\\\"2022-09-23T16:19:38+00:00\\\"}\", \"message\": \"Adware infection detected on IP address 38.7.186.198 by Malware DNS sinkhole on communication domain for sinkholed domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\", \"severity\": \"Informational \", \"severity_id\": 1, \"status\": \"Not applicable, static security finding from global threat intelligence monitoring\", \"status_id\": -1, \"state\": \"New\", \"state_id\": 1, \"time\": 1668535199948, \"timezone_offset\": 0, \"type_name\": \"Security Finding: Generate\", \"type_uid\": 200101, \"metadata\": {\"logged_time\": 1668535199948, \"original_time\": 
\"2022-11-15T17:59:59.948Z\", \"labels\": [\"infected_device\"], \"product\": {\"lang\": \"en\", \"name\": \"SecurityScorecard Attack Surface Intelligence\", \"uid\": \"ssc_asi\", \"feature\": {\"uid\": \"ssc_malware_dns_sinkhole\", \"name\": \"SecurityScorecard Malware DNS Sinkhole collection system\"}, \"vendor_name\": \"SecurityScorecard\"}, \"version\": \"1.0.0\", \"profiles\": [\"malware\", \"reputation\"]}, \"resources\": [{\"group_name\": \"infected_device\", \"name\": \"IPv4 address 38.7.186.198 of device in SecurityScorecard DNS sinkhole malware, adware, or potentially unwanted/vulnerable collection logs\", \"owner\": \"emix.net.ae\", \"uid\": \"38.7.186.198\"}], \"observables\": [{\"name\": \"infected_device.ip\", \"type\": \"IP Address\", \"type_id\": 2, \"value\": \"38.7.186.198\"}, {\"name\": \"infection.category\", \"type\": \"Category of infection on infected device\", \"type_id\": -1, \"value\": \"Adware\"}, {\"name\": \"infected_device.malware_hostname\", \"type\": \"Hostname\", \"type_id\": 1, \"value\": \"x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}, {\"name\": \"infection.family\", \"type\": \"Malware, adware, or PUA/PVA family name\", \"type_id\": -1, \"value\": \"adware.android.imp\"}, {\"name\": \"infected_device.source_port\", \"type\": \"Client-side port making connection to the infection communication domain\", \"type_id\": -1, \"value\": \"59750\"}, {\"name\": \"infected_device.geo_location\", \"type\": \"Geo Location\", \"type_id\": 26, \"value\": \"Karachi (Sector Five F), Pakistan\"}], \"finding\": {\"title\": \"Infection found on 38.7.186.198\", \"uid\": \"26c7c83d-0aad-411b-88ee-52343ff22064\", \"types\": [\"malware_infection\", \"infected_device\", \"adware.android.imp\"], \"src_url\": \"https://platform.securityscorecard.io/#/asi/details/38.7.186.198\", \"remediation\": {\"desc\": \"If this IP address is tied to your network via any observables attached to this event, take immediate steps to find the related 
device on your network and remove the infection seen from external threat intelligence\", \"kb_articles\": [\"https://support.securityscorecard.com/hc/en-us/articles/8528362400539-How-SecurityScorecard-collects-data-for-ASI#h_01GBX38RBVVDT63RH11KVREN0K\", \"https://support.securityscorecard.com/hc/en-us/articles/360061410291-Resolving-Malware-Findings\"]}, \"product_uid\": \"ssc_malware_dns_sinkhole\", \"last_seen_time\": 1668535199948, \"desc\": \"Adware infection detected on IP address 38.7.186.198 communicating with Command-and-Control domain x-eu.58dac16e7b2c86c19cfe48914a6e8fcdac9ae06fe5cf53369beaa45b.com\"}}", + "event": { + "action": "generate", + "category": [ + "malware" + ], + "kind": "alert", + "reason": "Infection found on 38.7.186.198", + "reference": "https://platform.securityscorecard.io/#/asi/details/38.7.186.198", + "severity": 1, + "type": [ + "info" + ] + }, + "@timestamp": "2022-11-15T17:59:59.948000Z", + "ocsf": { + "activity_id": 1, + "activity_name": "Generate", + "class_name": "Security Finding", + "class_uid": 2001 + }, + "vulnerability": { + "category": [ + "Adware" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_system_activity_1.json b/OCSF/ocsf/tests/test_system_activity_1.json new file mode 100644 index 000000000..e106135ff --- /dev/null +++ b/OCSF/ocsf/tests/test_system_activity_1.json 
@@ -0,0 +1,52 @@ +{ + "input": { + "message": "{\"activity_id\": 99, \"actor\": {\"process\": {\"file\": {\"name\": \"lsass.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"type_id\": 1}, \"pid\": 492}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"DIR\", \"name\": \"STLDIRDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"STLDIRDC1.dir.solutia.com\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A handle to an object was requested.\", \"metadata\": {\"original_time\": \"01/09/2019 12:46:00 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"d9e6a7b1-3177-4542-8de1-bfd582f87727\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 1, \"time\": 1547012760000, \"unmapped\": {\"Access Request Information\": {\"Access Mask\": \"0x2d\", \"Accesses\": [\"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\"], \"Privileges Used for Access Check\": \"\\u01ff\\\\x0F-\", \"Properties\": [\"---\", \"domain\", \"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\", \"Domain Password & Lockout Policies\", \"lockOutObservationWindow\", \"lockoutDuration\", \"lockoutThreshold\", \"maxPwdAge\", \"minPwdAge\", \"minPwdLength\", \"pwdHistoryLength\", \"pwdProperties\", \"Other Domain 
Parameters (for use by SAM)\", \"serverState\", \"serverRole\", \"modifiedCount\", \"uASCompat\", \"forceLogoff\", \"domainReplica\", \"oEMInformation\", \"Domain Administer Server\"], \"Restricted SID Count\": \"0\", \"Transaction ID\": \"{00000000-0000-0000-0000-000000000000}\"}, \"EventCode\": \"4661\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security Account Manager\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"3166250565\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"SAM\"}, \"win_resource\": {\"name\": \"DC=dir,DC=solutia,DC=com\", \"type_id\": 36, \"uid\": \"0x7f79620\"}}" + }, + "expected": { + "message": "{\"activity_id\": 99, \"actor\": {\"process\": {\"file\": {\"name\": \"lsass.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\lsass.exe\", \"type_id\": 1}, \"pid\": 492}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"DIR\", \"name\": \"STLDIRDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"STLDIRDC1.dir.solutia.com\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A handle to an object was requested.\", \"metadata\": {\"original_time\": \"01/09/2019 12:46:00 AM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"d9e6a7b1-3177-4542-8de1-bfd582f87727\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 1, \"time\": 1547012760000, \"unmapped\": {\"Access Request Information\": {\"Access Mask\": \"0x2d\", \"Accesses\": [\"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", 
\"GetLocalGroupMembership\", \"ListAccounts\"], \"Privileges Used for Access Check\": \"\\u01ff\\\\x0F-\", \"Properties\": [\"---\", \"domain\", \"DELETE\", \"READ_CONTROL\", \"WRITE_DAC\", \"WRITE_OWNER\", \"ReadPasswordParameters\", \"WritePasswordParameters\", \"ReadOtherParameters\", \"WriteOtherParameters\", \"CreateUser\", \"CreateGlobalGroup\", \"CreateLocalGroup\", \"GetLocalGroupMembership\", \"ListAccounts\", \"Domain Password & Lockout Policies\", \"lockOutObservationWindow\", \"lockoutDuration\", \"lockoutThreshold\", \"maxPwdAge\", \"minPwdAge\", \"minPwdLength\", \"pwdHistoryLength\", \"pwdProperties\", \"Other Domain Parameters (for use by SAM)\", \"serverState\", \"serverRole\", \"modifiedCount\", \"uASCompat\", \"forceLogoff\", \"domainReplica\", \"oEMInformation\", \"Domain Administer Server\"], \"Restricted SID Count\": \"0\", \"Transaction ID\": \"{00000000-0000-0000-0000-000000000000}\"}, \"EventCode\": \"4661\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security Account Manager\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"3166250565\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"SAM\"}, \"win_resource\": {\"name\": \"DC=dir,DC=solutia,DC=com\", \"type_id\": 36, \"uid\": \"0x7f79620\"}}", + "event": { + "category": [], + "outcome": "success", + "reason": "A handle to an object was requested.", + "severity": 1, + "type": [] + }, + "@timestamp": "2019-01-09T05:46:00Z", + "file": { + "directory": "C:\\Windows\\System32", + "name": "lsass.exe", + "path": "C:\\Windows\\System32\\lsass.exe" + }, + "host": { + "hostname": "STLDIRDC1.dir.solutia.com", + "name": "STLDIRDC1.dir.solutia.com", + "os": { + "name": "Windows" + } + }, + "ocsf": { + "activity_id": 99, + "class_uid": 1010 + }, + "process": { + "pid": 492 + }, + "related": { + "hosts": [ + "STLDIRDC1.dir.solutia.com" + ], + "user": [ + "STLDIRDC1$" + ] + }, + "user": { + "domain": "DIR", + "group": { + "id": [], + "name": [] + }, + "id": "NT 
AUTHORITY\\SYSTEM",
+ "name": "STLDIRDC1$"
+ }
+ }
+}
\ No newline at end of file
diff --git a/OCSF/ocsf/tests/test_system_activity_2.json b/OCSF/ocsf/tests/test_system_activity_2.json
new file mode 100644
index 000000000..268062b61
--- /dev/null
+++ b/OCSF/ocsf/tests/test_system_activity_2.json
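Review bot: No field in the expected output carries the Windows event ID, although the input has `unmapped.EventCode` `"4661"`, so any detection keyed on the event ID has to parse the raw `message`; if the parser can read `unmapped`, the ECS home for it is `"event": { "code": "4661" }`. `event.category`, `event.type`, `user.group.id` and `user.group.name` are all emitted as empty arrays — a consumer filtering on category will never see this event, and empty collections for unknown scalar group fields are better omitted than emitted. test_system_activity_2.json has the same shape, where EventCode 4673 and `Service Request Information.Privileges` (SeTcbPrivilege, the sensitive-privilege-use signal of that event) likewise survive only inside `message`. Whether these are fixture omissions or parser limits cannot be told from the hunk alone.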
@@ -0,0 +1,52 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"actor\": {\"process\": {\"file\": {\"name\": \"explorer.exe\", \"parent_folder\": \"C:\\\\Windows\", \"path\": \"C:\\\\Windows\\\\explorer.exe\", \"type_id\": 1}, \"pid\": 1704}, \"session\": {\"uid\": \"0xDE9AD8\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SESTEST\", \"name\": \"splunker\", \"uid\": \"SESTEST\\\\splunker\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"SesWin2019DC1.SesTest.local\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, \"message\": \"A privileged service was called.\", \"metadata\": {\"original_time\": \"01/28/2022 04:12:19 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"995559a6-1921-463f-93e1-9c5ca932dc8c\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 2, \"time\": 1643404339000, \"unmapped\": {\"EventCode\": \"4673\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"374060\", \"Service Request Information\": {\"Privileges\": \"SeTcbPrivilege\"}, \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Sensitive Privilege Use\"}, \"win_resource\": {\"name\": \"-\", \"type\": \"Security\", \"type_id\": 0}}" + }, + "expected": { + "message": "{\"activity_id\": 1, \"actor\": {\"process\": {\"file\": {\"name\": \"explorer.exe\", \"parent_folder\": \"C:\\\\Windows\", \"path\": \"C:\\\\Windows\\\\explorer.exe\", \"type_id\": 1}, \"pid\": 1704}, \"session\": {\"uid\": \"0xDE9AD8\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SESTEST\", \"name\": \"splunker\", \"uid\": \"SESTEST\\\\splunker\"}}, \"category_uid\": 1, \"class_uid\": 1010, \"device\": {\"hostname\": \"SesWin2019DC1.SesTest.local\", \"os\": {\"name\": \"Windows\", \"type_id\": 100}, \"type_id\": 0}, 
\"message\": \"A privileged service was called.\", \"metadata\": {\"original_time\": \"01/28/2022 04:12:19 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"995559a6-1921-463f-93e1-9c5ca932dc8c\", \"version\": \"1.0.0-rc.2\"}, \"severity_id\": 1, \"status_id\": 2, \"time\": 1643404339000, \"unmapped\": {\"EventCode\": \"4673\", \"EventType\": \"0\", \"OpCode\": \"Info\", \"RecordNumber\": \"374060\", \"Service Request Information\": {\"Privileges\": \"SeTcbPrivilege\"}, \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Sensitive Privilege Use\"}, \"win_resource\": {\"name\": \"-\", \"type\": \"Security\", \"type_id\": 0}}", + "event": { + "category": [], + "outcome": "failure", + "reason": "A privileged service was called.", + "severity": 1, + "type": [] + }, + "@timestamp": "2022-01-28T21:12:19Z", + "file": { + "directory": "C:\\Windows", + "name": "explorer.exe", + "path": "C:\\Windows\\explorer.exe" + }, + "host": { + "hostname": "SesWin2019DC1.SesTest.local", + "name": "SesWin2019DC1.SesTest.local", + "os": { + "name": "Windows" + } + }, + "ocsf": { + "activity_id": 1, + "class_uid": 1010 + }, + "process": { + "pid": 1704 + }, + "related": { + "hosts": [ + "SesWin2019DC1.SesTest.local" + ], + "user": [ + "splunker" + ] + }, + "user": { + "domain": "SESTEST", + "group": { + "id": [], + "name": [] + }, + "id": "SESTEST\\splunker", + "name": "splunker" + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_vulnerability_finding_1.json b/OCSF/ocsf/tests/test_vulnerability_finding_1.json new file mode 100644 index 000000000..89ec9b0a7 --- /dev/null +++ b/OCSF/ocsf/tests/test_vulnerability_finding_1.json 
@@ -0,0 +1,49 @@ +{ + "input": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. 
This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": 
\"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, 
\"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}" + }, + "expected": { + "message": "{\"activity_id\": 2, \"activity_name\": \"Update\", \"category_name\": \"Findings\", \"category_uid\": 2, \"class_name\": \"Vulnerability Finding\", \"class_uid\": 2002, \"cloud\": {\"account\": {\"uid\": \"111111111111\"}, \"provider\": \"AWS\", \"region\": \"us-east-2\"}, \"finding_info\": {\"created_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"desc\": \"Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM\\nplatform contains a bug that could cause it to read past the input buffer,\\nleading to a crash.\\n\\nImpact summary: Applications that use the AES-XTS algorithm on the 64 bit ARM\\nplatform can crash in rare circumstances. The AES-XTS algorithm is usually\\nused for disk encryption.\\n\\nThe AES-XTS cipher decryption implementation for 64 bit ARM platform will read\\npast the end of the ciphertext buffer if the ciphertext size is 4 mod 5 in 16\\nbyte blocks, e.g. 144 bytes or 1024 bytes. If the memory after the ciphertext\\nbuffer is unmapped, this will trigger a crash which results in a denial of\\nservice.\\n\\nIf an attacker can control the size and location of the ciphertext buffer\\nbeing decrypted by an application using AES-XTS on 64 bit ARM, the\\napplication is affected. 
This is fairly unlikely making this issue\\na Low severity one.\", \"first_seen_time_dt\": \"2023-04-21T11:59:04.000-04:00\", \"last_seen_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"modified_time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"title\": \"CVE-2023-1255 - openssl\", \"types\": [\"Software and Configuration Checks/Vulnerabilities/CVE\"], \"uid\": \"arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\"}, \"metadata\": {\"log_version\": \"2018-10-08\", \"processed_time_dt\": \"2024-01-26T17:59:56.923-05:00\", \"product\": {\"feature\": {\"uid\": \"AWSInspector\"}, \"name\": \"Inspector\", \"uid\": \"arn:aws:securityhub:us-east-2::product/aws/inspector\", \"vendor_name\": \"Amazon\", \"version\": \"2\"}, \"profiles\": [\"cloud\", \"datetime\"], \"version\": \"1.1.0\"}, \"observables\": [{\"name\": \"resource.uid\", \"type\": \"Resource UID\", \"type_id\": 10, \"value\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}], \"resource\": {\"cloud_partition\": \"aws\", \"data\": \"{\\\"AwsEcrContainerImage\\\":{\\\"Architecture\\\":\\\"amd64\\\",\\\"ImageDigest\\\":\\\"sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\\\",\\\"ImagePublishedAt\\\":\\\"2023-04-11T21:07:55Z\\\",\\\"RegistryId\\\":\\\"111111111111\\\",\\\"RepositoryName\\\":\\\"browserhostingstack-EXAMPLE-btb1o54yh1jr\\\"}}\", \"region\": \"us-east-2\", \"type\": \"AwsEcrContainerImage\", \"uid\": \"arn:aws:ecr:us-east-2:111111111111:repository/browserhostingstack-EXAMPLE-btb1o54yh1jr/sha256:e9e2afad74f4e80511a5cff33d3d989b9797a718425f27e549f5b1f862c058a8\"}, \"severity\": \"Medium\", \"severity_id\": 3, \"status\": \"New\", \"time\": 1706307554000, \"time_dt\": \"2024-01-26T17:19:14.000-05:00\", \"type_name\": \"Vulnerability Finding: Update\", \"type_uid\": 200202, \"unmapped\": {\"FindingProviderFields.Severity.Label\": 
\"MEDIUM\", \"FindingProviderFields.Types[]\": \"Software and Configuration Checks/Vulnerabilities/CVE\", \"ProductFields.aws/inspector/FindingStatus\": \"ACTIVE\", \"ProductFields.aws/inspector/inspectorScore\": \"5.9\", \"ProductFields.aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"ProductFields.aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform\": \"ALPINE_LINUX_3_17\", \"ProductFields.aws/securityhub/CompanyName\": \"Amazon\", \"ProductFields.aws/securityhub/FindingId\": \"arn:aws:securityhub:us-east-2::product/aws/inspector/arn:aws:inspector2:us-east-2:111111111111:finding/faa0d54609b94871badcc83ac7c2add5\", \"ProductFields.aws/securityhub/ProductName\": \"Inspector\", \"RecordState\": \"ACTIVE\", \"Severity.Normalized\": \"40\", \"Vulnerabilities[].Cvss[].Source\": \"NVD,NVD\", \"Vulnerabilities[].Vendor.VendorSeverity\": \"MEDIUM\", \"Vulnerabilities[].VulnerablePackages[].SourceLayerHash\": \"sha256:f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09\", \"WorkflowState\": \"NEW\"}, \"vulnerabilities\": [{\"affected_packages\": [{\"architecture\": \"X86_64\", \"epoch\": 0, \"fixed_in_version\": \"0:3.0.8-r4\", \"name\": \"openssl\", \"package_manager\": \"OS\", \"release\": \"r3\", \"remediation\": {\"desc\": \"apk update && apk upgrade openssl\"}, \"version\": \"3.0.8\"}], \"cve\": {\"created_time_dt\": \"2023-04-20T13:15:06.000-04:00\", \"cvss\": [{\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, {\"base_score\": 5.9, \"vector_string\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}], \"epss\": {\"score\": \"0.00066\"}, \"modified_time_dt\": \"2023-09-08T13:15:15.000-04:00\", \"references\": [\"https://nvd.nist.gov/vuln/detail/CVE-2023-1255\"], \"uid\": \"CVE-2023-1255\"}, \"is_exploit_available\": true, 
\"is_fix_available\": true, \"references\": [\"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=bc2f61ad70971869b242fc1cb445b98bad50074a\", \"https://www.openssl.org/news/secadv/20230419.txt\", \"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=02ac9c9420275868472f33b01def01218742b8bb\"], \"remediation\": {\"desc\": \"Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON.\"}, \"vendor_name\": \"NVD\"}]}", + "event": { + "action": "update", + "category": [], + "severity": 3, + "type": [] + }, + "@timestamp": "2024-01-26T22:19:14Z", + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "AWS", + "region": "us-east-2" + }, + "ocsf": { + "activity_id": 2, + "activity_name": "Update", + "class_name": "Vulnerability Finding", + "class_uid": 2002 + }, + "vulnerability": { + "description": [ + "" + ], + "id": [ + "CVE-2023-1255" + ], + "scanner": { + "vendor": [ + "NVD" + ] + }, + "score": { + "version": [ + "" + ] + }, + "severity": [ + "" + ] + } + } +} \ No newline at end of file diff --git a/OCSF/ocsf/tests/test_windows_resource_activity_1.json b/OCSF/ocsf/tests/test_windows_resource_activity_1.json new file mode 100644 index 000000000..cae726797 --- /dev/null +++ b/OCSF/ocsf/tests/test_windows_resource_activity_1.json 
@@ -0,0 +1,58 @@ +{ + "input": { + "message": "{\"activity_id\": 1, \"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 201003, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}" + }, + "expected": { + "message": "{\"activity_id\": 1, 
\"activity_name\": \"Access\", \"actor\": {\"process\": {\"file\": {\"name\": \"services.exe\", \"parent_folder\": \"C:\\\\Windows\\\\System32\", \"path\": \"C:\\\\Windows\\\\System32\\\\services.exe\", \"type\": \"Regular File\", \"type_id\": 1}, \"pid\": 532}, \"session\": {\"uid\": \"0x3e7\"}, \"user\": {\"account_type\": \"Windows Account\", \"account_type_id\": 2, \"domain\": \"SOI\", \"name\": \"SZUSOIDC1$\", \"uid\": \"NT AUTHORITY\\\\SYSTEM\"}}, \"category_name\": \"System Activity\", \"category_uid\": 1, \"class_name\": \"Windows Resource Activity\", \"class_uid\": 201003, \"device\": {\"hostname\": \"szusoidc1.soi.dir.acme080.com\", \"os\": {\"name\": \"Windows\", \"type\": \"Windows\", \"type_id\": 100}, \"type\": \"Unknown\", \"type_id\": 0}, \"message\": \"An attempt was made to access an object.\", \"metadata\": {\"original_time\": \"01/14/2015 08:30:54 PM\", \"product\": {\"feature\": {\"name\": \"Security\"}, \"name\": \"Microsoft Windows\", \"vendor_name\": \"Microsoft\"}, \"profiles\": [\"host\"], \"uid\": \"05e90f2c-5be6-484c-aefb-f8e6f591bd2c\", \"version\": \"1.0.0-rc.2\"}, \"severity\": \"Informational\", \"severity_id\": 1, \"status\": \"Success\", \"status_id\": 1, \"time\": 1421285454000, \"type_name\": \"Windows Resource Activity: Access\", \"type_uid\": 101001, \"unmapped\": {\"Access Mask\": \"0x2\", \"Access Request Information\": {\"Accesses\": \"Set key value\"}, \"CaseID\": \"AD_4663\", \"EventCode\": \"4663\", \"EventType\": \"0\", \"Object\": {\"Object Server\": \"Security\"}, \"OpCode\": \"Info\", \"RecordNumber\": \"989202992\", \"SourceName\": \"Microsoft Windows security auditing.\", \"TaskCategory\": \"Registry\"}, \"win_resource\": {\"name\": \"\\\\REGISTRY\\\\MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services\\\\EventLog\\\\Security\", \"type\": \"Key\", \"type_id\": 25, \"uid\": \"0x564\"}}", + "event": { + "action": "access", + "category": [], + "outcome": "success", + "reason": "An attempt was made to access an object.", + 
"severity": 1, + "type": [] + }, + "@timestamp": "2015-01-15T01:30:54Z", + "file": { + "directory": "C:\\Windows\\System32", + "name": "services.exe", + "path": "C:\\Windows\\System32\\services.exe", + "type": "Regular File" + }, + "host": { + "hostname": "szusoidc1.soi.dir.acme080.com", + "name": "szusoidc1.soi.dir.acme080.com", + "os": { + "name": "Windows", + "type": "Windows" + }, + "type": "Unknown" + }, + "ocsf": { + "activity_id": 1, + "activity_name": "Access", + "class_name": "Windows Resource Activity", + "class_uid": 201003 + }, + "process": { + "pid": 532 + }, + "related": { + "hosts": [ + "szusoidc1.soi.dir.acme080.com" + ], + "user": [ + "SZUSOIDC1$" + ] + }, + "user": { + "domain": "SOI", + "group": { + "id": [], + "name": [] + }, + "id": "NT AUTHORITY\\SYSTEM", + "name": "SZUSOIDC1$" + } + } +} \ No newline at end of file